People, collaboration, communication, behaviours, leadership, awareness and vigilance, reputation and resilience. During the recent inaugural National Cyber Resilience Week in September, organized by the Digital Leaders Forum with AXELOS RESILIA, I was greatly encouraged that it’s been these words that have dominated discussions and briefings. Technology and tech-speak took a welcome back seat for once.
Ciaran Martin, Director General of the National Cyber Security Centre, said at the CBI’s Annual Cyber Security Conference on 13 September:
“So let’s get serious about understanding the human being in all this. Let’s stop talking nonsense about humans being the weakest link in cyber security… Human factors techniques can maximize human performance while ensuring safety and security.”
This acknowledgement that all of us and our behaviours form a critical part of our resilience to cyber-attacks is refreshing. Everyone, irrespective of role or responsibility, has a critical part to play in protecting the information that’s most precious to us, whether it’s sensitive corporate or customer data or our own and our family’s information, and none of us is immune.
But do we care enough to make the change and how can we all be encouraged to play our part more effectively?
We all get tired of being told that the sky is falling down. Many of us know that the threat from cyber-attack is a real and present danger – intellectually – but we often don’t know any organization that’s been directly affected, so it’s hard to imagine what it must be like. That’s why the endless headlines and statistics – billions of users hacked, millions lost by companies – start to blur. They don’t seem like real people.
We must do better in demystifying the challenges and making it easier for anyone to appreciate just why it’s so important for them – at home and at work. Government and organizations have a key role to play to help the ‘silent majority’ steer their way through the hype, hysteria and rhetoric to a position where we all feel able to contribute and challenge.
I would suggest that we’re at a crossroads in our collective corporate response to the cyber-risks we all face. One where many will continue to invest in more technology and expect that multiple layers of technical defence will suffice. Another group – the market leaders, pioneers and innovators but increasingly the ‘just plain sensible’ – will change direction and embrace an enterprise-wide approach, led from the top, which uses new methods to engage and openly reward good cyber behaviours, from top to bottom.
I believe that the opportunity is clear: staff are not, as is so often lazily reported, ‘our weakest link’. They are instead our most powerful and cost-effective defence against growing attacks. But there is a big challenge.
Ciaran Martin highlighted at the recent CBI Cyber Security conference that:
“We haven’t always made it easy for our staff. Only 20% of all businesses have had their staff receive cyber security training, or attend seminars, in the last year.”
In this vital area of staff training and development, one size doesn’t fit all. The current ‘all staff, once a year’ approach simply does not influence or sustain long-term behavioural change. At best, it reminds us of some essentials; at worst, it’s treated as a necessary evil, a distraction, and something to be completed as quickly as possible.
A new, more collaborative approach is required – one where information security and cyber awareness training is conceived of as a continuous, ongoing and sustainable campaign. Just as our technical security controls must constantly evolve and adapt to combat changing cyber threats and vulnerabilities, so we need to ensure all our people maintain their awareness training and are provided, on a continual basis, with appropriate, practical guidance that fits the needs and requirements of the organization.
Ignorance isn’t a defence anymore. The risks and potential impacts are too great. Imagine if it’s your organization in the media headlights next week. The signs from the Cyber Resilience Week are encouraging – we’re beginning to rebalance our approach to building an effective response through our people and behaviours as much as technology. Let’s keep up the good work and never forget that it’s our people that hold the key to success.