Cybercriminals Cause Havoc. People and Culture are the Answer.

In the defence of our businesses against cybercrime, Tony Dimech discusses the necessity of a holistic approach to security with people at its heart, and training that engenders proactivity.

Last year 75% of small businesses in the UK experienced a cyber breach. The average cost of a breach for small businesses can be anything from £75,000, to a staggering £311,000. (Source: PWC).

Disruption is Inevitable

Cybercriminals disrupt businesses. Last month we saw the huge disruption to the NHS caused by a global ransomware attack. Stories of data breaches, social engineering scams and audacious hacks, pepper our news every day. The fallout for the organisations concerned: financial losses, reputational damage and customers taking their business elsewhere. When GDPR becomes law in May 2018, companies who fail to protect personal information will face fines of up to 4% of global annual turnover and the stakes will be raised still higher.

Businesses have traditionally answered the threat of hacking with investment in technology: technical attacks needed technical solutions – and that is still the case. However, the threat landscape has changed and evidence consistently shows that employees are at the heart of the vast majority of data breaches, whether because of ignorance, carelessness, error, trickery or malice. With social engineers aggressively targeting human vulnerabilities, a more holistic approach to security is required and executives and security chiefs must now find ‘people solutions’.

The Current Top 3 Threats:
  •  Malware
  • Phishing attacks
  • Accidental data leaks by staff

The trend towards ‘hacking people’ has cast everyone as a frontline defender. Responsibility for the security of the organisation has been devolved from an individual (e.g. a CISO or Head of IT) or small designated team to every single employee. Security chiefs inevitably feel the tension of this situation: they’re still accountable but everyone is responsible, and their success in mitigating risks and preventing breaches relies on everyone else playing their part. In other words, they need security culture change.

Culture change, by its nature, is ‘disruptive’ – but in a good way. It’s disruptive because, to one degree or another, everyone will have to do things differently; it will mean updating processes, kicking insecure habits and adopting new behaviours. It’s disruptive because, unlike buying a tech solution to a tech problem, people will actually have to do something, do things, every day. Creating the proactive security culture we need is not something that happens overnight with the flick of a switch but, in our experience at Layer 8, change can begin immediately.

So, disruption is inevitable. The question facing businesses is what kind of disruption they want: the disruption of a breach and a fine, or the disruption of security culture change.

Training for Front-line Defenders

We wouldn’t expect soldiers to defend a city without training, we wouldn’t expect footballers to defend their goal without training - so why would we expect people to defend their business without training? If people are the focus for cyber criminals then it’s time they were the focus for security professionals. If they are seen as the ‘weakest link’ then they have to be strengthened: they need to be invested in, and given education and training to meet their security responsibilities. But it has to be the right kind of training.

In many businesses to date, staff security awareness training has been minimally disruptive and, not surprisingly, minimally effective. Lengthy policy documents, blanket directives and emails full of ‘tech speak’ aren’t going to fire anybody’s imagination. Annual computer-based training is quickly forgotten. Answering basic multiple choices questions doesn’t require deep learning and compliance tests have little impact on day-to-day behaviours. Companies sometimes go further with a good old PowerPoint presentation that might contain lots of important facts and instructions but that only switches people off.

Collectively, these approaches are fatally flawed and will serve only to help today’s cybercriminals. Why? Because they render employees passive and they don’t demand action. They don’t enable conversation or collaboration. They are top-down and function to hand down rules from ‘above’. They do nothing to develop culture.

New Approaches to Training and Culture Change

We define culture as how we collectively demonstrate what matters to us on a daily basis through what we say and what we do. So, culture is about conversation and behaviour. When, every day, across your organisation, people are talking about security and doing things to improve it, that is security culture. The quality of that determines the kind of security culture you have. Our approaches to training have to be radically renewed to engender the proactive culture demanded in today’s world. They must embody the new culture we are striving for, with conversation, collaboration and action at their heart.

Interactive training promotes deep learning and an effective session leaves participants feeling motivated, energised and confident in their ability to defend their business and their homes. The effects are long-lasting and they fuel ongoing conversations that – in turn – strengthen the developing security culture.

Involving participants in workshops, setting them tasks, requiring them to take the lead, enabling them to set their agenda for action after the workshop, these are huge strides towards a proactive culture of security. It has to be this way. Our culture belongs to everyone and culture change is by its nature inclusive.

Beyond workshops and training sessions, ‘frontline defenders’ need to be supported with communications and learning materials ‘written by human beings for human beings’. That means placing people (not just technology) at the heart of security, it means empowering them with useful, practical knowledge in context, explaining why we need to change behaviours. It means marshaling the ways in which people have always communicated what matters to them: through dramatic stories that demand empathy, employing analogies to make things clear, and using humour to engage. Crucially, communications should ask questions, set problems and stimulate conversations and actions that will contribute to the developing security culture. And those communications need to be regular and accessible in a way that they can fit into existing work patterns and business as usual.

People are the Solution

Our experience at Layer 8 – working with a wide range of people across organisations – has only demonstrated that people are the solution; they want to be a safe pair of hands and they want to protect the people and things that matter to them. Often they just need the space, encouragement and support to do so.

When they’re enabled to take ‘ownership’ of security, to acknowledge shared values and collaborate, when they’re required to have conversations, to change behaviours and to ask for things that would help them, then we’ve seen conversations go viral, behaviours and processes change, and cultures transform.

5 Tips to Kickstart Security Culture Change

1. Collaborate - You have to, because everyone is a frontline defender of your organisation. In our experience, change happens rapidly when buy-in from the board meets a grassroots movement by ordinary employees. People on the ground want to be part of the solution and culture includes everyone.

2. Grow Your Team - To that end, many organisations develop a network of ‘security champions’ or advocates to drive change. They ‘join the dots’ between CISOs and individual employees from all tiers and sectors of the business. We’ve seen exponential change in organisations who develop champions.

3. Make the Conversation Go Viral - Central to what champions do is taking the security conversation out into the business, making sure everybody participates in it and keeping it on the agenda every day. Culture change happens when conversations change.

4. Raise Awareness with Engaging Communications - As employees shoulder their security responsibilities they want to be kept up to date with information on the latest threats and what they can do about them. Best practice needs to be conveyed in materials that keep them switched on.

5. Train for Proactivity - Throw out the 64-slide security PowerPoint as it only imparts information to a passive audience. Instead, run training that demands that everyone contributes, collaborates and takes action. Changing security culture means changing training culture.

Read More

If you’d like to read more about developing the security culture of your organisation, download Layer 8's whitepaper: Developing Security Culture – 8 practical principles for effective change.

For more on the need to invest in people over tech and why, see this excellent article published recently in the Harvard Business Review. 

Tony Dimech has over 30 years’ experience in ‘People Development’ and is now specialising in behavioural change within cyber security awareness. Tony is one of the founders of Layer 8 Ltd, and previously spent twenty years heading up Appleton Associates Ltd.


No comments so far - why not be the first?

(HTML markup not supported)

Quantifying the Beautiful Game: How Analytics and Big Data is Helping to Shape Football.

In a world of rising transfer fees and ballooning costs, Premier League clubs are turning to data to streamline the running of their organisations.

Questions CIOs Are Asking About Digital Disruption

Last week we had the pleasure of meeting CIOs and key decision makers responsible for innovation and IT at the True North Breakfast with a View briefing. Their observations and questions about disruptive innovation are perhaps common to many

Defining Training Needs in a Disruptive World

Organisational psychologist and coach, Hugo Immink, explores why conventional corporate training no longer works in a disruptive world; and what to do about it.

Does Size Really Matter: An Insight into Whether You Can Be Too Small or Too Big to Disrupt Your Market

Winner of the PathFinder4 student blog competition, Georgie Fairweather, explores whether you can be too small or too big to disrupt your market.

Practicing Law in a Different World

50% of UK business leaders think their business model will cease in the next 5years. Lawyers need to know how disruption affects clients and their practice.

Disruptive Alliances: Six Lessons from Antony and Cleopatra

The do's and don'ts of creating successful alliances for disruptive innovation in the digital economy, looking at the lessons from Antony and Cleopatra's union.

Get Ahead of the Pack and Disrupt

Investment in digital is essential to stay in the game. The only way to get ahead of your competitors in many industries to lead the pack and disrupt.

Video: The Impact of Disruption on Business

The world is changing fast, very fast. Watch Marc Dowd discuss the changing world of the technology, how the consumer responds, and how business should react.

Corporates and Start-ups Should Collaborate - But How Can It Succeed?

Many corporates see the need to partner with start-ups to innovate. This article looks at the challenges from the start-up's point of view.

PathFinder4 Africa Launches 9th February

Announcing the launch of PathFinder4 Africa. We are pleased to announce the launch of the first PathFinder4 leaders meeting outside of the UK.

My Children May Not Need a Driving License to Get to Work, But Will They Even Have a Job.

The world is being disrupted. Perhaps no-where is this more obviously challenging to our psychology and the world of work than the driverless car.

Isn't Blockchain Illegal? And other questions............

It may come as no surprise that Blockchain specialists have identified this as one the of top FAQs We explain the good and the bad of Blockchain.

Disrupt or Be Disrupted: The Impact on Businesses Large and Small

Marc Dowd talks about Disruptive Innovation at the Hertfordshire Chamber of Commerce Lunch 17th January 2017

Are You Ready to Disrupt in 2017?

New features emerging from the PathFinder4 ecosystem for disruptive innovation.

Why I Joined an Ecosystem for Disruptive Innovation

The benefits of working with thought provoking people in an ecosystem for disruptive innovation.

The Benefit of Disruptive Innovation: a Day of Illustration

The benefit of disruptive innovation: a day of illustration. Reflections on differing views of disruptive innovation.

What is Disruptive Innovation?

There are a number of buzz phrases from digital transformation, to digital disruption, and disruptive innovation, but what does it all mean?

PathFinder4 contact details

info AT

Europe: +44 (0)207 993 9043
North America: +1 514 242 0810
Africa: +27 82 442 3397

PathFinder4 Company Details

PathFinder4 Limited

Registered in England and Wales
Number: 10267577

©Copyright - PathFinder4 2017