Human beings are a naturally cooperative species. We feel at home collaborating with others and working on successful projects together. This cooperation, this feeling of togetherness, helps to build more robust and smoother running societies.
Pulling together, in one direction, is also something that can help to build a cyber-safe organisation. However, making everyone understand that this shared responsibility is the reality of modern-day cyber security threat control is another matter.
To get to a place where we can tackle the increasing onslaught of cyber attacks, an enterprise needs to instill a sense that cyber security is everyone’s responsibility. However, how to make that a reality needs some thought and preparation.
Cyber Security Is About More Than Technology
Security attackers look for an easy ride; after all, why make life hard for yourself? The ‘easy ride’ comes in the form of cyber security attack scenarios that make use of a human being, usually an employee or business associate, to open the door to the corporate network.
Typically, cybercriminals use social engineering techniques and phishing to get inside the network, and once inside, cyber attackers can feast on data, install ransomware, and cause general havoc.
Researchers at Stanford University found that 88% of security breaches had an element of human error with employees often being unwilling to admit mistakes. The report also identified phishing emails as the cause of 25% of breaches, with phishing scams catching out employees using social engineering and psychological tricks to manipulate behaviour.
Compounding the success of the human element in cyber attacks, traditional security tools such as anti-virus software have been demonstrated to be only 50% effective at detecting threats. This double whammy of social engineering, coupled with less than 100% effective security technologies, has led IT teams to understand that they need a more holistic approach to protect resources.
Security professionals therefore know that to take on cyber attacks they must incorporate a mix of Security Awareness Training and technological measures, led by robust policy enforcement.
Ultimately, everyone in an organisation has a part to play to create a protective layer against cyber attacks. The use of five core values helps to cement the responsibility of everyone within a company.
Create A Responsible Cyber Security Mindset Through Five Core Values
Recognising that cyber security is everyone’s responsibility, and that employees are a crucial part of an effective cyber security strategy, leads to the concept of the human firewall. This is an idea based on enabling employees to act as a shield against human-focused cyber-threats.
Employees are a target of cybercriminals looking for easy ways into an organisation. Effective and actionable responsibility requires the tools to protect against attacks that focus on employees; an empowered employee reduces the likelihood of a successful attack.
Building a robust human firewall requires a change in mindset. This mindset shift creates a culture of cyber security, built upon good security education together with tools and measures that give employees and non-employees alike the means to help detect and tackle phishing and other scams such as Business Email Compromise (BEC).
This security-first mindset is upheld by the National Institute of Standards and Technology (NIST). A 2018 NIST publication “Security is everybody’s job” sets out five core values that are used to create a cyber security culture that NIST deems “critical” to a successful cyber security posture:
Core Value One – Mindset
NIST says that a culture of cyber security is fundamental to imbuing the entire organisation with a security-first mindset. This foundation stone of enterprise security sets the scene for better security through awareness of the tricks and scams that lead to data exposure, ransomware, and other security breaches.
Core Value Two – Leadership
The tone for security responsibility must come from the top to encourage and enforce the security mindset needed to thwart cyber attacks.
This top-down leadership in security is being formalised, as Gartner, Inc., predicts that “by 2025, 40% of boards of directors will have a dedicated cyber security committee overseen by a qualified board member.” Leaders should lead by example, and act to influence and model good security habits.
Core Value Three – Training and Awareness
NIST recognises that a fundamental building block of a secure organisation is to implement Security Awareness Training. By educating employees on social engineering tricks and training them to spot phishing emails, employees can ‘slam the cyber-threat door’ in the cybercriminal’s face.
Core Value Four – Performance Management
The goals of the organisation must align with individual performance goals. NIST suggests using incentives and disincentives to help modify poor cyber security behaviour.
Core Value Five – Technical and Policy Reinforcement
Technical measures, such as multi-factor authentication (MFA) and password policies, should be used to augment and enforce good security hygiene.
Cyber-Safety Through Cyber-Responsibility
Cyber security is everyone’s responsibility. But when you make someone responsible for something you must empower them with the tools to act on that responsibility.
To begin the process of becoming a cyber-responsible organisation, an enterprise must create a culture where security is second nature. Human beings are naturally cooperative, and a sense of responsibility can be cultivated by implementing the five core values from NIST, as shown above.
These values let you underline and enforce a sense of cyber security responsibility and provide employees with the means to meet that responsibility and act as a combined force against social engineering attacks.