Building a security culture is a medium-term project that requires information security to be viewed not as another in a line of ‘tick box’ compliance exercises, but as an ongoing process that is reflected in the way all employees – not just the IT team – think and act.
Organisations face a growing and ever-changing cyber threat. Changes in the circumstances businesses find themselves operating in present fresh opportunities for online criminals – the coronavirus crisis being the latest and obvious example, as highlighted by the UK’s National Cyber Security Centre (NCSC) in its annual review last year.
According to the UK government’s cybersecurity breaches survey 2020 (58-page / 1.1MB PDF), 75% of large businesses experience a cybersecurity breach or attack every year. Of almost half of all UK businesses to have reported such incidents, almost a third said they are experiencing them at least once a week, while almost a fifth said the cases had resulted in them losing money or data.
Phishing attacks are by far the most commonly reported, but many businesses said they had identified online impersonators, viruses, hacking of bank accounts and ransomware attacks too, among other forms of cyber attack.
The scale of the threat is demonstrated by statistics published by the NCSC. Between April and August 2020 alone, the NCSC’s suspicious email reporting service received more than 2.3 million reports from members of the public, took down or blocked access to more than 22,000 malicious links, and neutered more than 9,000 scams.
Against this backdrop, businesses are taking steps to improve their cyber resilience and their ability to respond quickly and effectively to incidents when they occur.
Our experience in deploying the Human Cyber Index is that building a security culture starts with speaking to your people
Many of the trends reported by the UK government are positive – cybersecurity has become a higher priority for a greater number of senior managers within businesses; the proportion of businesses carrying out cyber-related risk assessments and investing in threat intelligence has grown, and; more businesses than ever before are seeking external information and advice on cybersecurity matters.
However, information security is a team sport that requires everyone within an organisation to play their part. It is why a growing number of businesses are seeking to ingrain a security culture.
People used to be described as the weakest link in an organisation’s cyber defences. Indeed, data from the UK’s Information Commissioner’s Office, analysed by cybersecurity company CybSafe, suggests that human error was behind 90% of data breaches in 2019. However, our experience is that, where people fail, it is more often than not attributable to a lack of training or insufficient processes being provided to those individuals.
A growing number of businesses are realising that their staff can be an asset to their cyber defences if they build a security culture.
According to the Centre for the Protection of National Infrastructure (CPNI), the UK government’s national technical authority for physical and personnel protective security, security culture is “the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security”.
Pinsent Masons has developed the Human Cyber Index as an enabler of a security culture in businesses and public sector organisations. Our experience in deploying the Human Cyber Index, both internally and in implementing it externally with clients, is that building a security culture starts with speaking to your people. The main benefits from such an exercise is to challenge what a business thinks it knows about itself, and determine whether your security policies and processes are being adopted. It also helps to establish your people’s behavioural intent and how likely they are to exhibit secure behaviour.
Once a business has a handle on employees’ attitudes and approaches to information security it can identify where there are opportunities to improve.
Commonly, many employees might only encounter information security issues on dull, archaic annual training exercises. These are wholly insufficient to both engage staff on the topic of information security and educate them on, and raise their awareness of, the threat landscape and the proportionate behavioural response.
It is important to build trust with employees and empower them to make the right decisions. There should be regular touch points to learn, inform, escalate or just question. Things will build the rapport a business needs to ingrain a security culture.
Through the Human Cyber Index we have found that energising content and engaging campaigns will also get people’s attention and get them engaged on the topic of information security and in the habit of security-conscious behaviour. People’s attitudes to security can be transformed by presenting them with engaging digital content that is focused on their personal rather than organisational security. There is a role for competitions and league tables too to track performance against security goals and to reward positive behaviour.
That said, there is no point in spending money and time and energy on creative campaigns, if the processes and policies in place are sometimes difficult or too cumbersome for people to follow. The Human Cyber Index aims to identify any of these areas that need improvement to ensure people can adopt good security practice seamlessly.
Information security is a team sport. Building a positive security culture helps you protect your business. The right approach to doing this will be determined by listening to employees and engaging with them regularly with innovative, personable and engaging content that helps to deliver core security messages and ethos. This in turn enables businesses to be transparent, build trust and educate its teams on good cyber practices.