For every nook and cranny of an enterprise’s digital landscape, from devices to data centres and networks, email inboxes and web browsers, there’s a bit of kit or software to defend it. Organisations are getting mired in an ever-growing ecosystem of tools and products to monitor, mitigate and respond to every kind of attack, hack, breach and bug. You would think with this arsenal at our disposal, the problem of cyber threats to businesses would be all but eradicated – but actually, all signs point to the opposite being true.
2014 has been declared the ‘year of the breach’ after a spectacular series of cyber attacks and insidious threats like the ‘Shellshock’ and ‘Heartbleed’ vulnerabilities peppered the headlines. This year is already looking like round two and more of the same. If this has taught us one thing, it should be that throwing money at technology on its own just isn’t working. So what’s the missing piece of the puzzle?
Technical questions like which tools to have in place, or whether to encrypt or not to encrypt data still remain crucial. But many experts, such as Chris McIntosh, CEO of communications security firm ViaSat UK, are emphasising that the human element of cyber security is just as essential a component.
‘The simple fact is that criminal organisations and hackers have far more resources and time at their disposal than any single potential target,’ says McIntosh. ‘As a result organisations need to take a complete approach using a combination of people, process and planning to minimise the risks they face.’
Attackers will generally go for the weakest point in any system, so removing as many of those weak points as possible should be the first approach.
‘Investing in technology alone is not enough to provide this, so culture also needs considerable attention,’ McIntosh adds.
Cyber criminals are likely to go for the path of least resistance, which is often the employee. It all begins with user awareness training, which is the single best thing you can do to improve security across your organisation. The importance of creating a culture where everyone is committed to protecting the organisation’s information can’t be overstated: research from IT solutions firm Trustmarque has shown that it’s often employees themselves who are causing security problems, usually without the firm even knowing about it.
Around 40% of office workers in the study admitted to using a cloud application they know hasn’t been approved or provided by IT departments, while one in five users uploaded sensitive company information to file sharing and personal cloud storage applications. A further 27% confessed they deliberately circumnavigated the restrictions of corporate IT.
But as Trustmarque’s CTO James Butler notes of the study, it needs to be remembered that in the vast majority of cases employees break rules in order to be productive, rather than from a desire to be difficult or cause issues. There is often a disconnect between what employees know they should or should not do and what they’re actually doing. Sometimes this comes with the best of intentions, simply to get a job done; when employees decide, or are told, to disregard a security measure, it’s usually because it is impeding a task.
‘Since employees continue to engage in insecure practices online, even when they know it isn’t approved by the company,’ says Butler, ‘the onus has to be on the companies to change rather than allow potentially sensitive data to be uploaded to applications which are not enterprise ready.’
Baked in, not bolted on
So what can the company do to create a ‘security-conscious’ culture? In programming, the concept of security being ‘baked in’ is nothing new. It used to be the case that security was an afterthought, but over the decades, developers have learnt to ‘code in’ or ‘bake in’ protections to their code to prevent things like buffer overflows and stack exploits. The same applies to the security of an organisation and its people.
‘If security is “bolted on”, IT is told they have to deploy something that will protect data, so they give people tools,’ explains Tony Pepper, CEO of Egress Software Technologies. There are then no real rules or policies to dictate how and when these tools should be used.
‘Often there is no real understanding or education around why they should use these tools, the consequences of failing to do so, or when they need to use them,’ says Pepper. ‘In many cases, people are not properly trained, making the technology a barrier to productivity.’
When security is baked in, technology is matched with processes and user education, meaning that security is integrated into employees’ daily working lives. Security becomes second nature to everyone, from the IT team to the janitor.
The number one way for companies to foster a culture where security is baked in is to continually educate employees, from the outset, about why certain activities have been blocked. For example, points out Trustmarque’s Butler, in the case of cloud applications, when companies communicate with the workforce and offer alternative apps that share familiar features but carry lower risk, employees feel empowered and have no reason to circumvent IT.
‘By using apps and devices they enjoy, rather than being restricted, more ‘cyber-healthy’ behaviour develops,’ says Butler. ‘Consulting and providing feedback to employees is also important as it means IT is in a strong position to give guidelines on approved applications, policies and alternatives.’
Providing clear consultative advice ensures IT is seen as a trusted provider; staff will want to be informed and discuss their IT queries so they can get the job done and improve business processes.
‘Ultimately, this open approach will give IT greater visibility and insight into what applications users are deploying,’ Butler adds.
And by analysing the activities that pose the greatest risk (such as sharing data outside the company) IT departments can specifically block them to mitigate risk while allowing employees to continue using their favourite applications.
Take it from the top
Many experts would argue that developing cyber security as a culture is the same process as developing corporate culture: it should come from the top down, and leaders need to lead by example.
Chris Yule, principal security consultant at Dell SecureWorks, advises that someone at the top of the organisation be given formal responsibility for information security, so that the culture is driven from them.
‘You need to have that single person building a global view so that you understand the risks you face and can make appropriate investments,’ says Yule.
Once that view is available, communicating the vision to the right people becomes much easier.
But as Daljit Paul, head of IT services company Networks First, emphasises, a ‘top down’ approach to cyber security culture should not be about spying on staff, intruding or enforcing policies on them, but rather about building trust within the company.
‘Quite simply, if your employees value their work and respect the company,’ says Paul, ‘they’re far more likely to want to see it succeed, and part of that would be to make sure that they remain security conscious. The learning process should be fun and engaging for the employees.’
A great example of this is organisations carrying out online tests of their staff’s knowledge and offering prizes for the highest score.
‘This ‘carrot’ approach is far more effective than the ‘stick’ approach and likely to deliver more effective adoption of the policies.’
Bridging the generation gap
‘Baking in’ security really means getting the whole company involved from most junior staff right through to the board of directors. But not every individual is the same. Organisations should bear in mind the different attitudes towards security between more seasoned employees and younger generations of ‘Millennials’ entering the workforce.
‘With Generation Y now in the enterprise, the workforce of most organisations has become increasingly tech savvy,’ says Matt Middleton-Leal, regional director UK and Ireland for security software company CyberArk. ‘However, this does not necessarily imply improved security.’
As James Henry, consulting practice manager at IT consultant Auriga points out, newer generations entering the workforce are more likely to be able to understand technical IT security and the reasons for it due to their exposure to the exponential growth and proliferation of technology over the last couple of decades.
‘Technologically savvy with a high exposure to all types of media, Millennials – or Generation Y, soon to be joined by Z – are highly adaptable and capable of creating and utilising data over multiple platforms,’ says Henry. ‘They’re very comfortable with abstract concepts, such as virtual consumerism and the cloud, and socialise as much online as they do in real life. But technical competence doesn’t necessarily make for better security awareness. Security is absolutely not a technical challenge; it’s about people and process.’
For a generation raised on technology, the idea of putting people and process first may seem arcane, while technological solutions offer reassurance. So, says Henry, the enterprise needs to work at fostering a security-aware culture.
‘In the future, threats will almost certainly be greater, if not in number than in scope and sophistication, and it’s the Millennials that will fight the good fight for us, so it’s important to get this right today.’