Cyber Security for the Overworked, the Uninterested and the Innocent Spectator
Emma Osborn - 5 Nov 2018
When I train people about cyber security decision making I tell them this:
I could just as easily say that technology helps people and cyber security makes sure technology is less likely to help people make mistakes.
People are integral to an IT system, because the main things that IT systems do are facilitate communication and reduce cognitive burden.
Fortunately people aren't robots, but unfortunately they're not robots.
People make mistakes... all the time. It's inevitable, it's difficult to fix with technology and represents at least one step in the majority of successful breaches. Our people are our biggest attack vectors, because we have to give them access to the IT systems that support them.
What takes a hacker longer: working out where the flaws are in the software you use, or guessing a few email addresses of people in your finance team? When we talk about hackers, we're just as likely to be talking about con-artists who know how to hack a human as about the stereotype of the teenager who's spent too long on the dark web.
Recently the financial ombudsman released a statement suggesting that banks shouldn't automatically assume that customers losing money in online transactions have been grossly negligent. Their reasoning? That hackers often put significant energy into duping their victims.
As the people who make decisions about cyber security inside our businesses, it's really important we're aware of the same issue. Our employees don't arrive with the intention to make a mistake. When they break the rules it's often because those rules stop them doing their jobs. They may not be aware of the risks this behaviour places on the business.
So what are some steps we can take to reduce the risk of cyber security mistakes?
Policies give you a chance to articulate the things that you're worried about. They also let you formalise your processes, giving consistent requirements to your employees, providing information as they arrive in the business and often letting you add consequences for misusing the IT system to your employment contracts.
If you don't know how to write a policy I've developed some templates with SEQ Legal, which are a good place to start.
Having a policy in a binder somewhere isn't enough. You have to communicate your cyber security requirements to the people who are expected to stick to them.
There's a growing expectation that proof of training is proof of due diligence, especially where cyber security measures have been put in place for data protection. However, the most important reason why the business owner or someone like me stands up in front of employees to explain a cyber security policy is to tell people the why that goes with the what.
Telling people why you need to achieve something helps them engage with the problem, broadens their understanding of what you need them to do, and doing so in person makes it more likely they'll listen.
The majority of businesses engaging with cyber security are doing so to reduce a real risk, not to tick a box.
Pressure is the hacker's friend. If they can introduce a sense of urgency and consequences then it's significantly easier to fool their mark.
Realistically, do you have any suppliers who are likely to phone or email you saying "if you don't pay in the next 30 minutes I will take you to court/refuse to deliver today/cut off your access to a critical service"?
How often do you get a phone call from a customer saying that the sky's on fire and they need rescuing yesterday?
When you tell an employee to finish something this week, do you mean that the business will fail without that deliverable?
Tell your employees that nothing's ever that urgent, so that you're building a culture where people think before they react or find a way around a cyber security protocol.
People are easily distracted and overloaded with information. It takes time to build a habit, so if you're reading something about security that's relevant to the business, forward it on to your employees. Not all of them will read it, but small improvements in cyber security awareness are reducing a far greater risk than the average piece of security technology will touch.
There are always exceptions and times when there is a genuine urgency to solving a problem. However, if you haven't learned your own rules, if you ask your employees to make a different exception every time you task them, or if you think the rules don't apply to you, you're undermining your own policy.
Cyber security policies are living documents and business processes are complex, with limited documentation. Nobody gets it right first time and everything changes as technology evolves, but if you're consistently circumventing your own policy, that tells your employees that security is unimportant.
Expect to update your policy when these constant work-arounds come up. Then set a good example, because you don't want to be the person who causes the breach!