Cyber Security for the Overworked, the Uninterested and the Innocent Spectator
Emma Osborn - 8th Oct 2018
On the face of it, using technology is getting much, much easier... Last month my (now retired) mum managed to teach my 88 year old gran how to use email, so accessibility is heading in the right direction. The problem is that easier also comes with some compromises. Technology users have to be given the freedom to, well, use the technology.
That means that security experts can't lock a piece of software in a chest and drop it into the deepest part of the ocean, they have to configure their technical measures to enable its use rather than obstruct it. And this is where the biggest problem lies: users can’t be expected to be exemplary implementers of cyber security, cyber security experts can't be expected to never slip up, and yet the access we give to people also gives them the power to make expensive mistakes. So in comes the discussion about cyber hygiene.
There is no easy technical panacea for cyber risk. Unfortunately cyber security is about managing the squishy parts of the IT system too... and securing your people comes with challenges that have nothing to do with technology, which your IT team can't fix on their own.
First things first:
If you don't know where to start writing a cyber security policy, I’ve written some templates in collaboration with solicitor Alasdair Taylor, which you can find here. Basically, if you want people to act the way that you want them to, the first step is deciding what you need and communicating that to your employees.
Of course the scope of these tasks depends on the size of the business and the amount of time available – just like technical cyber security measures, the cost of implementation needs to stay within budget. It might be more difficult to evaluate cost when considering this type of security measure, but it's always worth considering which human interventions are available as options for reducing risk.
Why? Because these decisions will typically end up being your last line of protection if the technology hasn’t plugged all the gaps in your security fence.
People choose the secure option when that’s the easy option.
If you're struggling to get your people to act more securely, it's usually not because they don't understand; it's because something in the way they work is inadvertently incentivising them to ignore your rules.
Why are employees finding one cyber measure easier to live with than another?
The way the IT system works, the pressure they're under to get their work done, or even an obstacle created by a technical cyber security measure, might be leading them to bypass the business's IT infrastructure entirely in favour of their own choice of IT provider (what is usually called shadow IT).
Another example might be when one specific team seems not to be getting any more secure. The number of issues IT has had to deal with everywhere else in the business is falling, but in that one team the employees are making the same basic mistakes over and over again.
When you're trying to understand why someone’s choosing not to do cyber security, the key is to look at what is costing them in terms of time and what that might be stopping them from doing.
The perfect example of this is password management. Creating one strong password is easy. Managing the 50-100 passwords any IT user has been lumbered with, in a way that doesn't make them easy for attackers to guess or reuse across sites, is extremely challenging without help such as a password manager or single sign-on. Sometimes employees need usability more than they think their employers need security, and if you don't give them a usable way to comply, they will find an unusable rule's workaround for you.
If nothing else, this article should have convinced you that securing your people is a challenge that writing rules and telling people about them can only begin to address.
Moving to a culture of security recognises that helping people become more secure is about lots of small tweaks and nudges... And sometimes having to revert to old processes because the new ones disrupt some undocumented practice that the business relies on.
Teaching people that cyber security is a process of ongoing improvement takes the pressure off them to be perfect, and so may give them the courage to report their mistakes in time for you to fix them. In addition, a mind-set of constant improvement may improve their ongoing engagement with the information and advice you supply, meaning that a greater proportion of your employees remain aware of evolving security threats.