Cyber UK is the UK government’s flagship cyber security event. This year, Cyber Scotland Week is hosted by the National Cyber Security Centre (NCSC), and features world-class speakers, solutions and a combined idea sharing between the public and private sectors. Discussions are taking place on the evolving cyber threat and how we must respond as individuals and as a community to keep Britain safe in cyberspace.
To celebrate Cyber UK 2019 – we’re joining the conversation with an analysis from our experts on the human firewall.
The human firewall
Transforming the workforce from being the ‘weakest link’ in an organisation’s security chain into a ‘human firewall’ is arguably the most powerful way to protect business from cyber security threats. This presents a significant opportunity to drive a cultural shift (that will pay substantial dividends) in addressing an increasingly important area of risk more effectively.
The scale of the cyber security threat in the UK
This week it was revealed that more than half of British firms have reported cyber-attacks in 2019. This latest research by Hiscox found that 55% surveyed (5,400 small, medium and large businesses across seven countries) had faced an attack in 2019, up from 40% last year.
The latest Information Security Breaches Survey published by HMG in 2018 (in conjunction with PwC) further reveals the scale of the cyber security threat in the UK. Amongst the key findings are that over two in five businesses (43%) identified breaches in the last 12 months. 65% of medium/large businesses identified cyber security breaches or attacked in the last 12 months. One in five charities (19%) – surveyed for the first time in 2018 – identified a breach. Among these, the most common were:
- Staff receiving fraudulent emails (75% of businesses and 74% of charities experiencing breaches
- Others impersonating the organisation online (28% and 27%)
- Viruses and malware (24% and 24%)
Cyber security is everyone’s responsibility
Once more, the key take-away from the survey is the proportion of security incidents that were “staff related”. A lack of staff awareness and vigilance led to seven in ten businesses (70%) and nearly six in ten charities (57%) think the staff dealing with cyber security are capable of doing so. Alarmingly of this category, few staff have cyber security training (20% of businesses and 15% of charities) or have cyber security policies (27% and 21%).
The report concludes that employees are directly responsible for 27% of all cyber security incidents. It is clear that staff represent the soft underbelly of the security regimes of many organisations.
Should that come as a surprise? Probably not – over the past few years it’s been highlighted the impact of employees on data breaches. Specialists in the field will tell you that there are three main factors in play here. One is obvious, namely the proliferation of smartphones, tablets and other mobile computing devices which are increasingly being used for work related tasks and which are readily susceptible to loss or theft, potentially resulting in sensitive data (or user profiles enabling authentication to corporate networks) ending up in the wrong hands. Two others are less obvious and more systemic in their nature, making them trickier to address.
The shift in cyber criminal methods
The first is that there has been a significant shift in the modus operandi of cyber criminals. As technology-based defences to the perimeters of networks have become more effective (and therefore harder to penetrate), cyber criminals have sought easier ways into organisations – by exploiting human weaknesses.
For example, well-constructed and cleverly targeted phishing scams are increasingly providing cyber criminals with much easier avenues into organisations than attempting to hack into well protected networks and systems. The result of this shift is an inevitable surge in the number of incidents falling into the “staff related” bucket as innocent users fall for the tricks that are being deployed by attackers – unless, of course, users are trained effectively in how to spot and resist such trickery.
The technology-centric approach to security
The second relates to the technology-centric approach to security that still prevails in the majority of organisations. Historically, cyber security has been perceived as “an IT thing” and, by and large, the IT function has been responsible for implementing the organisation’s response to this new landscape of risk. Not surprisingly, this has resulted in the lion’s share of the security budget being allocated to implementing technical defences.
Unfortunately, this misses the point that no amount of technology can prevent the vast majority of staff-related security incidents. And if our biggest threat is human error, then there is clearly a mismatch between where the investment is going and where the risks truly lie.
The HMG survey found that the vast majority of respondent organisations deliver security awareness training to their staff. However, given the prevalence of staff-related incidents, the question arises of how effective that training actually is. Would a reallocation of a portion of the budget from technology to more or better training yield a greater “security dividend”? Probably. But such a shift is unlikely to be championed by the IT function who (not unnaturally) see technology as the answer: if change is to occur, it is likely to require a proactive drive from HR.
Championing a human firewall
A knowledgeable, vigilant and well-drilled workforce can be a highly effective “human firewall” sitting alongside the technical lines of defence. As effective cyber security is increasingly about people issues – behaviour, culture and training – it is time for HR to promote a more holistic, multidisciplinary approach to cyber security. By driving a shift in focus that places a much greater emphasis on the people issues, HR has the potential to play a key role in addressing what the World Economic Forum has ranked as one of the top five risks facing the global economy today.
If you’re interested in finding out how we can help your organisation train your employees in Cyber Security awareness and protect your business, get in touch today. You can reach us through our contact form, email us at firstname.lastname@example.org or give us a call on +44 (0) 207 323 9775.