Cyber security is everyone’s responsibility. As human beings, we are naturally cooperative, thriving on collaboration and shared success. This sense of togetherness not only strengthens our communities but is also vital for building robust and efficient organisations in the face of increasing cyber threats.
In this article, we will explore how employees play a crucial role in effective security strategies and contribute to human risk management. We will discuss the importance of fostering a company culture where cyber security is viewed as a collective responsibility, and how pulling together in one direction can help create a cyber-safe organisation. However, achieving this requires thoughtful planning and preparation to ensure that everyone understands their role in modern cyber security threat control.
Cyber Security Is About More Than Technology
Security attackers look for an easy ride; after all, why make life hard for yourself? The ‘easy ride’ comes in the form of cyber security attack scenarios that make use of a human being, usually an employee or business associate, to open the door to the corporate network.
Typically, cybercriminals use social engineering techniques and phishing to get inside the network, and once inside, cyber attackers can feast on data, install ransomware, and cause general havoc.
Researchers at Stanford University found that 88% of security breaches had an element of human error, with employees often unwilling to admit mistakes. The report also identified phishing emails as the cause of 25% of breaches, with phishing scams catching out employees through social engineering and psychological tricks that manipulate behaviour.
Compounding the success of the human element in cyber attacks, traditional security tools such as anti-virus software have been shown to be only 50% effective at detecting threats. This double-whammy of social engineering, coupled with less than 100% effective security technologies, has led IT teams to recognise that they need a more holistic approach to protecting resources.
Security professionals therefore know that to take on cyber attacks they must combine Security Awareness Training with technological measures, led by robust policy enforcement.
Ultimately, everyone in an organisation has a part to play to create a protective layer against cyber attacks. The use of five core values helps to cement the responsibility of everyone within a company.
Create A Responsible Cyber Security Mindset Through Five Core Values
Recognising that cyber security is everyone’s responsibility, and that employees are a crucial part of an effective cyber security strategy, leads to the concept of the human firewall. This idea is based on enabling employees to act as a shield against human-focused cyber threats.
Employees are a target of cybercriminals looking for easy ways into an organisation. Effective and actionable responsibility requires the tools to protect against attacks that focus on employees; an empowered employee reduces the likelihood of a successful attack.
Building a robust human firewall requires a change in mindset. This mindset shift creates a culture of cyber security, built upon good security education together with tools and measures that give employees and non-employees alike the means to help detect and tackle phishing and other scams such as Business Email Compromise (BEC).
This security-first mindset is upheld by the National Institute of Standards and Technology (NIST). A 2018 NIST publication “Security is everybody’s job” sets out five core values that are used to create a cyber security culture that NIST deems “critical” to a successful cyber security posture:
1/ Core Value One – Mindset
NIST says that a culture of cyber security is fundamental to imbuing the entire organisation with a security-first mindset. This foundation stone of enterprise security sets the scene for better security through awareness of the tricks and scams that lead to data exposure, ransomware, and other security breaches.
2/ Core Value Two – Leadership
The tone for security responsibility must come from the top to encourage and enforce the security mindset needed to thwart cyber attacks.
This top-down leadership in security is being formalised, as Gartner, Inc., predicts that “by 2025, 40% of boards of directors will have a dedicated cyber security committee overseen by a qualified board member.” Leaders should lead by example, and act to influence and model good security habits.
3/ Core Value Three – Training and Awareness
NIST recognises that a fundamental building block of a secure organisation is to implement Security Awareness Training. By educating employees on social engineering tricks and training them to spot phishing emails, employees can ‘slam the cyber-threat door’ in the cybercriminal’s face.
4/ Core Value Four – Performance Management
The goals of the organisation must align with individual performance goals. NIST suggests using incentives and disincentives to help modify poor cyber security behaviour.
5/ Core Value Five – Technical and Policy Reinforcement
Technical measures, such as multi-factor authentication (MFA) and password policies, should be used to augment and enforce good security hygiene.
Cyber Security Is Everyone’s Responsibility: Cyber-Safety Through Cyber-Responsibility
Cyber security is everyone’s responsibility. But when you make someone responsible for something you must empower them with the tools to act on that responsibility.
To begin the process of becoming a cyber-responsible organisation, an enterprise must create a culture where security is second nature. Human beings are naturally cooperative, and a sense of responsibility can be cultivated by implementing the five core values from NIST, as shown above.
These values let you underline and enforce a sense of cyber security responsibility and provide employees with the means to meet that responsibility and act as a combined force against social engineering attacks.