Nick Wilding, General Manager at AXELOS, leads the Cyber Resilience Best Practice division, which puts people at the heart of an organisation’s cyber resilience strategy and response, enabling them to effectively recognise, respond to and recover from cyber-attacks.
So, how many times do we read about an embarrassing high-profile cyber-attack? Most weeks, right?
How often do we believe these attacks are part of an ongoing battle between high-tech goodies and baddies? Most of the time, according to ongoing research.
But how often do we hear about the role any one of us can play in helping these attacks succeed? Not very often!
The vast majority of successful cyber-attacks succeed because of people – the unwitting actions of anyone in an organisation, regardless of their role or responsibility. But do we really understand that it’s our own people, who we see and talk to every day, who can help us most in managing our critical cyber-risks effectively?
I worry that we don’t care enough, or just believe we can make do with providing simple annual e-learning for all our people. It’s not enough!
Ciaran Martin, CEO of the UK’s National Cyber Security Centre, said at the Confederation of British Industry’s (CBI) Annual Cyber Security Conference in September 2017:
“So let’s get serious about understanding the human being in all this. Let’s stop talking nonsense about humans being the weakest link in cyber security… human factors techniques can maximise human performance while ensuring safety and security.”
In this vital area of staff training and development, the usual ‘all staff, once a year’ approach simply does not influence or sustain long-term behavioural change. At best, it reminds us of some essentials; at worst, it’s treated as a necessary evil, a distraction and something to be completed as quickly as possible.
Multi-layered technology and rewards
I would suggest that we’re at a crossroads in our collective corporate response to the cyber-risks we all face. One path is to continue investing in more technology and expecting that multiple layers of technical defence will suffice.
The other path, taken by the market leaders, pioneers and innovators, and increasingly by the ‘just plain sensible’, is to change direction and embrace an enterprise-wide approach which uses new methods to engage and openly reward good cyber behaviours, from top to bottom.
Training and security evolving together
A new, more collaborative approach is required, where information security and cyber awareness training is conceived as a continuous, ongoing and sustainable campaign. Just as our technical security controls must constantly evolve and adapt to combat changing cyber threats and vulnerabilities, we should also ensure all of our people maintain their awareness training and are provided, on a continual basis, with appropriate, practical guidance that fits the needs and requirements of our organisation.
I believe that the opportunity is clear: our people are our most powerful and cost-effective defence against growing cyber-attacks. Ignorance isn’t a defence anymore. The risks and potential impacts are too great.
Start your journey
Six key questions to ask about how cyber-security aware your organisation is:
1. How relevant is the awareness learning you’re providing to all staff?
2. Does everyone who needs awareness learning receive it?
3. How do you know people are engaging with your cyber security learning?
4. Is your awareness learning giving people knowledge they can use?
5. Do you have the right ‘tone from the top’?
6. How do you know your cyber awareness learning and training is effective?
The most cost-effective solution is indeed staring us in the face – all our people represent our greatest defence against cyber-attacks. Let’s work harder to engage them properly in our resilience.
Author: Nick Wilding
For more information about how Williams Lea Tag works with clients to provide best practice and dedicated solutions –