Cyber security: why your people are your most effective defence
When the majority of successful cyber attacks succeed because of human error, are you doing enough to stop them?
Many organisations continue to invest in multiple layers of “intelligent” technical controls to protect themselves from cyber attackers. Yet security breaches continue to grow in their scale and impact. There’s something missing in our organisational response to the risks we all face.
The fact is that the majority of successful cyber attacks succeed because of human error.
Everyone has a role to play in protecting hard-won reputations and competitive advantage. But how can we truly engage all our people in being more vigilant and cyber aware? And how can we ensure awareness leads to a long-term change in behaviour?
Good old storytelling can be the way to connect to new audiences, helping to reinforce effective cyber resilient behaviours by making the risks relevant.
Jim Baines, CEO of Baines Packaging, a highly respected mid-sized US packaging firm, recently wrote an open letter to his peers in other organisations following a catastrophic cyber attack. It’s an emotional plea:
“It never occurred to me that I, as the CEO, might be a target. We’re immune, aren’t we?
"That’s what I thought. Now my company, which I built from nothing over nearly 30 years and into which I poured everything I had to ensure its success, is losing clients, losing money and most importantly, losing credibility. My reputation has been badly damaged along with my relationships with my customers, my peers and my friends.
"So, if you’re a business leader you need to know that you’re also a target. Everyone on your board is a target. No one is immune and everyone is vulnerable, no matter how powerful or successful they may be.
"You need to know that and you need to take action. NOW.”
Sadly for Jim, he had to learn this the hard way. Imagine the narrative if it had been you...
It only takes one person
Effective corporate resilience to the cyber risks we all face is fundamentally as much about our people and their behaviours as it is about technology. Jim simply clicked on an innocent looking email and the rest took care of itself.
The recent WannaCry and Petya ransomware attacks demonstrate how quickly an attack can escalate, as well as highlighting how easy it is to exploit our human vulnerabilities. It only takes one person in the organisation, who is not as aware or vigilant as they should be, to enable a cyber attack to succeed.
This is today’s reality. From the boardroom to the engine room of any organisation, and in the businesses we work with – everyone has a specific role to play in protecting our most precious information and assets. An organisation’s people can and should be its most important and cost-effective defence against attacks. As Verizon’s 2015 Data Breach Investigations Report highlighted, upwards of 90 per cent of all successful cyber attacks succeed because of human error.
In this vital area of staff training and development, one size doesn’t fit all. The current “all staff, once a year” approach does not influence or sustain long-term behavioural change. At best, it reminds us of some essentials; at worst, it’s treated as a necessary evil, a distraction, and something to be completed, and forgotten, as quickly as possible.
We need to take a different approach – one that moves beyond the tedium of the annual “tick-box” exercise and provides simple, practical guidance to help people make the right decisions at the right time.
I believe there are five simple guiding principles to adopt when considering your approach to your cyber awareness training campaigns:
- Leadership: Get those at the top involved to highlight the positive benefits of resilient behaviours, assist in rewarding and inspiring all staff and illustrate just how seriously your organisation is committed to protecting its most sensitive information.
- Reinforce the message: Memories are fragile, so refresh the learning content and delivery techniques with your staff on a regular basis. Combine engaging online learning content and formats with offline activities to help sustain and instil an understanding of the new behaviours and why they matter.
- Accommodate different learning styles: People learn differently so develop your campaign around a lively mix of online formats – games, animation, simulations and videos.
- Use every means at your disposal: Always stay agile, always adapt, fine tune, pilot new techniques and react quickly to the latest attack stories and how they affect your people.
- Storytelling: People remember stories more readily than dry facts. Great campaigns have great stories to tell. Use realistic scenarios to bring the message home.
This last point brings me back to Jim Baines, CEO of Baines Packaging. Jim’s story is a fictional account, inspired by real-life events, of a damaging cyber-attack on a CEO, his organisation and its clients.
Storytelling works. We make sense of our lives through stories. In the highly technical, jargon-heavy world of cyber security a compelling story can resonate with audiences where dry reports and training fail to connect. As a Harvard Business Review article highlighted in 2014:
“A story will go where statistics, data and quantitative analysis is denied admission: our hearts. Data can persuade people, but it doesn’t inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul.”
Imagine your stories if your people are not as aware and vigilant as they could be…
Join Nick and Lizzie Coles-Kemp, Professor of Information Security, Royal Holloway, University of London at the CBI Cyber Conference on 13 September 2017 for their session ‘From the boardroom to the engine-room: how to make your people and their behaviours your strongest defence’ and discover how you can make your people your most effective defence against cyber-attacks.