Business Reporter

Building cyber-security, people first


Rachel Banks at Apogee Corporation explains why it is essential to put people and communication at the top of a layered approach to cyber-security

 

As security requirements become more stringent and demanding, any organisation can easily fall into the trap of treating compliance as a tick-box exercise.

 

Yet, while policies and procedures are undeniably important, there is so much more to cyber-security than specific technical controls and written rules. Organisations need to be doing more than meeting only the basic requirements of insurers and auditors.

 

For many businesses, the human impact only becomes clear when they experience the devastating effects of a cyber-attack – and witness first-hand the toll taken on employees, customers, and other stakeholders.

 

Many SMBs subjected to a severe cyber-attack never fully recover, leading to job losses and, in some cases, to closure. In public sector organisations, the loss of confidential data and the inability to provide vital services are frequently very damaging to the wellbeing of hundreds or thousands of people.

 

As cyber-attacks have evolved in sophistication, it has become obvious that security requires investment in layered defences and the right tools. Businesses and public sector institutions must have access to expertise and technology that enables them to stay ahead of the highly inventive and increasingly well-resourced cyber-crime gangs.

 

Cyber-crime has been made easier by the new era of hybrid working, the increased sophistication and use of employees’ own everyday devices to access company networks, and the resulting growth of IoT, all of which have vastly extended the attack surface for malicious individuals or groups intent on extortion or havoc.

 

They only need one success in breaching defences to achieve their aims, whereas an organisation must defeat every attempt to get inside its perimeter.

 

People: top of a layered approach to cyber-defence

Layered defences are essential because no single technology is effective against every threat. Yet total reliance on technology is inadequate as a sole approach and is itself part of the tick-box mindset. Security is, in fact, very much a people-centred topic.

 

This year’s Verizon Data Breach Investigations Report, for example, finds that the human element features in 74% of all breaches, through errors, the misuse or theft of employee credentials, and the continued growth of phishing and social engineering. Social engineering is significantly on the rise, frequently with crafted emails that put pressure on specific employees, forcing them into an error that will provide criminals with credentials, cash or entry into otherwise secure systems.

 

Verizon estimates the average amount stolen in just one of these attacks, if successful, to be the equivalent of approximately £41,000.

 

Although people are where many organisations are vulnerable, senior leadership teams are ill-advised to see employees as a security problem. Any member of staff can make a mistake, such as sending an email to the wrong address.

 

Everyone in an organisation must be part of its layered defences. Each member of staff should feel they share responsibility for cyber-security, rather than regarding it as purely an IT matter.

 

Uplifting cyber-culture

The nature of today’s threats means organisations must now build a strong and inclusive security culture that prioritises a human focus and effective communication at all levels, from the boardroom down.

 

This culture uplift is not a one-time endeavour but a continuous journey that requires concerted efforts and collaboration. It can only be achieved with greater cyber-security education and awareness across the business.

 

Organisations must, therefore, be prepared to constantly adapt to new ways of thinking, avoiding an overly narrow focus on technological security and compliance by taking the bigger picture into account.

 

As the traditional security perimeters dissolve, it becomes imperative for companies to integrate cyber-security into the very fabric of their workplace culture. Crucially, they must also put employee wellbeing at the heart of their incident response processes, ensuring staff remain resilient and well-supported, even when a crisis hits.  

 

Education and training are essential. The most effective initiatives embed far-reaching behavioural change across the hybrid workplace by promoting a security-conscious mindset among all employees. In many cases, seeing really is believing, so organisations should provide visual demonstrations to employees to offer them a graphic understanding of their role in maintaining a secure workplace environment.

 

This more holistic, multi-layered approach to cyber-security should begin with a comprehensive cyber-health check or gap assessment. Partnering with a service provider can be helpful, as the right partner will conduct a thorough investigation of the organisation’s current security landscape beyond physical endpoints, identifying areas of vulnerability and determining specific requirements and priorities.

 

This process can then be the foundation for developing a recurring managed service, which provides ongoing protection.

 

A single layer of protection is no longer enough to safeguard the extended security perimeters of today’s organisations. Businesses can now strengthen their defences by taking the initiative to ensure everyone has training that is constantly updated and stimulating. This will ensure that organisations are well-equipped to navigate the many risks and opportunities.

 

Cyber-criminals are always on the prowl, and security must always be more than the bare, tick-box minimum. By ensuring employees are fully included through training, regular updates and a programme of awareness-maintenance, organisations will significantly reduce the risks they face and be much better placed to seize the opportunities.

 


 

Rachel Banks is Head of Product Management at Apogee Corporation

 

Main image courtesy of iStockPhoto.com


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543