By Jeremy Swinfen-Green
Most people would agree that employees are the greatest threat to cyber security faced by organisations. By some counts* around 2/3rds of breaches involve a non-malicious insider in some way.
And yet, many organisations fail to take internal cyber threats seriously. They pay lip service to the solution, perhaps feeling that “awareness training”, often focussed on avoiding phishing scams, is sufficient.
Or at least sufficient to avoid an accusation of negligence by regulators.
The reality is that training on its own will never be sufficient to protect an organisation. A more holistic approach to managing human behaviour is needed. This approach can be divided into 6 separate areas:
- Deciding what to protect, and what to protect against
- Deciding how to protect it (i.e. identifying how you want people to behave)
- Explaining to people how you want them to behave
- Promoting continuous awareness of these behavioural guidelines
- Motivating people to comply with the guidelines
- Monitoring their behaviour
What to protect
The classification of information underpins any cyber security strategy. No organisation can protect all the information they hold. It is necessary to classify information so that decisions van be taken about both how it should be protected and how much effort should be expended in doing this.
Take websites. The amount of effort you take will depend on the purpose of the website. If it is takes a significant proportion of your sales, then you may well prioritise protection. If it is merely a marketing website, then you may prefer to prioritise other assets.
You also need to decide what to protect against. Websites again: The focus is likely to be on protecting access e.g. by protecting against DDoS attacks (you want people to be able to reach it) and integrity by protecting the Content Management System against unauthorised access (you don’t want hacktivists altering it), rather than on confidentiality (because it is a public document).
How to protect
You also need to decide how to protect your assets. There will be a number of solutions such as encryption or access controls, but all of these solutions need to be tested against the way people work.
For most people, the main focus of their job isn’t “maintain cyber security”. It is “sell widgets” or “hire graduates” or “analyse profitability”. Cyber security comes a poor third, at best after (one) the day job and (two) having a cup of tea.
Any security solutions or processes you put in place must be simple and intuitive to us. Most importantly, they mustn’t get in the way of people undertaking their day job efficiently. The way to ensure that your security solutions are “usable” is to run simple observational tests to evaluate how people cope with the security processes you are proposing. Modify your processes on the basis of these tests, to ensure they are as invisible as possible.
Explaining the rules
When you are content that the processes you have put in place are usable, it is time to codify them in an end user policy document. This shouldn’t be a complex 50-page tome that details every aspect of your processes. If it is no one will read it.
The policy should be one of the tools you use to change behaviour. And for it to change behaviour you need people to be able to read it and understand it. Keep it short (no more than 2 pages), rigorously exclude any jargon, and explain the “why” as well as the “how” you want people to behave.
A document won’t be sufficient though. Even short ones will get ignored by most people. You also need to provide people with appropriate training, ideally face to face training so that they can ask questions.
Keeping the guidelines “front of mind”
You can transmit knowledge with training. But you have no guarantee that people will remember what you have told them during the hurly burly of every day work life.
To ensure that people have a chance to remember how to behave safely you need to conduct awareness campaigns. These are internal marketing campaigns designed to remind people of the behavioural guidelines you have set.
Prompting the right behaviour
Even if people are fully aware of how to behave safely they may choose to behave differently. (Have you ever broken the speed limit when driving?) Motivating people is difficult. A combination of sticks and carrots (generally with far more carrot than stick) can work but it is important to understand what drives people’s behaviour.
There is plenty to learn from marketers here. Social proof can be a powerful tool (“90% of people behave this way”), as can supportive messages from authority figures (not necessarily the CEO – the newest intern may be very influential when it comes to technology). Having a likable messenger is also helpful: which is why so many security awareness campaigns use cartoon figures.
Take care to focus on people who are actively unengaged with security – people who say it is unnecessary for instance, as they can cause enormous damage if they are allowed to spread their message.
Unless you monitor how people are behaving you cannot know whether you are succeeding in changing the way people think and act. You can of course question people face to face or in surveys but there is the danger that people will tell you what they think you want to know (“Of course I never share my password”.)
More useful are group discussions where people can be encouraged to debate issues freely. This can be supplemented by simple observation of behaviour on the shop floor such as the implementation of lock screens after a short period. Ultimately though you will want to identify some “hard” KPIs that are reflective of secure behaviour such as number of reports by employees of suspicious events, number of times employees attempt to access blocked websites, and number of times employees fall for fake phishing emails, and password scans to measure average password strength.
An impossible approach?
Using this holistic, six factor approach to keep an organisation secure from employee error is a major task. It is a task that is likely to require larger resources than most CISOs can muster, and indeed may well be a task that is outside their skill set.
That isn’t to say that it is impossible though. Security teams should be empowered to work with functions across their organisation, especially including HR and marketing, to deliver the education, awareness and motivation that will drive increased safety through the promotion of safe behaviour.
*2016 Cost of Insider Threats, Ponemon Institute, available at https://dtexsystems.com/cost-of-insider-threat-ppc/ (registration required)
The author, Jeremy Swinfen-Green, is the Director of Consulting at TEISS Cyber Security. You can follow them on Twitter @jswinfengreen and .