Don’t overlook the human factor
By Alexandra Payne, Head of Global Security Services, AstraZeneca
Conversations around cyber security are usually centred on the technology aspect – something which seems only natural given that the discipline is focused on preventing IT systems from being exploited. However, many organisations tend to put the human element of security at the bottom of their priorities list.
With most security incidents either resulting from human error or social engineering techniques designed to exploit users however, overlooking the human factor can be one of the most serious security mistakes any organisation can make.
Why are people overlooked?
Most security decision makers come from highly technical backgrounds and a soft discipline such as changing human behaviour is often simply not on their radar. Similarly, human behaviour is an unknown quantity and can be a much harder area to predict and define than areas such as network or email security. There are no easy answers or quick fixes.
While it may seem more straightforward, investing in the latest technology can be a colossal waste of money if you haven’t invested in the human side at the same time. Having both elements together creates a powerful force multiplier that will be far more effective than either side alone.
One of the biggest challenges is the balancing act between security and usability. If security solutions and processes are seen as too complicated or onerous, many users will simply find a way around them.
For example, in a previous role we implemented a BYOD (bring your own device) programme which required all authorised devices to use long, complicated passwords. Before long I had a call from an irate salesperson who was angry that he couldn’t input such a difficult password while he was on the move. It’s common to find convenience trumping security for most daily activities.
Similarly, it’s common to find that workforces with overbearing security setups for their work emails will simply send files through their personal accounts instead, and it should be remembered that there is no such thing as a totally secure system when it comes to internal user behaviour. Even the tightest data loss prevention set-up could be side-stepped by taking a photo of a confidential document with a smartphone.
However, it should be recognised that the human side of security does not necessarily mean guarding against malicious insiders. While the insider threat is a problem, most companies will face greater risks from simple human error that expose data or create openings for attackers.
How do you improve awareness?
Creating the kind of security-centric business culture that leads to better awareness and behaviour won’t happen overnight. I would say you need at least three years to start seeing real results. Simply booking an annual training session may tick a box on a security compliance list but it won’t have any real impact on the organisation’s security.
Instead, improving behaviour requires on-going activity that actively engages with the workforce so that they consciously consider how their behaviour impacts the company’s security.
I find one of the most accessible ways to think about security awareness is to compare it to traditional health and safety campaigns. If a worker notices a colleague acting unsafely – for example failing to anchor a tall ladder – it would be completely expected that they might call out the bad behaviour or even report them. By the same token, employees need to recognise insecure behaviour among colleagues and take appropriate action.
Indeed, organisations struggling with where to begin on their security awareness programme may consider tying cyber issues in with more traditional health and safety training. Dovetailing the two fields can make security more accessible for less technical employees, while also ensuring they are not overloaded with different awareness campaigns.
Attempts at improving security behaviour are also likely doomed to failure without buy-in from the top. Senior executives will be holding the purse strings for any awareness campaigns, but equally importantly they serve as leading role models to the workforce. People will be looking upwards, and if it’s apparent that the CEO is sending confidential data from his Gmail account or throwing restricted data in the bin, it will be hard to motivate staff to improve their behaviour.
By combining a solid investment in security technology with a workforce that is aware of the risks and the importance of their own individual behaviour, organisations will have a security strategy greater than the sum of its parts.
By Alexandra Payne, Head of Global Security Services, AstraZeneca
