Cyber security best practice: Definition, diversity, training, responsibility and technology

As part of Information Age's Cyber Security Month, we look at cyber security best practice - everything from defining it to the importance of training.

Cyber security is a business problem, not a technology one.

The misconception that it is a technology problem is the greatest challenge facing businesses across entire industries, according to Ina Wanca – founder of AI Governance, and former director of Cybercrime Prevention at the Citizens Crime Commission of NYC, where she pioneered and led the Predictive Prevention Lab.

“I think the problem that we have right now is that a lot of the CEOs of organisations – in general – believe cyber security is a technology problem,” said Wanca.

Definition

What businesses really need to understand is how to create a cyber security culture. This culture should focus on the employee, because the human understanding of cyber security is lacking. And, this lack of understanding is, by far, the biggest contributor to data breaches.

A challenge when entering the cyber security domain, explained Wanca, “is to expand our understanding of what really is cyber security. It’s not just a technological field, or a technology problem, it’s a managerial and operational problem.”

“In general, we need to expand the definition of cyber security, in order to attract people from more diverse backgrounds. This will help attract more women to the field, in particular, who don’t necessarily have the technical skills. They are more suited to some of the positions that require communication or behavioural sciences skills, which are useful in tackling some of the challenges in cyber security.”

Women represent only 20% of the global cyber security workforce, and their inclusion will be vital in improving cyber security best practice, in the face of growing cyber attacks and more stringent regulation.

Diversity

Again, cyber security is not a technology problem. The human factor – the insider threat – is the most important weak point in the cyber security chain.

“The majority of the cyber attacks (93%, looking at even last year in the United States) have occurred because of preventable human error,” said Wanca.

The vast majority of cyber attacks or data breaches occur because hackers are using deception to impersonate human behaviour. This means that technology itself cannot stop all of the cyber attacks.

Responding to this realisation, organisations need to create training that is going to help employees understand how their digital proficiency impacts the environment they work in. A lack of cyber security understanding – on an individual level – leads to greater operational risk.

“We need to have diversification in the thinking process, and that comes from bringing different types of people into the discussion,” said Wanca. “This will help address the challenges and problems that need to be solved in the cyber risk domain.”

Women make up half the population, and yet, are severely underrepresented in the cyber security industry

This idea of diversification extends to the hiring process. Currently, when companies are looking to hire – for example – a cyber security analyst or manager, they are looking for people graduating with a computer science degree. Of course, this experience should be a requirement. However, the hiring process in cyber security should also extend to people who don’t necessarily have technical backgrounds. These are people who have graduated with a degree in humanities or behavioural science, or similar, as it adds another perspective on the issue of cyber security.

Organisations need to move away from the idea that cyber security is limited to knowledge. If this idea persists, companies will simply keep hiring the same engineers, and the cyber security problem will continue. “Engineers can’t clearly communicate what exactly and how exactly we need to prevent and stop the hackers,” explained Wanca.

“Hackers are people who are very smart and sophisticated, but they’re looking for easy ways to get in. And one way to do that is by using the oldest trick in the book, which is human perception.”

“Companies should bring a diverse group of people together, in order to tackle the persistent issues, put together proper programmes and training that can help companies to limit their cyber risk.”

Cyber security training

It is increasingly evident that the companies that spend a lot of money on technologies to monitor and protect their network traffic are not solving the issue. The focus needs to be on making sure that employees can self-learn about cyber attacks, and that they understand where the risks are and which ways of thinking expose them to online attacks.

“This is achieved with training, and with information sharing with cyber security best practice between departments as well,” said Wanca. “We also need to have people that think about the different types of cyber attacks, methodologies and motivations as well.”

Software is not the end-all solution – there are too many vulnerable devices and points of entry. Businesses have to marry technology with human training to be able to really help prevent the majority of the attacks, and then plan for mitigation.

Intelligent solutions can be used to create personalised training that can help individuals to self-learn on an ongoing basis.

Wanca pointed to a personalised training system she developed in partnership with Carnegie Mellon. Here, they wanted to create an exercise to help employees stop phishing emails. The exercise worked like a human tutor: an online training in which the training itself could assess the knowledge of the employee, tailor the training to their skillset, give feedback and help them through the process of learning.

“This is the type of training that organisations need,” said Wanca. “The ones that are really more personalised and can help the individuals more effectively to understand the issue. The majority of the training that exists right now is ‘one size fits all’.”

Responsibility

The responsibility for cyber security depends on the company. But it all boils down to who is in charge of the budget – the C-suite executive. “In a large insurance company, for example, the CTO is the one that will propose spending the money, and create the resources necessary to deal with cyber security,” said Wanca.

“If it’s a $1 billion insurance company, the CTO will likely propose that to the CEO, and the board of directors, who then take the decision for a new department to be created. At CTO level or CIO level, you have a budget to start the process of creating a team that can improve the situational awareness around cyber, and when hiring a more diverse workforce.”

“Having said that, it all depends on the company and how the organisational structure works.”

Technology

Cyber security is a business problem, not a technology one. It has been made clear that training and the building of more diverse teams are more important in cyber security best practice than implementing a new, ‘shiny’ technology.

However, this is not to say technology should be overlooked – especially regarding prevention. Artificial intelligence, for example, is an umbrella technology that will disrupt the cyber security industry and how cyber security solutions are developed.

‘AI-led solutions’ are already being used by companies to detect abnormal network behaviour. At the same time, hackers are also using artificial intelligence. “There are, right now, artificial intelligence-based attacks,” said Wanca. “There are artificial intelligence phishing scams, meaning that hackers are using different machine learning skills to find out how key employees in companies act and communicate, so that they can mimic the culture and create the best way to deceive the employee of the company.”

“They also use machine learning to prioritise their targets. Cyber security attacks are not, anymore, random. They’re more personalised.”

The more companies use ‘artificial intelligence’, the more it will help them detect these attacks and support intrusion detection.

Artificial intelligence, machine learning and automation solutions can be used for prevention. But, “organisations have to be smart about using it, and create better training that uses AI to create better prediction algorithms; that can, for example, detect what in the behaviour of the employee could be triggered, which could expose the employee or the person to attack.”

Moving forward, the use of AI will be important in understanding what future attacks will look like and how to prevent them.
