Are the people in your organisation your greatest asset or your greatest risk when it comes to cybersecurity?
This article in our business cyber education series will help you manage this conundrum.
Any organisation’s success relies on people, processes and technology working in harmony to deliver business objectives, to sell more products or services, increase market share and help or support more people.
Many security commentators and managers say that people are the weakest link; and that systems and data would be secure if it wasn’t for the people clicking on links, bringing malware into the organisation, given out information that they shouldn’t, work around good procedures and policies that have been put in place. This viewpoint is common although changing.
Many organisational commentators say that people are your greatest asset. If it wasn’t for your employees your organisation could not function.
Are your staff an asset or a risk?
Hewlett Packard in their white paper, awareness is only the first step: A framework for the progressive engagement of staff in cybersecurity, state:
“The human element plays a significant role in the successful delivery of security in today’s organisations. Security behaviour is greatly influenced by employees’ personal perception of risk. These perceptions can be changed.”
It is much easier to change a person’s perception than to try and change a person. Yet security training, policies and procedures on many occasions try and do just that. They try and mould people into doing things that essentially don’t make sense from normal human behaviour.
Learning from Shadow IT, research conducted by Iacovos Kirlappos, Simon Parkin, and M.Angela Sasse states that most organisations impart security on their employees through “mechanisms, policies and communication”, through implementing technical controls, implementation of security policies and methods of communication focused on fixing the problem or risk.
Security policies are normally implemented for the right reasons. What is normally lacking is an understanding as to the impact these will have in practical terms on how people work. Without consultation with employees, many policies are impossible or impractical in real terms to comply with or are burdensome or irrelevant.
An organisations response to any non-compliance is normally a mixture of a “hard approach”, implementing some sort of punishment or reprimand to ensure compliance or a “persuasive” soft approach, using coercion to correct behaviour such as re-training. Research shows that there may be some effect but that this is not significant nor sustainable.
People are your greatest asset
If people are your greatest asset then work with them on solving the problem to make it better although maybe not perfect. Use the hot spots on policy and non-compliance to design and re-design the security ecosystem, your risk reviews, the policy to manage the risk and any technical or procedural aspects implemented and your employee response.
Emma C from National Cyber Security Centre (NCSC) states “People are the only link in security. We need security that understands human behaviour. Security must work for people. If security doesn’t work for people it doesn’t work”. You can watch the full keynote video on YouTube.
The NI Cyber Security Centre would reiterate a view from NCSC and organisational commentators that people are a businesses greatest asset and your strongest link. NCSC's Emma W's video presentation from Cyber UK 2017 is a great insight as to why we need to balance security to how people work. Some security policies and guidance are crazy in practice and are still reiterated today “don’t click on an email attachment” or “your passwords need to be strong and different for every account” or “your need to ensure your staff are trained and made aware of good cybersecurity practices”
This advice is not wrong but it is often difficult for anyone practically to comply with it all of the time. Many employees would not click on a link if it thought it would cause damage. It is not practical to say never open a link, the business would grind to a halt. It is also challenging to have unique long strong passwords across all accounts and for staff to remember them all.
We need to be able to help our employees with these challenges.
Make your business secure enough
Security professionals say that there is no perfectly secure system. The challenge for businesses is to make the business secure enough. Secure enough to balance the risks of an investment to that of potential losses. There is no point in an organisation investing in security technology and processes that protect a company’s data if this is implemented in a way that makes employees working practices so difficult that they simply work around it.
Understand the context your staff use technology
A good starting point for organisations trying to improve their approach to cybersecurity is understanding the context in which their people are using technology. So, what are their stresses, challenges and drivers when using technology? Only when you’ve answered this is it meaningful to embed security measures within that context. Have ongoing dialogues with people to tap into their ways of working and co-creating security policies that address long-standing problems. This will, ultimately, make an organisation more effective and better able to cope with the unexpected.
Make security an enabler for your organisation and reduce the viewpoint that security always says no. It is important to state why a policy is being introduced, the risks it protects the organisation from and to work with employees in identifying hotspots in policy and practice that need attention, and ways to address this that maybe isn’t perfect but is better than not doing it or the potential workarounds that would result.
Watch this NCSC video on how collaborative discussion with staff can help with better and often simple interventions to design and policy decisions that help design the policies or help make the policies workable in understanding the practical context in which these apply. The irony here is that most employees break the rules to try and do a good job.
Remember to protect the greatest asset of a business and this is its people. Security should be an enabler, not a barrier to doing a good job safely.