The “human factor” is responsible for 80% of all security breaches

Richard Knowlton

Written by Richard Knowlton, Digital Resilience Advisory Board

Most articles I read about cyber security focus either on the technical (obscure at best to non-specialists), or on how security managers can increase digital awareness within their organisations. This focus is supplemented at regular intervals by pieces about the latest issue such as GDPR or ransomware, or cottage industries on subjects like the development of increasingly exotic job titles to boost the importance of CISOs.

I’m also a consultant and we all have to earn our way. But aren’t we simply focussed on individual trees in the forest, without seeing the bigger picture?

The digital revolutions of the last 35 years will prove at least as disruptive as those of steam and electricity. History teaches that industrial revolutions provide immense medium to long-term benefits to society, but at considerable short-term cost to individual humans: compare the quality of life of a rural family in the 18th century with that of a factory worker in a Dickensian slum 100 years later.

I think that society is completely unprepared for what’s coming. What we hear are quasi-messianic stories about the benefits of robots and artificial intelligence (AI), or a daily barrage of horror stories about the latest security breaches.

What are ordinary punters to make of all this? They are smart enough to know that robotics and AI will have a much more important impact on employment than immigration, while it will also hit the professional classes (in medicine, accountancy and the law, for example). That’s worrying enough without people forgetting the extraordinary benefits of the digital world as constant security breaches undermine faith in our political processes, health and financial systems, and so on.

Where is the national debate on these issues? And where is the government, the only entity capable of leading that debate?

Let me concentrate on cyber security issues. Like many readers of this blog, I’ve spent years in multinational organisations trying to engage co-workers – including top management – in a common security culture. This reflects the fact that cyber security should be a routine enterprise risk issue where the “human factor” is responsible for 80% of all security breaches.

For reasons that need a separate blog, the results are often disappointing. I believe that a part of this is our focus on those trees at the expense of the forest…

Surely equipping people to safely and securely navigate the digital world is a societal, not just an individual organisational issue. It follows that government has to take the responsibility for ensuring that all of its citizens understand the risks and how to manage them. This means a series of national campaigns, of the sort we’ve had with other serious issues, such as smoking, the AIDS epidemic, the use of seat belts in cars and so on.

Everybody should understand the basics of cyber security, from the toddler to the young adult to the silver surfer. The basic messages are not complicated and there don’t need to be many. If even half the population began to understand best practice, they would be safer in their private use of their gadgets. They would take that understanding to their workplaces, and would be much more open to reinforcement messages from their security colleagues.

Eyes glaze when I mention this idea to people in government. There is always a reason for doing nothing (or doing it “later”), ranging from cost to other priorities, particularly in a time of economic and political uncertainty (Brexit etc.). I’ve heard similar arguments from Executive Committees whenever I’ve wanted to launch a security awareness campaign, in competition with all the other departmental voices struggling to get their internal messages out.

The digital revolution is taking hold with unprecedented, uncontrollable speed and impacting the lives of every one of us. Now is the time for each of us to learn how to play our part in minimising the risks that a sloppy security culture inevitably brings. The government needs to roll out an effective campaign to show us all the basic do’s and don’ts, just as they’ve done in those earlier public safety programmes.

The government has been investing significant sums in cyber security and safety issues for some years, and I’m not knocking its understanding of the seriousness of the issue. But we need to think of investing in a less niche way.

Karen Bradley, Secretary of State for Digital, Culture, Media and Sport (DCMS), has just announced that half of DCMS policy and delivery work now covers the digital sectors – telecommunications, data protection, internet safety, cyber skills and parts of media and the creative industries. It sounds as though a national campaign should be her baby!
