Cyber security: why people are a business' strongest asset
22nd April 2019
This article is adapted from a talk given by Cursor’s Managing Director Daniel Westlake at the launch event of the Lincolnshire Cyber Security Forum on 17th April.
There comes a point where everyone declares that their IT skills are not up to scratch, whether it be a complete tech novice who can’t even access the internet, a competent user who lacks specific knowledge, or an experienced member of staff defeated by a particularly stubborn problem. There is always a hurdle which can’t be cleared, and with IT there is always more to learn.
Unfortunately, rather than encouraging their employees to learn, there are many businesses that will simply outsource any problem to their IT department. The problem gets solved, but nobody learns anything. At best, an employee will learn by rote, following a strict list of instructions in order to solve the problem. Over time this approach creates a skills gap between the employees who use the technology and the IT department who understand the technology.
This skills gap can have unforeseen consequences when it comes to cyber security. IT departments would sooner protect staff than make the extra effort to educate them, but this castle mentality misses a fundamental point: businesses aren’t castles.
If a business sees its own people as a weakness when it comes to cyber security, then systems can be set up to distrust every email and restrict use of websites and software, just to make sure that staff don’t do anything ‘stupid’. However, no system provides 100% protection, and the human error factor cannot be accounted for. If a staff member has never seen a phishing email, they are more likely to click on one that makes it past the firewall.
People are often seen as the greatest weakness of a business’ cyber security, and when you consider that over 90% of cyber attacks are caused by human error, it’s easy to see why. That isn’t the fault of the individuals, but the situation isn’t going to improve unless attitudes change.
The construction analogy
Back in the 1960s, construction sites were a lot more dangerous than they are today. Each worker was responsible for their own safety, but there were not many rules in place and little education about the risks. Accidents happened, and in most cases nobody could be held accountable.
In the 1970s, Health and Safety legislation was introduced to keep workers safe. Site managers and health & safety executives were responsible for enforcing the new rules, but this life-saving legislation was not universally well-received. Many people complained about the new guidelines, many of which seemed entirely arbitrary and prevented people from doing their jobs.
This is where cyber security is now. Businesses bombard their employees with instructions to protect against cyber attacks, but without telling them why. Like the construction workers of yesteryear, the modern employee won’t be inclined to follow instructions unless they know why they are doing so.
Eventually, the culture in the construction industry changed. Employees were given explanations of how their actions would ensure the health and safety of themselves and their colleagues. Everyone knew what they could do to keep the site safe and would call out problems as they occurred - leading to a safer work environment for everyone.
We need to see the same cultural change in cyber security so that everyone understands the part they have to play in keeping the digital work environment safe and secure.
The idea that people are a business’ greatest weakness is a self-fulfilling prophecy. When businesses adopt a castle mentality, keep their employees in the dark and fail to educate them in how to combat cyber threats, it’s no wonder they don’t know how to spot the warning signs.
But the reverse is also true. A business which empowers its employees, shows them why cyber security is such a pressing concern and teaches them how to identify the dangers, will soon find that people can be the greatest asset in the war against cyber crime.
Take phishing emails for example. Employees in a business which doesn’t test its own cyber security will never learn how to spot suspicious activity. The first time they receive a phishing email, they may not be able to spot the warning signs, and a single click is all it takes to covertly install malware on your system.
Sending fake phishing emails is a great way to ascertain how prepared your employees are. Those who fall for the scam and click the link will have to be educated about the dangers of phishing emails and how to recognise them. Therefore, when a genuine phishing email shows up in their inbox, they will know exactly how to deal with it.
Businesses should also have a cyber security incident response plan in place, so that every employee knows exactly what to do in the event of a security breach. Whether it’s the IT team working to isolate the breach or the receptionist cancelling appointments in anticipation of a hectic week, everyone should know how to respond when the worst happens.
A model example is provided by Norwegian aluminium and renewable energy company Norsk Hydro, hit by a ransomware attack which affected 160 sites in March 2019. They had a thorough incident response plan in place and switched immediately from automatic to manual operations.
Senior figures within the business held daily press conferences to keep the public updated and provided specific information about their progress during the recovery stage. They were transparent with their customers, and their share price was not badly affected.
Everyone working for the company knew exactly what to do when the cyber attack hit. Some who were on holiday voluntarily came in to help out. After the event, Norsk Hydro praised its employees as “heroes” for their ingenuity and commitment that kept production going during the crisis.
Norsk Hydro set the high-water mark for how a business should respond to a cyber attack, and showed why it is so important to be prepared for the worst.
Being prepared for a cyber attack is not just about protecting employees. It’s about giving them the power to fight back by educating them about the dangers of cyber attacks and helping them to understand why it is important to have an incident response plan in place.
Every employee should be shown the steps they need to take to work safely online, and they should know exactly what to do in the event of a cyber attack. Only by being prepared can a business hope to withstand a serious attack or data breach.
It will take time for this proactive mindset to become an integral part of your company's culture, but it is an approach that all businesses should take. People don't have to be your organisation's greatest weakness - they can be its strongest asset.
Photo by Kerrin Wilson