13 September 2017

CBI Updates Team

News

#CBICyber breakout session review: People and behaviours are your strongest defence

Employees remember stories over facts, so appeal to hearts not minds when engaging in cyber resilience


We are all enjoying the benefits of the digital age at home and at work, but with these advantages comes risk and cyber-attacks continue to grow.

Nick Wilding, General Manager at AXELOS RESILIA, talked to delegates at the CBI Cyber Security Conference about why adapting the human factor should sit at the heart of any business’ response to cyber security.

He explored ways to mitigate the chance of a cyber-attack by balancing the responsibilities of people, process and technology. He stressed that businesses need to know they’re a target, however powerful they are, and that no one is immune. Hackers are hunting ‘whales’ in the boardroom and will attack, steal and ruin reputations.

Nick explained the need for engagement at all levels in a business, with a goal of making better security decisions. Real-world security problems are often complex and require interaction to tease apart different perspectives. His presentation covered key engagement principles:

  • Cede control to the participants
  • Make all data collected by participants visible
  • Carry out research in everyday spaces
  • Engender a participative environment

A cyber-resilient culture is just as important as health and safety, which relied on high-profile disasters before being taken seriously. The concern is that the same will happen with cyber security.

Nick is working together with Lizzie Coles-Kemp, Professor of Information Security at Royal Holloway, University of London, to understand how people learn and what effective engagement looks like. The message was clear - one size does not fit all, and learning needs to sustain long-term behaviour change. Recent research quoted found that 45% of companies do no security awareness training and the majority rely on a tick-box approach.

So why do information security awareness programmes typically fail?

  • Reliance on checking the box
  • Failure to acknowledge that awareness is a unique discipline
  • Lack of engaging and appropriate materials
  • Key metrics are not collected
  • Unreasonable expectations
  • Reliance on a single training exercise

People need support to make better decisions, and a diversified approach to awareness, engagement and security will help, such as broadening the range of training by working collaboratively and using storytelling and social media. Effective learning principles include:

  • Ongoing, regular training
  • Adaptive and personalised
  • Engaging, relevant and valuable
  • Measurable benefit

People pay attention to leaders, and if there is buy-in at the top of an organisation, there’s a great opportunity to demonstrate how important information security is to everyone. People remember stories over facts, so aim to appeal to hearts and not minds.

Thanks to our partner AXELOS RESILIA for facilitating the breakout session. Join the live conversation on #CBICyber.