Business processes and cyber risk

Cyber risk doesn’t just involve malicious techies hacking into corporate accounts. It can also involve risk to everyday business processes: “process cyber risk”. Unfortunately, because the IT Department is kept busy defending the corporate network from the hackers, these process risks are often left to themselves.

What do I mean by process cyber risk? Quite simply, a risk of loss or damage to an organisation caused by a weak business process combined with the use of computer technology. These weak processes are often found within finance departments, but you will also find them in HR, in marketing and across organisations.

Process risk and identity

Many business processes rely on a particular document being signed off by an authorised individual. As many processes migrate online, the assumption is that the sign-off process can also be undertaken online. Sign on as an individual and perhaps you have authorisation to access a particular document or process.

As most people have to log in to company systems with a password and a name, this shouldn’t be a problem. Except that passwords get shared. Busy people often share log-in details with juniors, allowing unauthorised people to access systems and documents that they are not authorised to access.

Any authorisation process that simply relies on someone logging in with name and password is weak because it is easily subverted. Issuing “dongles” as a second-factor authentication device isn’t much better as these can get shared (unless they are integral to a company identity card). Robust processes where sensitive data or decisions are concerned should assume that a password has been shared (or stolen) and require additional security such as a second pair of eyes.

Process risks and finance departments

One big risk for finance departments is invoice fraud. This can happen in several ways. A common way is for thieves to gather information about a company, perhaps the news that it is investing in new technology. They will then use this information plus other easily obtainable assets such as company logos and the names of senior people in an organisation to put together a scam.

This might involve an email “from” a director of the organisation to a mid-ranking person in the finance department asking for an invoice to be paid promptly; the invoice, which is of course a fake, is attached to the email.

In other cases the invoice is genuine. For instance thieves may pose as a supplier and ask for details of any unpaid invoices. They then resubmit a genuine invoice – but with the bank payment details changed.

All too often the unwitting finance executive passes the invoice for payment. Once the money has reached the thief’s bank account it is quickly transferred to another account making it unrecoverable.

This type of fraud is big business. Earlier this year Ubiquiti Networks disclosed that thieves stole $46.7 million in this way. In the UK, meanwhile, the police’s Action Fraud service received reports of around 750 in the first half of 2015. And of course many similar frauds go unreported – or undetected.

What can you do to protect against this? Well, start by educating staff about the nature of the threat – all staff, not just those in the finance department. Ensure that the details of all invoices are scrutinised carefully: Is the logo up-to-date? Is the email address correct (perhaps it is a .org instead of a .com)? Are the bank payment details the same as usual (if they have changed then telephone someone you know at the supplier to ask for confirmation)? And take extra care with larger invoices, for instance requiring them to be checked by two separate people.
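The invoice checks above can be made routine rather than left to an individual’s vigilance. The following is an added example (not code from the original post): it compares an incoming invoice against the supplier master record and returns the follow-up actions the post recommends. The supplier names, domains, account numbers and the two-person threshold are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Supplier:
    """What the finance team already holds on file for a known supplier."""
    name: str
    email_domain: str      # domain the supplier normally writes from
    account_number: str    # bank details on the supplier master record


@dataclass
class Invoice:
    """The details lifted from an invoice that has just arrived by email."""
    supplier_name: str
    sender_email: str
    account_number: str
    amount: float


def check_invoice(invoice: Invoice, suppliers: dict, two_person_threshold: float = 10_000.0) -> list:
    """Return the actions an invoice needs before it is passed for payment.

    An empty list means nothing unusual was found. The threshold for a second
    checker is an assumed value; set it to whatever your own policy says.
    """
    supplier = suppliers.get(invoice.supplier_name)
    if supplier is None:
        return ["unknown supplier: do not pay until the supplier has been set up and verified"]

    actions = []

    # Is the email address correct? A .org where the supplier uses .com is
    # exactly the kind of swap the post warns about.
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != supplier.email_domain.lower():
        actions.append(
            f"sender domain {sender_domain!r} differs from the supplier's "
            f"{supplier.email_domain!r}: verify the sender"
        )

    # Are the bank payment details the same as usual? If not, confirm by
    # telephoning someone you already know at the supplier, not a number
    # printed on the invoice itself.
    if invoice.account_number != supplier.account_number:
        actions.append("bank details differ from the supplier record: telephone a known contact to confirm")

    # Larger invoices get a second pair of eyes regardless.
    if invoice.amount >= two_person_threshold:
        actions.append("large invoice: requires checking by a second person")

    return actions


# Constructed sample data: one known supplier and a resubmitted invoice whose
# sender domain and bank details have both been changed.
SUPPLIERS = {
    "Acme Widgets": Supplier("Acme Widgets", "acmewidgets.com", "12345678"),
}

SUSPECT_INVOICE = Invoice(
    supplier_name="Acme Widgets",
    sender_email="accounts@acmewidgets.org",
    account_number="87654321",
    amount=25_000.0,
)

GENUINE_INVOICE = Invoice(
    supplier_name="Acme Widgets",
    sender_email="accounts@acmewidgets.com",
    account_number="12345678",
    amount=1_200.0,
)

if __name__ == "__main__":
    for action in check_invoice(SUSPECT_INVOICE, SUPPLIERS):
        print("-", action)
```

Run as a script it lists the three actions raised by the suspect invoice; the genuine one raises none. The point of the design is that the comparison is against data the finance team already held before the invoice arrived, so a fraudster who controls the invoice cannot also control what it is compared with.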

There are other cyber risks within finance processes – and often these are internal risks, initiated by employees. Examples include purchase fraud, when personal items are bought using company money or when required items are bought at inflated prices, with the purchaser then getting a kickback at a later date. Again fake emails can be used to support these purchases. And again simple processes can disarm the threat.

Process risks within HR

Within HR there are numerous process risks. Let’s start with recruitment. The risks here can involve social media profiles designed to misinform, perhaps with fake endorsements or untrue job details. Looking at a LinkedIn profile is an easy way to identify potential candidates – but it is important to realise that the profile you see may well be substantially embroidered.

Another short cut, especially when looking for “knowledge leaders”, is to see what sort of “rating” candidates have on sites like Superficially this is fine. However, it is essential to be aware of how people are rated by the site (for instance what data is used) before making a judgement using this type of data as you may well be given an untrue perspective.

Another risk of using social media to identify candidates is that you open yourself to accusations of discrimination. An attractive CV may not have information about age, ethnicity or sexual preference. Social media will. You really don’t want to know this sort of information, but once you know something you can’t “unknow” it: and this can open you up to accusations of bias. It isn’t unknown for companies to commission an edited summary of a candidate’s social media profiles, with anything that could lead to accusations of discrimination taken out, in order to de-risk the profile before it is given to the recruiter.

In fact HR is full of cyber risk, especially where social media is concerned. There may be problems with the posts employees make on social media. There may be issues around bullying or discrimination at work. And maintaining a positive “employer brand” can be very difficult if an ex-employee starts to deride their old employer online on sites such as Glassdoor.

Process risk and marketing

Process risk is also very at home in marketing. Again social media is one of the culprits. Not everyone, even in marketing, is a social media addict. Senior marketers frequently hand over their brands’ social media profiles to junior marketers, or even interns, because “they have a Facebook page”.

It’s a mistake. Not only is it likely that the output will be poor, the junior marketer may well (they frequently do) break advertising regulations (for instance by glamorising alcohol), or even fair trading laws (e.g. by including “spontaneous” endorsements from paid celebrities).

This shouldn’t be difficult: there is no reason that the processes that govern advertising in general can’t be applied to social media.

Procurement and cyber risk

Finally there is procurement – and the process of ensuring that third party suppliers don’t represent a cyber risk. This is a huge area of risk and one that is not always well appreciated.

The issue is not just that the third party may be insecure (for instance the massive hack of US retailer Target came about via an insecure supplier), and that it is hard to know whether they are secure or not. It is also that people working for a supplier who have been given access may then leave the supplier without you being told: and as a result they retain access to your information, perhaps after they have joined a competitor. In addition, suppliers may well have their own reasons for being a risk – they are in dispute with you, they are in financial difficulty, they have been taken over by a competitor…

Business processes frequently have the potential to be undermined by online technologies. It takes imagination to identify where the threats lie. However once they have been identified, actions to reduce the effect of the threat are often very simple.

Does your cyber security have the right aura?

Can cyber security have auras?

How can cyber security have an “aura”? It sounds like a meaningless question. But step back a little and think about how direct marketing works.

Commonly, people in direct marketing use a simple mnemonic to describe the steps they take consumers through when persuading them to buy: AURAL. I think this is relevant for cyber security.

AURAL stands for Awareness, Understanding, Relevance, Action, and Loyalty. In other words:

  1. You start by making people aware of your product
  2. You move on to helping them understand what it does – its benefits and features
  3. Then you persuade them that the product is relevant for their own needs, that it solves a particular problem they have
  4. Next you call them to the action you want them to take, which is generally putting their hand in their pocket and shelling out for whatever you are selling
  5. And finally you hope to generate some loyalty so that they will come back and buy again, and perhaps even recommend your product to their friends.

As I said, this process (which by the way doesn’t have to be linear) is pretty relevant for cyber security too. Except that “loyalty” isn’t really appropriate. But rather than simply getting rid of the “L” I am going to change it to an S: AURAS. The final S stands for Socialise. You will see what I mean in a moment.

So what do I mean by “AURAS”?


As with direct marketing, in cyber security we need Awareness. This is aimed at keeping cyber threats, and the need for cyber security, at the front of everyone’s minds.

You might create awareness with posters (remember to move them around and change their message so that people don’t become blind to them), emails (personalised messages can be highly effective), messages when people start their computers up or start to do certain things (again remember to change them), even things like mugs and mouse mats which can be given to reward cyber safe behaviour.


It isn’t enough to be aware of a threat though. People also need Understanding about what they can do. For instance, if you have a policy of insisting on complex passwords that are changed every month then you need to give people the tools to do this – otherwise they are likely to write their passwords down on sticky notes and put them on their monitors, hardly the cyber safe behaviour you want to encourage. (There is a hint about complex passwords at the end of this post.) This is where training comes in: helping people understand how they need to behave to keep safe.


You also need to ensure that people feel the training they have had has real Relevance to their own lives. Not everyone lives to work. Most people regard work as a way of getting the things they want in life. Of course their job is important – so stressing that unsafe behaviour could damage their employer, and hence their own job, is one tactic.

A stronger tactic though (and one that might even generate a bit of gratitude) is to show them how being cyber safe can help them outside their work life – protecting their identity, their bank accounts, their children’s physical safety.


Now you need to call them to Action. This involves communication at the moment they are doing something. For instance, BAE’s email security service has a very handy feature: if a user is tempted to click on a link in an email (generally accepted as unsafe behaviour unless you are certain who the email is from) they can be served a CAPTCHA image which makes them stop and think about what they are doing before they click on the link.

(I haven’t seen these images: it would be nice to think that instead of a standard CAPTCHA image such as a random set of numbers they contain a little message like “Are you sure?” or “Links can hurt”.)


And finally you need to Socialise cyber safe behaviour into the organisation. The aim will be to make unsafe behaviour socially unacceptable – just as drink driving, not showering after a lunchtime run, or eating fish soup at your desk are all pretty unacceptable.

One of the most powerful ways of socialising behaviour is telling people that the majority of their fellows act in the way you are hoping to persuade them to act. This doesn’t have to be complicated. For instance Northern Illinois University halved the amount of binge drinking by students simply by promoting the message “Most students drink in moderation.” People follow the crowd.


AURAS: it’s a great way of thinking about the different things you need to do to change the way people think about cyber security and to change the way they behave.

An easy way to complex passwords

Now I did say I would give you a tip about remembering complex passwords that change every month. It’s easy. You need two things: a memorable phrase; and a date “protocol” (I’ll explain).

Let’s say your IT people have demanded a password of at least 12 characters that includes at least one of each of the following: upper case letter, lower case letter, number and symbol. They also want you to change it every month.

First of all, the phrase. This isn’t the same as a “pass phrase” where people use several words as a password: there is some evidence that this isn’t very secure.

You need to think of a phrase such as: I love my job at Acme Widgets, Dorking! Take the first letter of each word and the symbols and you get: 1lmj@AW,D! (the word “at” is useful as it turns nicely into a symbol and the “I” is useful as you can turn it into a number 1).

Now think about a date “protocol”. A really simple one might be to use the first of the month. It’s October 2015 so that makes: 01 10 15. Just for a bit of fun I am going to put the first three numbers at the start and the last three numbers at the end. So my password this month is: 0111lmj@AW,D!015. Easy to remember and I can change it every month.
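To make the two steps above concrete, here is an added example (my own code, not from the original post) that derives a password from a memorable phrase and the first-of-the-month date protocol exactly as described, then checks the result against the 12-character, four-character-class policy the IT people demanded. The phrase and date are the post’s own; the function names are mine.

```python
import string
from datetime import date

# The two word-level swaps the post uses: "at" becomes "@" and "I" becomes "1".
WORD_SUBSTITUTIONS = {"at": "@", "i": "1"}


def phrase_to_core(phrase: str) -> str:
    """Take the first letter of each word, keep any punctuation that follows
    the word, and apply the "at" -> "@" and "I" -> "1" substitutions."""
    parts = []
    for word in phrase.split():
        stripped = word.rstrip(string.punctuation)   # "Widgets," -> "Widgets"
        trailing = word[len(stripped):]              # the "," that was removed
        if stripped.lower() in WORD_SUBSTITUTIONS:
            parts.append(WORD_SUBSTITUTIONS[stripped.lower()])
        elif stripped:
            parts.append(stripped[0])
        parts.append(trailing)
    return "".join(parts)


def monthly_password(phrase: str, when: date) -> str:
    """Date protocol from the post: the first of the month as ddmmyy, with the
    first three digits in front of the phrase core and the last three behind it.
    Any day in the month gives the same password, so it changes once a month."""
    stamp = when.replace(day=1).strftime("%d%m%y")   # October 2015 -> "011015"
    return stamp[:3] + phrase_to_core(phrase) + stamp[3:]


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The policy stated in the post: at least 12 characters, with at least one
    upper-case letter, one lower-case letter, one number and one symbol."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() and not c.isspace() for c in password)
    )


if __name__ == "__main__":
    pw = monthly_password("I love my job at Acme Widgets, Dorking!", date(2015, 10, 1))
    print(pw, "meets policy" if meets_policy(pw) else "does not meet policy")
```

The policy check is the part worth keeping even if you pick a different phrase: it is the same test the system will apply, so you can see before the monthly change whether a new phrase will be accepted.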

Keep cyber safe!

Why Human Resources need to engage with cyber security

You may think that cyber security is something for your IT department to manage. If you work in Human Resources, you need to think again. Because cyber security is very much your responsibility.

No, I am not saying you need to go around seeing if your organisation has installed the latest firewall or if all your Internet of Things ports have been secured.

What you do need to do though, is to check whether your colleagues across the organisation are cyber safe.

That’s because only around one third of data breaches are caused by malicious outsiders. The rest are caused by insiders, your colleagues: acting foolishly, carelessly, and yes sometimes maliciously.

What can go wrong? A lot of things. Personal information about customers is leaked because a laptop gets left in a taxi. An email leads to an unintentional contract variation. A social media post leads to a libel suit. An unwary worker shares their log-in details, leading to data theft.

So what should you be doing?

Start with strategy

A good place to start is strategy. Most organisations have some understanding of cyber risk. But often they focus on protecting corporate networks from external risks such as hackers. What is your organisation’s cyber security strategy? Does it include sufficient analysis of internal “human” risks? If it doesn’t then you need to work with the Information Security team to identify and manage these human risks.

Develop practical policies

Developing appropriate policies to help manage cyber security and spell out the “rules” is important. You are likely to need policies in several areas: web and computer use, data privacy, social media use at work, a “Bring your own device” policy to manage personal phones and tablets, and even policies about the software and cloud services that people are allowed to use.

Writing these policies should not be a “tick box” exercise. They need to make sense: they should be easy to understand by everyone in the organisation; and they need to benefit your organisation. They shouldn’t simply be designed to make the IT department’s life easier. Sure, pouring digital super-glue into all the USB ports would stop people uploading corporate data to insecure USB sticks, but it might not improve business efficiency. HR executives, with a feel for wider business needs, as well as an understanding of what will motivate or demotivate employees, are an essential part of any cyber policy development process.

Training: tell people how they should behave

The next step is training. Training is essential because without it most people won’t know how to act in a cyber safe manner.

You might as well accept that almost no one is going to read your policies. So you will have to tell everybody about them, face to face. And it won’t be enough to read out a list of rules and corresponding sanctions for disobedience. Apart from putting everyone’s backs up, people will generally ignore rules if they don’t know why they are in place. You will need to explain what the rules mean, why keeping to them is important, and quite possibly when they can be ignored (and when they can’t).

You will need to train the way people think too. This isn’t just about describing dangers: it’s about how people interact safely with colleagues, with suppliers and customers, and with people outside the organisation. It’s not about following rigid processes: it’s about understanding how to avoid risk in the first place. For instance you can’t tell people the precise information to avoid sharing on social media. But you can help them understand what types of information they shouldn’t share and how competitors can draw conclusions from seemingly innocent pieces of data.

Build continued awareness

Don’t think a one-off (or even annual) training session will cut it though. You need to keep awareness of cyber safe behaviour at the front of people’s minds. This means developing assets designed to deliver continued awareness of cyber risks – posters (that change design and location regularly), screen savers, sign in messages, even mouse mats and mugs.

Develop a cyber secure culture

An even more important issue for HR to address is culture. An organisation that doesn’t take cyber security seriously is unlikely to be changed by training and awareness. HR may need to address underlying cultural assumptions.

Start by auditing the security culture. Do this from the perspective of employees: what cyber risks do they know of; what do they think of existing security processes; to what extent do they feel security is their responsibility? And do it from the perspective of the organisation: how are employees expected to behave; what sort of resources are provided for security; is dangerous behaviour stopped, tolerated – or not even noticed?

Once you know what needs to change, you can start thinking about how to do that. Build persuasion tools, such as leader boards of cyber-safe behaviour; incentivise safe behaviour with praise or other rewards – and make sure it is not disincentivised accidentally; ensure that leaders walk the cyber security walk; develop an intolerance to unsafe behaviour. (“Why are you putting my job at risk by doing that?”)

But don’t develop a blame culture. That way you will just drive unsafe behaviour underground.

Encourage people to be less trusting

Sadly, one element of culture you will need to work on is trust. People are often very trusting and this can be a problem for cyber security. They need to be taught to question: emails don’t always come from the people they appear to, friendly people on the phone aren’t always who they say they are, confident people striding round the office without a visitor’s badge don’t necessarily have the right to be there. Defending against people who take advantage of trust doesn’t need complex software: it needs awareness, sometimes combined with robust processes.

Make sure cyber security is usable

HR teams also need to work on the usability of any security processes.

By their nature most IT people are very logical. In addition they understand the purpose of systems they are developing. And of course they are focussed on their responsibility to protect IT systems.

In HR you are also focussed on cyber security. But you may have a wider view of the organisation. Almost certainly you understand what motivates people. You understand how people perform their tasks. And you probably provide a receptive ear to frustrated colleagues. In fact you are probably going to be one of the first people to hear about cyber security initiatives that are counter productive – because they cause blocks in efficiency. And you may even hear how people would like to alter them.

All this means that you are in pole position to identify usability problems, to construct the analysis that proves (to sceptical colleagues in IT) problems exist and to make the case for change.

Monitor “off network” activities

Not everything that should concern your organisation will be happening within your corporate network. Your colleagues, almost inevitably, will be using social media. And many will be commenting on colleagues, clients, your organisation and your industry. In addition they may be using cloud computing services such as Dropbox and Google Docs to store, edit and share corporate information. This type of activity needs to be managed, to preserve information security and to protect reputation.

Recruit sensibly

When recruiting, watch out for people who may not be cyber secure. Anyone who comes from a competitor boasting they can bring a list of clients on a disk may well be less than trustworthy. You might also need to think twice about people whose social media posts are irresponsible – perhaps complaining about their current employers or giving information away about new initiatives.

Keep an eye on risky people

Some people will be higher risks than others. Sometimes this will be a result of personality. For instance sales people are likely to be more open, and possibly more trusting, than finance people. But that’s not where the real risk lies. The people you will need to monitor most closely are those who feel disengaged from your organisation. These may include temporary staff, new recruits during a probation period, people on low pay or in boring jobs, people who have handed their notice in, and people who are having difficulties at work, perhaps experiencing disciplinary procedures.

Yes, cyber security really is an issue for HR

Human Resources managers may not be particularly focussed on technology. But they have a responsibility to learn about cyber security because the role that HR can play in preserving security is an enormous one. In other words, if your HR and IT departments are not working closely together on cyber security you are opening your organisation up to some major and unnecessary risks.

Eight steps to change cyber security culture

Hackers are always a problem. And naturally, your IT Department has network security buttoned down. But they are probably more worried about something else: you and your colleagues.

The big challenge in cyber security is people. It is how to change an organisation’s culture from relying on IT for security into one where everyone takes responsibility. Everyone, from the CEO to the newest intern.

John Kotter famously proposed an eight step process for changing organisational culture, starting with “Establish a sense of urgency” and finishing with “Institutionalise the change”. Well, most people realise that the cyber security problem is pretty urgent. So I thought I’d outline a separate set of eight steps that organisations can follow to strengthen their cyber security culture.

Step 1. Build your guiding coalition

Start by building a multifunctional team to guide change. Cyber security shouldn’t be solely the responsibility of IT, so you will need people from across the organisation to be involved: sales, marketing, operations, finance… This is essential so you get buy-in across the organisation.

More importantly though, if your approach to security doesn’t take account of the way people work, it will fail.

Step 2. Form your vision and scope out your intentions

Next you need to form your vision for cyber security. That should be simple: to protect your assets, reputation, efficiency and information from computer based threats, and to ensure that your digital information is private, is accessible by people who have authority, and has integrity (think “the truth, the whole truth and nothing but the truth”).

In addition you will need to identify the scope of your vision: who it applies to, and what assets, processes and information are relevant. You will also need – and this is a big task – to identify the risks that your vision faces and how best to manage them.

Step 3. Define the details of what you want to achieve

Out of your vision will come the detailed policies you need around cyber security (including policies on IT and web use, Bring your own device, Privacy, and Social media). These need to be expressed in clear language: avoid techie jargon at all costs. Having a truly multifunctional team should mean that the policies should be relevant and effective for your whole organisation.

Step 4. Build new processes

Based on your policies you will be able to identify the tools you need to implement and the processes you need to develop that will help to protect you from cyber risks. It is vital to include a cross section of employees in the design of these systems. Without them you are likely to end up with unusable, frustrating and inflexible processes. If that happens your workforce will soon be looking for ways to work around them. So remove any barriers to people being cyber safe.

Step 5. Educate

Bring your policies to your workforce and educate them about any new tools and processes. Tell them why cyber security is important – for your organisation but also for them personally. And make sure they understand what they should do if they have problems or if things go wrong (as they surely will).

Don’t rely on one-off training sessions: make sure that security is constantly “front of mind”, with reminders using different techniques, messages and media hitting them as often as possible.

Step 6. Persuade

You can “educate” all you want, but if you fail to persuade them about the importance and effectiveness of what you are proposing then you won’t change anyone’s behaviour.

There are lots of methods that you can steal from marketing and from behavioural economics here. For instance, make sure authority and other credible figures are seen to follow the rules (if the Chief Exec is lax with security you can be certain everyone will happily follow their example). Prove to people that your new ways of working actually deliver benefits. Help people realise that they face constant and sometimes personal risks but (and this is very important) that there is plenty they can do to keep safe.

Keep an eye on how people are incentivised as well. Not about cyber security but about their every day tasks. Don’t put incentives in place that could persuade people to behave in an insecure manner.

Step 7. Socialise cyber security

Kotter talks about “enlisting a volunteer army” and that’s exactly what you have to do. You need everyone in your organisation buying in to the idea of cyber security. Part of this will be ensuring that “the organisation” behaves properly: if it is seen to be cavalier with the security of customer data for instance your internal processes will lose credibility. Ultimately you want your workforce disapproving of people who behave unsafely.

Disapproval doesn’t mean developing a blame culture. That would be very damaging – given the ever changing nature of cyber threats you need people to be able to feel safe if they make a mistake or if they respond wrongly to a new threat. But you do need people to accept cyber safety as the norm and as something that has value in protecting their career and indeed themselves personally, as well as protecting their colleagues and the organisation as a whole.

You might want to take some ideas from Sales as well – leader-boards for people who are particularly effective, prizes for good behaviour, simple recognition for jobs well done…

Step 8. Monitor and enforce

Measurement is very important. Your organisation needs to know how well it is maintaining a positive security culture. Identify some relevant KPIs so you will know if you need to take remedial action.

Enforcement is also important. If people who act unsafely are seen to get away with it then others will quickly follow them. Regular negligence and malicious behaviour may need disciplinary sanctions. More often than not though, you will simply need to offer a little “re-education”. And treat this as a learning opportunity for the organisation as well as the individual concerned. After all if someone is regularly breaking the rules it could well be the fault of the rules!

Selling cyber security to the Board

Fact 1. Almost all businesses rely on computer technology and this reliance is increasing.

Fact 2. Last year around two thirds of British SMEs experienced a cyber attack.

Fact 3. Two thirds of SMEs don’t regard themselves as at risk from cyber attacks.

Why is there this big disconnect between the risks that SMEs (and in fact all organisations) face, and the way that risk is perceived? Perhaps it is something to do with the way the whole concept of cyber risk is “sold in”. So here are a few do’s and don’ts when trying to persuade senior colleagues (or clients) of the importance of cyber security.

Don’t use FUD (Fear, Uncertainty, and Doubt). Telling people that their world is about to end is likely to have one of two results: they may be so frightened that they avoid thinking about the problem at all; or they will get angry with the threat and turn that anger on you as the bearer of bad news. Either way you won’t get anywhere with them.

Do describe some of the things that can go wrong, but explain that these risks can largely be managed and that there is no need to panic if they take the appropriate actions (which you can help them with). Emphasise that there are practical solutions within reach and that, while 100% security can never be attained, there is a lot that can be done to reduce risk to acceptable levels.

Don’t use the cost of cyber attacks as a motivator. For many companies the cost of the average attack is really quite small. The average cost of a major security breach at a large organisation is £1.4 million. Sounds a lot if you are a one-man plumbing band, and it might be a lot compared with your salary or your budget; but it’s nothing if you are a Board Director of a major retailer. (Note the FUD in the headline – what about the cost of minor security breaches, what about small organisations?)

Do talk about business problems and emphasise that the real damage is likely to be to reputation, staff motivation, compliance failure, and the leakage of strategic information. Oh, and it can cost you quite a bit too.

Don’t make it all sound difficult. If you start using jargon and describing complicated technology then all you will do is convince your colleagues that you should be talking to the IT department and not them.

Do explain that cyber security is a people problem, not a technology problem. It can impact anywhere in an organisation and needs to be managed by the whole organisation and not just the IT department. After all, most problems are caused by insiders – accidentally, because people trust too much, because security systems are not usable (and so don’t get used), or simply because people don’t understand the risks.

And finally, make it personal. Explain how cyber unsafe behaviour can put their own possessions, and more importantly their own reputations, at risk. If they appreciate that they need to act in a cyber safe manner, the chances are that they will accept that their organisation also needs to be cyber secure.

Why your employees are your biggest cyber threat

People and cyber risks

Cyber threat is a problem. 90% of large UK organisations suffered an information breach in 2014. But ask an IT manager what keeps them awake at night and they are likely to say “my colleagues”.

Human error is responsible for around two thirds of data breaches in the UK with only one third being caused by malicious outsiders.

These human errors vary widely: the use of weak passwords, lost mobile phones that contain confidential information, accidentally forwarded emails, and people succumbing to phishing attacks that steal log-in details.

Why are people such a risk? There are three main problems: ignorance, inconvenience, and trust.

Ignorance

When were you last trained on cyber risks? Chances are that if you don’t work in IT you won’t have had any training beyond an IT “policy” hidden somewhere in your employee handbook.

And yet there are cyber risks everywhere: people who use public wi-fi to log on to your corporate network; people who store sensitive information such as a new product design insecurely in the “cloud”; people who accidentally give away strategic plans through conversations or behaviour on social media.

It isn’t sufficient to tell people about the risks. You also need to help people understand the importance of complying with information security policies. Too many people feel that security policies are irrelevant: perhaps they think a security breach won’t affect them; or they feel that it’s not their job to police security; they might even think they are too important to bother with security rules.

Inconvenience

Badly designed systems that are inconvenient to use are another major cause of cyber risk. If security requirements get in the way of doing a job efficiently, people will look for ways to get around them. Usable systems need to be developed with input from users, so that they protect corporate systems but avoid hampering employees. Forget that simple rule and expect the number of information breaches to grow.

Trust

The fact that most people are very trusting is also a problem for cyber security. Passwords get shared because people trust colleagues to act appropriately – even though sometimes they don’t. And trust is the reason that so many people fall for phishing attacks.

People are social animals. Because we trust people we have a tendency to follow the crowd. If everybody is doing something, then we will do it too. This is particularly true when that “everybody” is influential. In other words, if the CEO is seen to be routinely flouting cyber security requirements, they shouldn’t be surprised if the rest of the company does it too.

Managing people risks

Managing cyber risk isn’t easy – because managing people isn’t easy. You can tell them what to do but that doesn’t mean they will do it!

Nonetheless, the first step is education. Explaining cyber risks and why they are important should be done face to face. Do it regularly to keep it front of mind. And use different media to keep awareness up: emails, posters, on-screen messages, “advertisements” on the intranet. And socialise it: use the fact that we are social animals by presenting and discussing cyber security advice in groups, and by encouraging people to share best practice.

Back up your education with appropriate tools – to make it easy for people to comply with the guidelines, or to monitor and manage people’s compliance. There are numerous tools although of course the resources your organisation has to hand will dictate how many can be used.

Consider email management tools that can encrypt content, prevent alteration of emails, or manage the distribution of content and attachments. Investigate “Bring your own device” tools such as software that allows mobile devices to be locked or even wiped if they are stolen. Password sharing is also a problem, especially in relation to corporate social media accounts. The solution here may be implementing “single sign on” systems that allow people who sign on to a corporate network to be given access only to those systems they are authorised to access.

You may also want to stop your employees from being so trusting. A good place to start is with an anti-phishing tool. These allow organisations to create and circulate spoof phishing emails which flash up warning messages when clicked on and record data about who is being fooled by them.

Finally, ensure that you manage people appropriately. Personalise the information they get so that it is perceived as relevant. Play games with them, such as spoofing phishing attacks and seeing whether they fall for them. Give them instant feedback about the things they do well – and the things they do badly. And don’t expect people to change all of their risky behaviour overnight – push them gently towards safety by suggesting a series of small changes over time.

It’s important not to forget network security when thinking about cyber security. But with so much information being held and used outside the corporate network it is vital to address the very real cyber risks that your employees represent.

Ten cultural barriers to cyber security

Cyber security doesn’t only get breached because clever hackers manage to break through your cyber defences. Ask most IT professionals and they will say that the people they fear most are their colleagues.

Why is that? Why does business culture so often mean that the employees of an organisation are such a major cause of cyber damage?

Of course it depends on the organisation, but here are ten common reasons (plus a bonus reason) why employees can cause trouble.

1. It doesn’t matter

Everyone knows that what you say on the internet, especially on social media, doesn’t matter. It’s unofficial, it doesn’t count legally, and it’s not important. Hmm, ask Sally Bercow and countless like her who have found out otherwise. Anything you write on social media (or in an email, or in an online or mobile message), cannot be unwritten, can be archived and may have an impact on any legal, compliance, contractual or HR wrangles you become involved in.

2. It’s too difficult

We have all experienced directives from IT like this: “Passwords must be changed every month, must contain numbers, capital and lowercase letters, and symbols, can’t be the same as a previous password, and must be at least 12 characters”. If things are too difficult people will simply ignore them, or find ways of working round them. Force people to use an impossible password protocol and expect to see their passwords on Post-it notes stuck on their screens – hardly secure. (Or ask me how to help them remember “random” passwords that comply with these rules.)

3. It’s inconvenient

This one is similar to the “too difficult” reason. Make people’s lives hard – for instance by forcing them to log on too many times or go through over-complex routines to get data – and you can be sure that they will invent clever ways of getting round the obstacles you have imposed. And if they can’t get round them, well, you are simply making them spend a lot of time on unconstructive tasks.

4. It’s a waste of time

If people don’t understand why you have put certain security procedures in place then they will simply ignore them. Few people (in British culture anyway) follow the rules just because they are there. (After all, “rules are for the obedience of fools and the guidance of wise men.”) People want to know why they have to do something. And if they think they are being forced to do something unnecessary, a lot of people will simply ignore the requirement: after all, their time is too valuable to spend on pointless activities.

5. I thought it was the right thing to do

If you don’t train people in best practice they won’t know what is appropriate. Give your social media marketing to an intern (because they use Facebook and you don’t) and they will do things to your brand you may not be too happy with. Let inexperienced people “chat” with customers by email in order to develop better relations and they may accidentally agree to contract variations that take all the profit out of hard-won deals. Fail to protect crucial documents from unauthorised “helpful” editing and you may have a problem on your hands. Honest people doing the wrong thing is a cause of real concern.

6. I didn’t realise it was a problem

If people simply don’t know something is dangerous then they may well do it. What harm could there possibly be in sharing that social media password with your colleague? Why should it matter if I download a list of our customers to my smartphone – it will be handy when I am on the road? What is wrong with discussing our plans for expansion into China/our new IT security software/our search for a replacement marketing director (delete as appropriate) on LinkedIn? Education is a key part of cyber security.

7. It’s a laugh

The Labour Party’s Twitter-based policy promising everyone free owls was amusing of course. But not everything that is meant as a laugh is amusing. Online jokes can be misinterpreted and end up as discrimination cases or damage corporate and brand reputations. Social media jokes, especially those made in bars at 2 a.m., are rarely as funny as you think they are at the time and may result in you being fired. Don’t do it. Tell your colleagues not to do it.

8. Just in case you sack me

This is a difficult one. Especially if you are intending to sack them. Employees who feel threatened will often take data out of the office via email, cloud services, memory sticks or smartphones. Some organisations lock down their information – no mobile devices, no data downloads. Most can’t (or won’t) do that though: it demotivates people and reduces efficiency. So unless you are in an organisation that is very risk averse, the best way forward is to protect the most important information (blueprints, strategic plans, customer lists) by passwords and restricting access, and trust people to deal fairly with the rest (they won’t, but the reality is that most of the information they can access will be of little real value to your competitors).

9. It’s none of your business

“So you want to have access to the data on my smartphone in return for letting me use it for work? Why should I let you do that?” Because if you don’t then I will be unimpressed with your loyalty and your business acumen; and that will have an effect on your career prospects. And just as I retain the right to read the emails you send out on the company system, and review the websites you visit, so I need to be able to demand access to (and potentially destroy) the data on your personal mobile devices if you are using them for work. I’ll only do that if there is a problem, and if I need to. But it’s the company’s data after all.

10. I hate you all

Disaffected employees (political activists as well as people with grievances) may well be tempted to cause cyber security breaches, perhaps by destroying information or by making it easy for others to steal information. The way organisations respond to this threat will depend on their appetite for risk. Making systems too secure will reduce efficiency: that may be a price worth paying if you are running a nuclear power station, but most organisations will want to reduce the risk from disaffected employees while maintaining flexibility. Scenario planning is one way of managing this: imagine that a senior IT executive decides to steal the client list. How can you prevent them? Disaffected employees are a major threat, and unless you use your imagination to identify how this threat might appear, you will be unable to manage it.

Bonus reason: I’m the boss, don’t tell me what to do

It’s not the boss’s fault if you are too frightened to tell them (tactfully of course) why a certain way of behaving could cause problems. And if you feel you can’t tell a senior executive that their behaviour is putting the organisation in danger then try to find someone who can. Security is the responsibility of everyone in an organisation: cleaners, interns and receptionists as well as Directors. So if you are the boss and run an organisation where people are too scared to tell you there is a problem, well you deserve that cyber breach.