“Laptops out,” “shoes off,” “coats off,” are the dreaded words that meet you before any outgoing flight. Annoying, yes; but I personally wouldn’t feel comfortable flying in airport that didn’t take these measures. We complain about the lengthy airport lines: we tut, we queue, and we abide by the procedures, gently reassured that security here is sufficient.
When cybersecurity requires human action, this level of acquiescence is difficult to find. The importance of security is under-rated in most organisations. While cybersecurity as an industry may be becoming more advanced, they are leaving the most important players, humans, behind.
Contrary to popular belief, the majority of data breaches are not caused by malicious external actors, but unwitting insiders. Forcepoint, an information security company, reports 64% of data loss is due to internal actors not understanding, and therefore not following, necessary security policies and procedures.
The traditional approach to cybersecurity is “threat-centric,” with companies focusing their efforts on creating policy they expect employees to follow, without taking the individual into account. Moving towards a “behavior-centric” approach that focusses on individuals' involvement with valuable data will allow companies to identify the high risk actors in their organisation.
This proactive approach will not only save on costs, but also improve the reputation of an organisation.
TalkTalk, a UK based telecommunication group, came under heavy fire in 2014/2015 after a series of security breaches and their previously lax approach to handling customer data. The company was not compliant with web security standards around the handling of credit card payments, did not encrypt its data, and did not segment its network which made the entire operation vulnerable.
Their response to the hacks may have been more alarming than the breaches itself, as their website was taken down following attacks, and representatives assured consumers that they would find the source of the problem, giving the impression they did not know what caused the hack and may not be suitably prepared for another one.
Virgin Media, on the other hand, is cited as being a great example of how a company should handle a data breach. They immediately informed their customers and engaged with them on a personal level, driving home the point that data is vulnerable and companies are still learning the best methods of managing it.
Both TalkTalk and Virgin Media approached their internal security retroactively, taking greater measures only after their systems had been compromised. But as more and more companies undergo digital transformation, moving their operations towards the cloud, it’s no longer the case of whether a data breach will occur, but rather, when. It is crucial companies take a proactive approach to data security across the board, starting with leadership.
Education, education, education
General Douglas MacArthur, a US WWII war hero, has been famously quoted saying, ‘Never give an order that can’t be obeyed.’ While the security concerns of the WWII era are a bit different to those of today, the same rule applies.
Employees’ accidental mistakes are most often due to overly complex rules and procedures around security. Organisations should ensure the cybersecurity policies they have in place can be realistically enforced and that employees can easily comply.
Education and training is key as non-security experts within the workforce need to understand what the stakes are so they understand the importance of abiding by the procedures in place. Apple, for example, has incredibly strict cybersecurity policies that their employees follow, as they have to safeguard their intellectual property to retain their competitive edge.
Training employees on the importance of cybersecurity can also benefit smaller organisations who don’t have the benefit of having CISOs and CTOs available at all times, as every employee would then be well equipped to secure data and understand the risks if they don’t.
Additionally, due process on how to report security breaches or rule breakers in the organisation is incredibly important as employees should know who to approach and feel comfortable doing so.
Finally, leadership and security teams should regularly review the policies in place to ensure that they are effective and that employees are compliant.
Cybersecurity is a relatively recent development and it is likely to face more bumps along the road. Organisations should be mindful of the necessity of cybersecurity, whilst also bearing in mind that creating a perfectly secure system won’t happen overnight. It will require transforming heavily ingrained (and usually negative) user behaviour and will require strong collaboration and communication across the board. While implementing this type of transformation will be challenging, it is crucial that organisations take these steps now.
The Humans are Coming... Cybersecurity evening took place on 9 July at The Cavalry and Guards Club. It was held in partnership with Forcepoint, with the aim of exploring the the threats posed by internal actions.
Forcepoint offers security software which takes a new approach. With a focus on intelligence and human behaviour, Forcepoint provides a new perspective on security with the intention to make an impactful difference in the cyber security space, to safeguard users, data and networks from internal and external threats.