Why recent security breaches should force organisations to think internally…
The recent spate of high-profile security data breaches has put, or at least should have put, cyber security at the very top of every organisation's to-do list.
Where once CEOs and other board-level members would dismiss cyber security, and wider technology too for that matter, through a lack of understanding, this can no longer be the case. Digital services and the technologies that support them are fundamental to every organisation, so those at the very top need to be held responsible for them, especially when it comes to cyber security.
At present, many organisations are focusing on trying to create an almost impenetrable layer around their information, believing this to be the best protection against cyber crime. This is reflected in the job market: cyber security jobs are on the rise, with 14% of all new IT jobs being in the cyber security field.
There is no doubt that organisations need to strengthen their systems against outside threats. But what the recent data breaches at both Marks & Spencer and British Gas (both of whom admitted their security breaches were the result of internal errors) have shown is that the cyber security threat is not only external but internal too.
Furthermore, research from IBM, based on the data breaches it investigated, revealed that 'human error' was at fault in 95% of the security incidents it examined.
The report found that the most common behaviours putting information at risk were:
– Clicking on a malicious link found in a phishing message
– The use of default and weak usernames and passwords
– Lost laptops or mobile devices
It should come as no real surprise that the human element is the weak link in the fight against cyber crime. After all, no one is perfect and we all make mistakes. Yet human behaviour is the element that the majority of organisations are still failing to give enough attention to.
Changing employee behaviour
It is evident that organisations need to focus on changing the behaviour of their employees in order to reduce the chances of data breaches. However, changing behaviour in regard to information security is one of the most difficult and complex challenges an organisation can face.
One reason behaviour change is so difficult is that the 'correct behaviour' is often far too hard to carry out, because the processes behind it are too complex. Simple rules of behaviour that employees can follow, and that are actually doable, are crucial for success. This means well-designed security systems and policies are essential.
Knowledge and awareness are a prerequisite for any behaviour change campaign, but alone they are simply not enough. Focus then needs to be given to implementing strategies that influence. What we have found is that provoking fear in the audience is not the most effective tactic for influencing behaviour. It can actually put people off, even driving them away from using technology and leading to inefficiencies in their performance.
Positive information security behaviours should be communicated; this is how desired behaviour becomes a habit. Positive communications are even more powerful when they are designed in context for each individual.
And of course, once people are willing to change, continued training and feedback are required to support them through the transformation, followed by sustained cultivation of a security-conscious culture. Cyber security needs to be part of every organisation's culture, ingrained in every employee. But as recent security breaches have shown, organisations are still some way off this ideal.
It’s time organisations applied the same resources internally as they do externally in the fight against cyber crime.
We've implemented award-winning internal cyber security campaigns for some of the world's leading organisations. If you'd like to find out how we could help you change the behaviour of your employees, to reduce the number of security incidents and breaches at your organisation, then please do get in touch.
Until next time…