Why Improving Cyber Security Awareness Isn’t Enough

Every day we hear in the news that there has been a new Cyber Security threat. Every day another big brand brings us news of the latest and biggest attack by Cyber Criminals. But why and how are these types of attacks still happening? Companies are investing billions of pounds in new technology and state of the art controls, yet breaches are up 30% and that figure is climbing.

People can be your strongest or weakest link…

Whether it is lost laptops, compromised credentials, careless conversations in public or clicking on the wrong link, people generally tend to be the most likely source of all your security incidents. This isn’t to say that people are stupid, this is simply highlighting that people have business processes to carry out and therefore cyber security is not necessarily at the front of their mind. The overriding will to get the job done can sometimes lead to security being a much lower priority.

Why is this still a problem in 2017?

As I mentioned earlier, companies have invested billions in state of the art technologies but we often find that this level of investment is not typically matched when it comes to investing in people, culture and behaviour. Simply sending out a communications email, running a seminar or putting up a poster is no longer enough. Truly empowering a work force must go further than this and companies need to wake up to that.

We need to focus on more than just Cyber Security awareness…

Cyber Security goes beyond technology. People are not going to change their behaviour just by reading a poster or attending a 20 minute webinar. To understand the problem we must first understand the culture of the business and “normal” behaviours.

If for example your organisation is particularly friendly this might lead to incidents where people are allowed to walk through a secure door by tailgating unchallenged.

Or if, like most service companies, you are focused heavily on customer experience you could inadvertently develop a culture where shortcuts are taken in order to get an order processed quickly or a customer satisfied instantly.

All of these seemingly innocuous behaviours can potentially lead to a rise in security incidents. This is why it is imperative to ensure that your company gives proper thought not only to data and controls but to its people, culture and processes when adopting a Cyber Security strategy.

Changing security mindsets…

Changing the mindset and culture within in a company takes a long time but is as important as and potentially more critical than simply raising awareness. Companies who understand this are stretching way beyond merely communications and training. These are the organisations who invest more time and effort in things such as role modelling, leadership and balancing incentives with consequences to change the security culture of its people.

By understanding and making changes to culture and behaviour within your organisation you can mobilise a more security conscious workforce. Empowering and enabling the workforce in this way you create a “human firewall” that could prove to be your most efficient defence in the war on Cyber Crime.

Written by Danny Maher

Danny Maher is Chief Technology Officer at HANDD Business Solutions, an independent specialist in global data security