A theme that underscores cinema’s modern sci-fi classic, The Matrix, is the underlying fear that technology makes us humans redundant: it plays on our innate worry that the future is beyond our control. Today this insecurity is very real – and our approach to cybersecurity shows how our own ignorance and helplessness feed this anxiety.
None of this is new. Government and security organisations have spent years advising companies to patch and update their operating systems and third-party applications, restrict administrative access and use malware defences. But this general advice seems to miss the bigger truth – that people still have the largest impact on a company’s IT security.
If this is the case, then there is hope – that by focusing on the human factor of the issue, the majority of information security threats can be dealt with successfully and without additional IT investments. We provide here a practical approach to how to achieve this.
Information security is about more than just … information. As our lives go digital, so do our vulnerabilities. The rising number of cyberattacks increases the possibility of significant damage. The ransomware attacks on the NHS in the past few days make clear that the costs involved can go well beyond money – with patients’ lives and well-being at stake. The data breach of the infidelity web service Ashley Madison shows how reputation – in this case of a company as well as its clients – can be destroyed in an instant. The hacking of electoral campaigns in the US and more recently France suggests cyberattacks could even swing major world events.
A hack into the average firm’s IT systems is unlikely to ripple as wide as these examples, but most people still fail to grasp how pervasive this issue has already become. The convergence of digital, mobile and industrial technology generates and stores data well beyond the confines of traditional IT infrastructure. Opportunities for a breach are coming from places that may not be immediately obvious. For example, an oil service company can perform real-time analytics at a remote client location where drilling is occurring. The data centre might be a van, moving from well-head to well-head, carrying confidential client data around. All it takes is the wrong use of a USB drive to create a major operational and reputational data breach.
So, what are the biggest vulnerabilities a company must consider to protect itself?
Know this: your IT system is only human. Plenty of studies consistently show that over 70% of all data breaches result from human error. And if human error – simply defined as a knowledge gap – becomes a company’s biggest IT vulnerability, managing employee behaviour becomes critical to minimising information security risk. Yet not enough attention is given to this.
Obvious examples of human error include incorrect IT configuration set-up, or employee failure to comply with the control systems that have been put in place. Technology is not second nature to most people. So even a partial implementation of system guidelines or security protocols can have a huge detrimental impact on cybersecurity.
“The answer to minimising cyber threats is not to throw cash at yet more software.”
Many successful security breaches are down to internal exploitation. A hacking technique known as social engineering – the art of manipulating people so they give up confidential information – is predominant, yet at its heart it is as old a trick as it gets. IT experts can tinker with a system until it feels as airtight as a submarine, but it takes just one person to fall victim to the prowling social engineer to spark a major breach.
Another recurring statistic: of all the companies that are hacked, about three quarters take no action. And only 20% of UK and US companies have director-level involvement in the review of information security risks. This may change due to new upcoming punitive rules under the General Data Protection Regulation (GDPR) for those who don’t do enough to protect data – yet much of this inertia is driven by the lack of a practical approach, a governance failure to involve decision makers, and a tendency to think of cybersecurity only as an IT issue rather than a business issue.
The real changes required to reduce the risk of data breaches
So what can one do? It is extremely difficult to keep a determined hacker out of someone’s system. But if the large majority of data breaches are due to human error, then a company can do plenty to minimise the risk significantly – without throwing cash at yet more software.
“At a practical level, it is critical to ensure alignment between systems, policies, compliance and reporting.”
Reducing the risk of data breaches calls for a change in focus. Investing in systems and technology remains a prerequisite. But without a solid strategy to tackle the people element, information security is like fixing a cracked pipe with sellotape: at some point it will breach under pressure.
Threats are more manageable if a company’s employees understand them. A strong change management approach to generate awareness, deliver training and give education will eventually do the trick. To begin with, the leadership team must be behind these efforts, and make people understand that this is a business issue – not an IT problem.
At a practical level, it is critical to ensure alignment between systems, policies, compliance and reporting. Systems provide the ability to deploy specific defences, but policies dictate how people should use them and behave. If a policy is either not specific enough or not adequate to a given operating environment, there will be gaps in compliance even before anyone fails to follow the instructions. The more complex an organisation, the more a general policy will need to adapt through a variety of sub-policies and amendments. For example, different sub-policies are required to handle CRM information in the US vs. China, where the definition of confidential information is materially different.
Compliance is about ensuring employee behaviour aligns with policy. Policies must be complete, efficient and up to date. And only by monitoring employee behaviour can good policy changes be made – which could even mean adapting policies to suit employee behaviours. Failure to get employees to comply with policy might be down to environment, lack of training or ignorance about a policy, or deliberate failing.
A detailed understanding of potential gaps between policies and compliance will provide a guide on how to fix leaks by either changing policies, or ensuring awareness and training of those who need to comply. Finally, a strong reporting system – that feeds back issues to the top – coupled with a detailed risk register system, should ensure that appropriate corrective actions are taken swiftly enough.
This focus on policy, compliance and reporting will help a company significantly reduce its cybersecurity threat, without the need for additional spending in software, and may turn a potential problem into a differentiating competitive advantage. In this sense, it is time for us mere humans to stand and fight back.
At nest consulting, we help companies develop a strong and resilient information security culture. We do this by putting together targeted and specific change management programmes that align your information security policies with how people carry them out every day.