IT professionals around the world have some thorough and detailed frameworks and guidelines to use when it comes to developing a robust information security strategy, but there is one thing missing – the human element. The cyber threat landscape is out of control across the globe and organisations can’t seem to get ahead of the curve. Cyber attacks are increasing as cybercriminals are becoming more and more sophisticated and their methods are quite frankly abhorrent. They continue to target our human vulnerabilities and leave a trail of destruction in their wake without a care in the world.
Most organisations have a well-documented cybersecurity strategy. The Australian Cybersecurity Strategy 2020 was released in August with a focus on government, business and the community. The recommendations made are all great, however, achieving the desired outcomes will be challenging if there is no clear way forward as to how we as a nation go about creating a (cyber)security culture to support the strategy.
The missing link is the human element.
Protecting systems and information is the core purpose of anyone working in the information security world, which includes cybersecurity. Yes, some people see these as one in the same and others see them as separate disciplines, but that’s a discussion for another day.
Today, we are looking at the human operating system and what you can do to attract its attention, raise curiosity, get buy-in and have yourself a powerful culture of (cyber)security in your organisation.
Context and understanding are important in this process, so let’s start with some definitions.
Strategy is tangible and visible with clear guidelines. It’s the road map, the plan, the goals, the logical process of taking us from where we are to where we want to be. A place where outcomes are defined and results are measured and managed.
Culture is tacit and elusive in its very nature. It’s often unspoken, based on behaviours, hidden in the thoughts and minds of people. We have all heard things like ‘the behaviour you ignore is the behaviour you accept’ or ‘the fish rots from the head’ or ‘monkey see monkey do’. These sayings can all describe culture. We often see the framework of culture in an organisation’s vision, mission and values which can describe the attitudes they have towards various elements. For example, do they value innovation over tradition?
Observable culture is the way an organisation welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors. It is also the way you go about your day-to-day work when no one is watching which has been highlighted as we moved to a remote working situation in this year of COVID-19.
Strategy is usually an annual event — ‘here is our 2020 strategy’. The road map for the year is clear and hopefully, we all know what our role is in it. Culture, if not defined, is formed by the people, their attitudes, values, unconscious bias and overall approach to the world. Unchecked, group thinking emerges, silos form and if you are not careful, you may find yourself amid a toxic culture.
For organisations that are about to go through a lot of change, it is going to be important for them to understand what the culture-related change is for their people. Do they embrace change, or will they fight it every step of the way? This is the very reason many strategic plans fail because the culture was ignored or dismissed as being irrelevant. Big mistake!
We can have the most brilliant (cyber)security strategy the world has ever seen, and it will never be completely realised if we fail to engage the hearts and minds of the people.
Before we look at how to go about creating a (cyber)security culture, let’s look at the benefits of having one versus not having one. The following examples are situational and are from the point of view of the human, your users and represent what’s going on in their minds.
Situation One – Phishing (malicious emails)
Without a (cyber)security culture | With a (cyber)security culture |
OMG, an email from my bank – looks like someone has tried to illegally use my credit card. I better click on this link and update my password. | Hold on a minute, I know what red flags to look for that could indicate a phishing email and I know that I must not engage with it. I will call my bank to confirm. |
This email looks suspicious, I don’t even bank with them. I’ll ignore it and delete it later. | I need to report this suspicious email to the cyber team. I better not delete it because I know they will want to look into it further. |
Oh no. I don’t think I should have clicked on that. Nothing bad happened – phew. | Oh no. I don’t think I should have clicked on that. I better let the cyber team know straight away. |
IT wants me to change my password again – this is getting ridiculous. I did this last week too. | Hmmm – IT wants me to change my password again and I only just changed it. This could be one of their tricky phishing tests. I think it’s bogus and I will report it using the phish alert button. |
Situation Two – USB devices
Without a (cyber)security culture | With a (cyber)security culture |
**USB found in carpark with ‘payroll’ written on it** LOL – this is going to be good. I’ll take this back to my desk, plug it in and show the guys. | As much as I want to look at this, I am going to take it to the cyber team. |
**Vendor comes in for a meeting and wants to plug in their USB** Yep, I will plug it in and set that up for you. | Sure thing, I will just get the cyber team to scan it first. OR Unfortunately, our cyber policy is very clear with USBs – we can’t use them. |
Situation Three – Working from Home or Remotely
Without a (cyber)security culture | With a (cyber)security culture |
This is cool! Now my kids can use the work computer at home! | I wish the kids could use the work computer at home. However, I know that there are too many risks associated with that. |
I can use free Wi-Fi on my work mobile – this is awesome! | I better make sure the VPN is on before I connect to free Wi-Fi. |
I don’t need to lock my computer at home. | Even though I am working from home, I really need to lock my computer just to be safe. |
Whilst these situations seem second nature to those of us who live and breathe information security and cybersecurity, they are not second nature to everyone else. I can promise you that this is exactly what your people are thinking and doing every single day.
A (cyber)security culture is not just completing training or reporting phishing emails. It’s the unseen and sometimes unmeasurable situations that occur and the subsequent response.
A non-cyber example is driving a car. You don’t get handed the keys and told to drive safely. There is documentation to read and absorb, rules to remember. Then there’s a process of familiarisation with the car itself. Preparing to drive away from the curb involves multiple steps that are hard to remember at the beginning. Your first drive is terrifying. Other cars on the road, pedestrians, street signs, weather changes, the rear-view mirror, side mirrors, accelerate, brake, indicate, clutch, slow down, speed up, windscreen wipers and so much more. It is only after time and practice and testing that it all comes together. Even then, there are constant reminders of the dangers and our role in keeping the roads safe for everyone.
The same can be said for cybersecurity. You want a culture where your people are aware of their responsibility to keep things safe, the cyber threat landscape and the tricks cybercriminals use. You also want them aware of your policies when it comes to keeping everything secure, to understand what is acceptable online behaviour, how to spot the red flags and report any potential phishing emails.
How do you do it?
By taking the time to define your (cyber)security expectations when it comes to the human o/s with these seven (7) questions:
- What attitudes do you expect your people to have towards security?
- What behaviours are you wanting to change or see?
- Do your people have an understanding, knowledge and sense of awareness?
- How do you go about communicating with your people? Do they feel like part of the solution?
- Have you considered and included your people in your policies, and do they know what to do?
- When it comes to the unwritten rules of conduct at your organisation, have you thought to include (cyber)security?
- Lastly and perhaps most importantly as without it you are doomed to fail – do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?
Once you have the answers to these questions, you are on your way to developing your (cyber)security culture. Enjoy your breakfast!
Security Awareness Advocate – APAC, KnowBe4