Take a look at any newspaper from the past year and you are likely to find some terrifying facts about cyber security, generally related to massive data breaches by trusted companies or revelations about spying on citizens by friendly and not-so-friendly governments.
It’s no revelation to anyone in the IT business that information held on computers and servers regularly ends up in the wrong hands or goes missing. We’ve spent decades putting in place ways to manage systems in a predictable and authorised manner (hello ITIL) and wrapping good risk-based controls around them to help prevent things from going wrong (good to see you ISO27001, howdy the IASME Standard). These have had a great impact and have made many companies much more secure as a result.
What we must not forget along the way is to tell the rest of the business that they should care about security too.
The government is seeking to increase skills in the cyber sector and has launched a range of initiatives to get more young people skilled up in the technical areas of cyber defence. The government is fairly good at getting the ‘technical bits’ of cyber security right, and it leans on its technical security arm, the Communications-Electronics Security Group (CESG), for much of this.
A lot of these technical elements have made their way into the basic standard for cyber security, Cyber Essentials, which is a really good starting point for many companies on their journey towards better security.
What is equally important in the wider approach is to give ordinary employees within companies practical knowledge and skills in cyber security, and that includes managers, directors and general staff. Basic errors by employees, such as sending emails to the wrong recipients, losing USB sticks that were never encrypted and using weak or default passwords, make up the vast majority of all data breaches reported to the ICO.
It is these sorts of cyber incidents that can cause significant harm: to the individuals whose data is lost, through fraud and identity theft, and to the organisations themselves, which may lose their competitive edge if product plans or pricing information end up with competitors.
It is these low-level high-volume incidents that gradually wear away at the population’s trust in online services and decrease the competitiveness of the wider UK economy.
So how do we fix it?
The good news is that most employees are now pretty aware of the threat of data breaches (if less so of the technical details of hacking), and thanks to the explosion of social media some have grasped the notion of keeping safe online. The key is to tap into that basic idea of good practice at home, expand on it and bring it into the workplace.
It’s important to have a clear figurehead for the messages about cyber security within your organisation. Ideally this shouldn’t be the IT department, because staff are weary of the lists of dos and don’ts that many IT teams will have sent out previously. HR teams work well as a source, not least because they are linked to pay (a source of motivation) and policies, and are often involved in existing training. In the right company, finance or even marketing can work as the source.
Put out clear messages from the figurehead that set expectations on security, and keep staff updated on recent trends and incidents, perhaps via email, the intranet or regular team meetings. Communication with the figurehead must be two-way: staff should be able to ask questions about topics and also to report security incidents.
Regular staff training is a great way to get people on board with your security initiative. One approach is to train directors and managers in cyber security and use them to carry the message to the wider staff via an awareness campaign. A more comprehensive method is to provide two levels of training: practical, day-to-day advice for general staff, and strategic advice for decision makers. Use online training to support rather than replace face-to-face interactive training.
And don’t forget the Data Protection Act (DPA). Most companies have training on this already, but a lot of it seems rooted in the late 1990s, meaning it doesn’t fit the wider picture of cyber security and is frankly dull. Why not refresh your DPA training so that it fits the current risks your company faces and your wider approach to security? After all, most of the principles used to protect personal data under the DPA apply equally to all your other data when viewed through the lens of cyber security.
What should we be skilling staff to do?
Most of the skills and messages needed for general staff might look obvious to many who work in IT, but the truth is that most of us don’t actually follow this good practice ourselves. The key is making advice practical and approachable. The average person has very little time in their day to mull over the cyber risk of each of their activities, so making advice appropriate to the organisation, and to some extent prescriptive, is key.
If all the staff in your organisation had the following six things in mind during each day, you can bet your risk of a data breach would be significantly lower:
- Remember that data has a value, both in financial terms to criminals and hackers and in terms of the harm that could be caused if it were lost or damaged. Treat customer and company data with the same care you would expect a company to take with your own private information. Think of the impact on you if your cloud provider lost all of your family photos or accidentally posted your private documents on social media.
- Understand that people want to steal or damage company data. Be wary of responding to urgent emails with attachments or of entering your login details into an unexpected pop-up window. Consider whether this might be an attempt to steal data, and ask your manager or colleagues for a second opinion.
- Think about how important a particular piece of information is and whether it needs extra protection. A simple data classification scheme, together with a table of actions to refer to, can provide great guidance: if it’s sensitive data then perhaps it must be encrypted before being emailed or sent by post.
- Be prepared to question things. If someone is wandering around the office whom you don’t recognise, ask who they are.
- Think twice before sending out information and verify that the recipient is correct. You can set your email client to delay sending messages for a few minutes after you press send, to give you a second chance if needed.
- When you are out of the office, use a virtual private network (VPN) to keep safe on Wi-Fi hotspots, and be more aware of your privacy and security in public places. Keep laptops and tablets with you at all times in your hand luggage; don’t leave them in the car boot.
Turning these sorts of basic principles into practical advice that suits your organisation requires some work, but not really that much. A few afternoons in meetings and the odd heated discussion on the details, and most companies will have some great practical advice to share with their staff that fits their working environment.
And that’s a lot better than weeks of late nights spent trying to resolve the headache of a data breach.