People and cyber risks
Cyber threat is a problem. 90% of large UK organisations suffered an information breach in 2014. But ask an IT manager what keeps them awake at night and they are likely to say “my colleagues”.
Human error is responsible for around two thirds of data breaches in the UK with only one third being caused by malicious outsiders.
These human errors vary widely: the use of weak passwords, people losing mobile phones that contain confidential information, accidentally forwarded emails, and people succumbing to phishing attacks that steal login details.
Why are people such a risk? There are three main problems: ignorance, inconvenience, and trust.
When were you last trained on cyber risks? Chances are that if you don’t work in IT you won’t have had any training beyond an IT “policy” hidden somewhere in your employee handbook.
And yet there are cyber risks everywhere: people who use public wi-fi to log on to your corporate network; people who store sensitive information such as a new product design insecurely in the “cloud”; people who accidentally give away strategic plans through conversations or behaviour on social media.
It isn’t sufficient to tell people about the risks. You also need to help people understand the importance of complying with information security policies. Too many people feel that security policies are irrelevant: perhaps they think a security breach won’t affect them; or they feel that it’s not their job to police security; they might even think they are too important to bother with security rules.
Badly designed systems that are inconvenient to use are another major cause of cyber risk. If security requirements get in the way of doing a job efficiently, people will look for ways to get around them. Usable systems need to be developed with input from users, so that they protect corporate systems but avoid hampering employees. Forget that simple rule and expect the number of information breaches to grow.
The fact that most people are very trusting is also a problem for cyber security. Passwords get shared because people trust colleagues to act appropriately – even though sometimes they don’t. And trust is the reason that so many people fall for phishing attacks.
People are social animals. Because we trust people we have a tendency to follow the crowd. If everybody is doing something, then we will do it too. This is particularly true when that “everybody” is influential. In other words, if the CEO is seen to be routinely flouting cyber security requirements, they shouldn’t be surprised if the rest of the company does it too.
Managing people risks
Managing cyber risk isn’t easy – because managing people isn’t easy. You can tell them what to do but that doesn’t mean they will do it!
Nonetheless, the first step is education. Explaining cyber risks and why they are important should be done face to face. Do it regularly to keep it front of mind. And use different media to keep awareness up: emails, posters, on-screen messages, “advertisements” on the intranet. And socialise it: use the fact that we are social animals by presenting and discussing cyber security advice in groups, and by encouraging people to share best practice.
Back up your education with appropriate tools – to make it easy for people to comply with the guidelines, or to monitor and manage people’s compliance. There are numerous tools, although of course the resources your organisation has to hand will dictate how many can be used.
Consider email management tools that can encrypt content, prevent alteration of emails, or manage the distribution of content and attachments. Investigate “bring your own device” tools such as software that allows mobile devices to be locked or even wiped if they are stolen. Password sharing is also a problem, especially in relation to corporate social media accounts. The solution here may be implementing “single sign-on” systems that allow people who sign on to a corporate network to be given access only to those systems they are authorised to access.
You may also want to stop your employees from being so trusting. A good place to start is with an anti-phishing tool. These allow organisations to create and circulate spoof phishing emails which flash up warning messages when clicked on and record data about who is being fooled by them.
Finally, ensure that you manage people appropriately. Personalise the information they get so that it is perceived as relevant. Play games with them such as spoofing phishing attacks and seeing whether they fall for them. Give them instant feedback about the things they do well – and the things they do badly. And don’t expect people to change all of their risky behaviour overnight – push them gently towards safety by suggesting a series of small changes over time.
It’s important not to forget network security when thinking about cyber security. But with so much information being held and used outside the corporate network it is vital to address the very real cyber risks that your employees represent.