CREATING a secure environment against the ever-present threat of cyber-attack requires more than good technology deployed in a secure way with regular updates. According to Andrew Scothern, chief software architect at Gallagher, people and culture also make up a large (and less predictable) part of your cyber defence.
From a cyber risk point of view, once your technology is reasonably locked down, people become the easiest way in. All the end-to-end encryption, upgrades and patches in the world won’t protect your business from social engineering attacks, from errors by employees who don’t understand the risks or, in the absolute worst case, from malicious insiders intentionally disrupting your systems. The human element can create vulnerabilities in even the most secure environments. But where there’s risk, there’s opportunity. People and culture can also be a great asset when it comes to your cyber security.
You must educate your people about cyber threats. In the same way health and safety practices are now recognised as everyone’s responsibility, cyber security requires a whole-of-business approach. Make policies and training part of your cyber security planning, ensuring best-practice information is widely available and enacted as part of company culture. That doesn’t mean everyone has to understand all the details, but they do need the tools and basic knowledge to help keep your systems secure.
This can be as simple as regularly alerting people to current threats, embedding password best-practice rules in business processes, or making sure staff understand why contact details should not be given out to cold callers. Identify champions across your business who can keep cyber security visible and meaningful to employees, supporting people to help protect their workplace from cyber threats. With the backing of policy, education and culture, people will feel empowered to make a difference, and cyber security becomes a ‘business as usual’ part of how the company works.
You must also manage user privileges. Cyber-attacks don’t discriminate between the receptionist at the front desk and the manager in the office, particularly social engineering attacks that manipulate people into revealing confidential information. The level of risk you are exposed to when someone is tricked depends on what information that person can reach, which is set by their user privileges. It’s human nature to want to help, and social engineering exploits that impulse. To counter it, tight control of permissions ensures information is not freely available to employees who don’t need it, so that a compromised or misled account yields as little as possible. Put simply, tailor permissions to the individual: give each person only the access their role requires, and grant universal or administrative access only to those who absolutely need it.
Finally, if someone is leaving the organisation, especially under a cloud, make sure you promptly remove their permissions and their access to data. And look after your people. A company culture of reciprocal loyalty and trust can protect you as much as any business process or user permission management. The spectre of internal threat actors – those who might intentionally cause damage or allow access to your systems – is not one I prefer to focus on, because it isn’t a common situation for most companies.
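The two points above, tailoring permissions to the role and revoking access promptly when someone leaves, are easiest to see in a deny-by-default permission check. The following is an added example written for this page; it is not code from the article, from Gallagher or from any product. The roles, resources and usernames are constructed for illustration, and the `("*", "*")` wildcard is an assumed shorthand for the universal access the column says should be granted rarely.

```python
from dataclasses import dataclass, field

# Constructed role model (illustration only): each role grants (resource, action) pairs.
ROLE_PERMISSIONS = {
    "receptionist": {("visitor_log", "read"), ("visitor_log", "write")},
    "manager": {("visitor_log", "read"), ("payroll", "read"), ("hr_records", "read")},
    "admin": {("*", "*")},  # universal access: keep the list of holders as short as possible
}


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    """Deny-by-default permission checks with prompt revocation on departure."""

    def __init__(self, role_permissions=ROLE_PERMISSIONS):
        self.role_permissions = role_permissions
        self.users = {}

    def add_user(self, username, roles):
        # Refuse roles that are not defined, so a typo cannot silently grant nothing or everything.
        unknown = set(roles) - set(self.role_permissions)
        if unknown:
            raise ValueError(f"unknown roles for {username}: {sorted(unknown)}")
        self.users[username] = User(username, set(roles))

    def is_allowed(self, username, resource, action):
        user = self.users.get(username)
        if user is None or not user.active:
            return False  # unknown or disabled accounts get nothing
        for role in user.roles:
            for res, act in self.role_permissions.get(role, ()):
                if res in ("*", resource) and act in ("*", action):
                    return True
        return False  # nothing matched: deny

    def offboard(self, username):
        # Disable the account AND strip its roles, so an accidental re-enable restores no access.
        user = self.users[username]
        user.active = False
        user.roles.clear()

    def users_with_universal_access(self):
        """Audit helper: who currently holds the wildcard grant?"""
        return sorted(
            u.username
            for u in self.users.values()
            if u.active
            and any(("*", "*") in self.role_permissions.get(r, ()) for r in u.roles)
        )


def build_sample_directory():
    """Constructed sample accounts matching the column's receptionist/manager example."""
    ac = AccessControl()
    ac.add_user("pat.reception", {"receptionist"})
    ac.add_user("sam.manager", {"manager"})
    ac.add_user("root.admin", {"admin"})
    return ac


if __name__ == "__main__":
    ac = build_sample_directory()
    print("receptionist reads payroll:", ac.is_allowed("pat.reception", "payroll", "read"))
    print("manager reads payroll:", ac.is_allowed("sam.manager", "payroll", "read"))
    print("universal access holders:", ac.users_with_universal_access())
    ac.offboard("sam.manager")
    print("manager reads payroll after leaving:", ac.is_allowed("sam.manager", "payroll", "read"))
```

The point of the audit helper is the one the column makes: a social engineer who talks their way into the receptionist’s account should reach the visitor log and nothing else, and the list of accounts that can reach everything should be short enough to review by hand.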
Absolutely take precautions with education, permissions and access, but looking at and treating your employees as a threat actively works against a positive company culture. Focusing instead on support, education and positive team building can be far more valuable when it comes to motivating people to take cyber security seriously. In other words, look after your people and they’ll be more likely to look after you.
The simplest way to get started when addressing people and culture in cyber security is to ask one question: who in our business cares about this? If the answer is ‘just me and the IT guys’, then it’s time to get moving and make cyber security a priority for all your people, from the guard at the gate to the CEO’s office.
Andrew Scothern has over 20 years’ experience in product development, spanning software development, software architecture, R&D management and IT advisory roles. He likes to work where people, process and technology intersect, finding new ways to solve complex problems. Andrew is also a founding member of the industry advisory group (IAG) behind the STRATUS research project, which is focused on improving cyber security and giving end users control of their data.