Improving an organisation’s cyber security is about changing the way that security is seen by end users and making life easier for them to do their jobs.
Too often security policies make it more difficult for people to carry out simple tasks. If the IT department insists that everyone creates a complex password and changes it every two weeks, people are forced to cheat the system, because it is simply not possible to create and remember a proper password that often.
Instead, people will use variants of one word, which is less safe.
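The pattern described above, a base word with a rotated suffix, is one a defender can check for at password-change time instead of relying on rotation alone. The following is an added example, not code from the original article: a small hypothetical "trivial variant" check that normalises old and new passwords (case, a handful of common character substitutions, leading and trailing digits or punctuation) and flags changes that keep the same base word. The substitution table and sample password pairs are constructed for illustration.

```python
import re

# Constructed, deliberately small substitution table so that "p@ssw0rd"
# and "password" reduce to the same base word.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalise(password: str) -> str:
    """Reduce a password to the one word its owner is most likely reusing."""
    p = password.lower()
    # Strip the leading/trailing digits and punctuation that rotation
    # policies push people to bolt on ("Summer2023!" -> "summer").
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    # Undo common letter-for-symbol swaps inside the word.
    return p.translate(LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with cosmetic changes."""
    a, b = normalise(old), normalise(new)
    if not a or not b:
        return False  # nothing recognisable to compare, don't guess
    if min(len(a), len(b)) < 3:
        return a == b  # very short bases: only an exact match counts
    # Same base word, or one base embedded in the other ("summer" / "summertime").
    return a == b or a in b or b in a


def audit_rotations(pairs):
    """Return the (old, new) pairs that would pass a naive history check
    but are really the same password in disguise."""
    return [(old, new) for old, new in pairs if is_trivial_variant(old, new)]


if __name__ == "__main__":
    # Constructed sample rotations, the kind a two-week policy produces.
    sample = [
        ("Summer2023!", "Summer2024!"),
        ("P@ssw0rd1", "Password2"),
        ("Winter2024", "Summer2024"),
        ("Summer2024", "correct-horse-battery"),
    ]
    for old, new in audit_rotations(sample):
        print(f"trivial variant: {old!r} -> {new!r}")
```

The check is intentionally conservative: it only catches the predictable "same word, new suffix" habit the text describes, and says nothing about strength otherwise. A real deployment would pair it with a breached-password list and, as the article argues, with dropping the forced rotation that causes the habit in the first place.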
Equally, if access to key systems or databases is too restricted, people will share passwords so that those who need the information can get it. Once a password is being shouted across the office it is of no value at all.
Making security everyone’s job first of all means building systems which are easily workable by everyone in the organisation.
Blaming the user as the greatest security risk to the business is no longer good enough.
If people are expected to use dozens of passwords, a password manager is a better way to handle them. Better still, get rid of as many passwords as possible in favour of token or card-reader systems.
The first step to improving security might actually be getting rid of useless and annoying layers of security which don’t make the business any safer.
By making users’ lives easier there’s more chance that you can get them to take real risks seriously.
Removing needless restrictions, like passwords for photocopiers, is a good first step.
If security messages are clear, limited and necessary, people will pay more attention.
Think about endless security warnings some systems throw up about insecure web sites – we quickly become accustomed to clicking ‘continue anyway’ because nothing bad happens and stop reading the message.
IT security needs to be seen as an enabler for the business, not a barrier – if not, people will simply hide what they’re doing.
If security systems are usable and useful, training staff becomes much easier.
It is also important to create a culture where although security is everyone’s job, it is not everyone’s fault when it goes wrong.
Think about rewarding good security behaviour rather than just punishing bad behaviour. Phishing tests are one example of this.
Many organisations send out periodic fake phishing emails to see who falls for them. But instead of shaming those who fail this could be turned into a more positive exercise by rewarding people, or departments, who spot the dodgy emails.
Equally creating a genuine conversation about phishing – even asking people to send in suspicious emails – can help create a feeling that security is about more than just IT telling people off.
By getting users to inform you about other possible security holes you can create a 24/7 testing system for zero cost.
Cyber security teams need to win users over by rewarding them for doing well, rather than only taking negative action when they fail. This will help make security part of the psychological contract between staff and the business.
By seeing security as something positive you can effectively increase the size of the security team to include everyone in the organisation. Creating a culture which is both aware of security but also willing to own up to mistakes or possible problems is a difficult balancing act.
But get it right and your organisation will be best placed to deal with whatever the next wave of cyber attacks looks like.