View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Infosec London: The Human Issue Won’t Go Away

“Make them feel empowered and they feel engaged."

By CBR Staff Writer

Slick technology aside, old fashioned employee cyber training was a hot topic on the first day of Infosec London, with CEO and founder of “human risk protection” platform OutThink and former head of IT security at Bank of Ireland, Flavius Plesu, noting inculcating secure behaviour is still one of a security team’s biggest challenges.

This isn’t just in terms of making employees aware of what a malicious link in an email is, or of the damage a phishing campaign can do, although he did note that they must be made aware of the security mechanisms in place. No, a bigger issue is making sure that there are actually willing to comply; and it starts with the right security culture…

(This includes not plugging in gift USBs handed to you by mysterious personages: Ed Tucker, the CEO at Byte TM Ltd said he was gifted one by a “Chinese visitor” to his company’s stand: needless to say, this particular gift looks likely to be opened in a virtual machine and scrutinised curiously for any unexpected behaviour…)

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Flavius commented: “They must have the intention to comply and you need to measure that. If they are disengaged, if they’re under a lot of pressure at work, if you’re laying people off, do you think they’ll get your awareness training or your acceptable use policy? They won’t… If they don’t have the intention to comply they might even do the opposite. They might take some information with them to their next job.”

A risk companies run, says Flavius, is that they can over-complicate the process: “If I’m in this part of a bank and it’s my job to send 100 emails a day with attachments, and you’re giving me WinZip, the encryption tool and you’ve just told me I should encrypt attachments. I have the intention to comply. I believe I can do it.

“But, when I actually sit down and start doing it I realize this is adding three extra minutes per email, 300 minutes a day, that’s five hours. Am I gonna do it.”

“No.”

“I’m simply going to ignore security awareness and all that messaging and all the effort people have put into it.”

Secure Behaviour

Make Employees Take Good Practice Home?

Getting that messaging to stick in the first place is always a challenge for organisations. How do you ensure that workers are going out of their way to have good cybersecurity practices?

This is something that banking and financial services giant HSBC thought about and one of its solutions was to make employees bring cybersecurity practices home with them.

Paula Kershaw CISO for HSBC’s European and UK told the Infosec audience: “This is probably the most important for me. Colleagues develop the knowledge and skills on how to protect themselves, their families and the people that they care about.”

“If we can engage our staff and teach them how to protect themselves by very nature they will then bring that back into the workplace and by very nature we then get that emotional engagement from them and they’re willing to learn.”

To do this HSBC initiated a Cyber Champion Programme last year, which is essentially a cyber hub full of resources such as videos, posters and tip sheets.

Everything is positioned towards building what they call a ‘human firewall’. A key factor in HSBC’s security team’s approach was to make their colleagues feel supported: “Make them feel empowered and they feel engaged,” Kershaw notes.

She believes that anyone can build this kind of organisational culture; that size is not an issue, be the organisation large or small.

For instance HSBC has over 35,000 employees worldwide and they work in eight official languages. They found that once they engaged people, individuals in their own time translated the message across all of the languages and helped to deliver it to the whole company. While they themselves built their internal programme, the free resources to do so are out there and at the end of the day its more about a cultural change than a knowledge change.

Kershaw states: “So set a target, be realistic. And be very clear about what you actually want to achieve, and why?”

And perhaps remind employees not to plug in any strange USB sticks…

 

See Also: University of Bradford Uses HPC System to Build 3D Models of Lost Heritage Sites

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU