Emma Osborn - 8th Oct 2018

On the face of it using technology is getting much much easier... Last month my (now retired) mum managed to teach my 88 year old gran how to use email, so accessibility is heading in the right direction. The problem is that easier also comes with some compromises. Technology users have to be given freedom to, well, use the technology. 

That means that security experts can't lock a piece of software in a chest and drop it into the deepest part of the ocean, they have to configure their technical measures to enable its use rather than obstruct it. And this is where the biggest problem lies: users can’t be expected to be exemplary implementers of cyber security, cyber security experts can't be expected to never slip up, and yet the access we give to people also gives them the power to make expensive mistakes. So in comes the discussion about cyber hygiene.

There is no easy technical panacea for cyber risk. Unfortunately cyber security is about managing the squishy parts of the IT system too... and securing your people comes with challenges that have nothing to do with challenges your IT team can't fix on their own.

What are the basics?

First things first:

• The people who use your it systems aren't making mistakes because they're poorly educated, dumb or negligent. If the people you’re trying to educate think you're talking to them like idiots they probably won’t engage with what you're saying. Whatever technology you use to secure your systems, the end users will always have some capacity to make mistakes.
• Telling people what you need them to do is only a tiny part of the task. You also have to listen to why they can't do what you ask every time, understand why some teams are assimilating your requirements better than others and work out when the rules are so restrictive that users are tempted to circumvent your entire IT system to complete a task.
• The basics of securing your people includes (among other things) the development of a cyber security policy; training employees about the content of the new policy; making sure there is a go-to person for answering security questions in the business, and that they’re visible to as many employees as possible; and testing any plans you have in place in case of a cyber security incident.

If you don't know where to start writing a cyber security policy, I’ve written some templates in collaboration with solicitor Alasdair Taylor, which you can find here. Basically, if you want people to act the way that you want them to, the first step is deciding what you need and communicating that to your employees.

Of course the scope of these tasks depends on the size of the business and the amount of time available – just like technical cyber security measures, the cost of implementation needs to stay within budget. It might be more difficult to evaluate cost when considering this type of security measure, but it's always worth considering which human interventions are available as options for reducing risk. 

Why? Because these decisions will typically end up being your last line of protection if the technology hasn’t plugged all the gaps in your security fence.

What do you need to be aware of as you write these rules?

People choose the secure option when that’s the easy option.

If you're struggling to get your people to act more securely, it's not because they don't understand, it's because you're also inadvertently incentivising them to ignore your rules.

For example, the IT team can see that there are fewer mistakes happening involving clicking on malicious links in emails, etc., but the number of people accessing public clouds such as Google Drive is increasing. Last week an employee was caught sharing customer personal data with a subcontractor via their private cloud account. An investigation revealed that the cloud provider’s terms of use now meant that they owned the right to use data in a way customers haven’t consented to.

Why are employees finding one cyber measure easier than the other?

The way that the IT system works, the pressure they're out under to do their work, or even an obstacle caused by technical cyber security measures, might be leading them to entirely avoid using the business' IT infrastructure in favour of their own choice of IT provider.

Another example might be when one specific team seems not to be getting more secure. The number of issues IT has had to deal with everywhere else in the business is slowing down a bit, but in one team the employees are making the same basic mistakes over and over again. 

• Are they being led to make mistakes? Possibly their manager or an influential member of the team is telling them that achieving something else is more important (or that cyber security is unimportant).
• Are they under more pressure to deliver their project than other teams?
• Do the people in this team think they deal with things that are far lower risk than other departments, making the security measure disproportionate to the problem?

When you're trying to understand why someone’s choosing not to do cyber security, the key is to look at what is costing them in terms of time and what that might be stopping them from doing.

The perfect example of this is password management. Creating one strong password is easy. Managing the 50-100 passwords any IT user has been lumbered with, in a way that doesn’t make it easy for hackers to guess what they are, is extremely challenging. Sometimes employees need usability more than they think their employers need security.

Why is the dialogue about cyber security shifting towards developing a “culture of security”?

If nothing else this article should have convinced you that securing your people is a challenge that writing rules and telling people about them can only begin to address. 
Moving to a culture of security recognises that helping people become more secure is about lots of small tweaks and nudges... And sometimes having to revert back to old processes because the new ones disrupt some undocumented practices that the business relies on.

Training people that cyber security is a process of ongoing improvement takes the pressure off of them to be perfect – and so may help them find the courage to report their mistakes in time for you to fix them. In addition, the mind-set of constant improvement might improve their ongoing engagement with the information and advice you supply, meaning that a greater proportion of your employees remain aware of evolving security threats.