According to a report from the Ponemon Institute, human error is the biggest contributing factor to breaches of information within businesses.
The security risk from an organisation’s own employees likely keeps its information security staff awake at night.
The challenge is not in finding ways to communicate the importance of basic security practices, e.g. not leaving your laptop logged in on a train whilst you nip to the sandwich cart, or not clicking a link in some dodgy email. The challenge is in communicating that every action has a consequence, and that the impact on the company’s bottom line could be drastic. For the average cyber security professional, promoting a security standards process and getting buy-in from the board is more of a challenge than it should be. Even when companies invest resources in getting teams to take mandatory security awareness training, there is still no guarantee of behavioural change. So, in this case, where does the fault lie if there is a successful breach?
Is it with an employee who flouted the rules and ignored the warnings they were given? Is it with the staff who delivered the training to such a sub-par standard that it failed to make the desired impact? Or is it with the security team, who have enough visibility across the organisation to identify likely targets, and who are responsible for preventing attacks or mitigating the extent of damage from the attacks that do succeed?
The cyber security technology that businesses invest in needs to be utilised at every stage of the business if it’s going to be valuable. It is the information security professional’s responsibility to take some of the information and performance metrics from these technological systems and communicate them in real terms to senior management. To change user behaviour, it seems logical to communicate in a way that relates cyber security to employees’ own personal well-being and their responsibility to the company. It should be less about holding employees to account and more about educating them on what you monitor in terms of threats, as proof of the challenges the organisation is facing. This highlights that their stance on taking it seriously could have fortunate or dire consequences. Rather than relying on sending out awareness messages or mandatory training, perhaps the best way to engage employees is to show a direct correlation between their behaviour and the impact on the business by sharing these metrics internally.
To get buy-in from employees about how they can help drive down the risk of a successful attack on the organisation, perhaps it’s in the board’s interest not to treat employees like naughty schoolchildren if they fail the quarterly fake phishing test. It would be much better for information security staff to connect with teams over the information that they have access to, to show the potential impact of an employee’s actions, and to determine the level of understanding and appropriate training moving forward on a case-by-case basis.
Time-consuming, yes. Likely to foster more of an impact on employee personal awareness than putting a poster up in the coffee area or a 2-hour training session on a Friday morning? Definitely.
Acumin Consulting’s sister company RANT is working with the Department of Digital, Culture, Media and Sport to deliver a trio of invite-only cyber security events. They bring together a room of 100+ senior cyber security professionals to discuss issues affecting effective security controls within organisations, as part of a project that will help determine national cyber security policy. For more information on the events, or on some of the content and reports to come out of them, speak to me or RANT directly.