“Have you tried turning it off and on again?”
The iconic catchphrase from The IT Crowd struck a chord with misunderstood IT professionals everywhere, because in so many organisations the role of the IT department is misunderstood. Cyber security is often seen as something for “IT” to worry about, not sales, marketing, HR or any other department. However, in order to have watertight defences (or as close to that as possible), all staff need to be engaged in a data security culture: an attacker only needs one person in any department to click the wrong link, so the defence has to be as wide as the organisation.
- Is training enough? A well-intentioned first step is usually training, whether in-house or delivered by external consultants. Training is certainly better than nothing, but the benefits tend to fade over time as staff forget their meticulously written notes. Unless security practices are embedded into everyday activities, they will eventually fall out of habit. If a crisis occurs (loss of servers, malware, a power outage), staff may well become flustered and all of their training goes out of the window.
- Embed your training. Running ethical hacking and penetration testing exercises against your own staff might not sound very ethical, but frequent, realistic testing is one of the most effective ways to embed best practice, because it rehearses the decision at the moment it matters rather than in a classroom. Simulations, deliberate (and authorised) phishing campaigns or monthly test questions can help keep data security habits fresh, provided the results are used to coach staff rather than to punish them; otherwise people stop reporting the emails they do fall for.
- Create a security culture. The only way to ensure that your staff are your biggest security strength, not your biggest weakness, is to engage everyone. Every member of staff with access to a device has the ability to report suspicious activity as well as to fall for a phishing email. Good “digital hygiene”, such as using strong, unique passwords (changed promptly when a compromise is suspected, rather than on a fixed schedule that encourages predictable variations), switching on multi-factor authentication where it is offered, keeping firewalls enabled and installing updates promptly, can make an organisation’s cyber defences far stronger than an IT department can achieve in isolation. By encouraging good cyber practice for all, IT becomes less of a mysterious land of wires and acronyms (DDoS, SaaS, AWS and IoT to name but a few) and more of an integral part of operations.
- Have a reliable, independent communications channel in place. No one can follow the instructions if they don’t know what they are. According to the BCI Cyber Resilience Report 2018, the most common secondary effect of cyber security incidents is loss of telecoms, suffered by 36% of respondents. In order to engage all staff in the incident response and empower them to make the right moves, an alternative to the usual channels (such as email and landlines, which may themselves be unavailable or compromised during the incident) needs to be in place before it is needed, and staff need to know where to find it. Gatwick Airport discovered this the hard way after being left with nothing but whiteboards to inform travellers during an IT outage.
Creating a culture of cyber security and involving people from every department and level of seniority is not easy, nor will it happen overnight. Staff expect the leadership team to set the example, and yet a study by the National Association of Corporate Directors found that only 14% of board members expressed a deep knowledge of cyber security. However, getting all staff on board and empowering them to be part of your digital defences will make an incident less likely and recovery quicker. In a truly resilient organisation, no technophobe gets left behind.
YUDU Sentinel is an app-based crisis communication platform for the management of fire, terrorist and cyber attacks, or any other critical incident. Crisis managers have immediate access to independent two-way communication (SMS, voice, email and in-app messaging) and can view key documents on their mobiles. Sentinel is a cutting-edge crisis management tool. Find out more at www.yudu.com/sentinel or contact us on Twitter @YUDUSentinel.
This blog was written as part of the London Digital Security Centre’s Cyber Theme – Engaging Your Staff.