As high-profile breaches produce increasing public attention, effective information security is more important than ever. Cyber incidents have a potential impact comparable to natural disasters. It is increasingly insufficient for organisations to achieve the bare minimum required for regulatory compliance – real protection is necessary.
A competent cyber security strategy depends on people, process, and technology. Technical protections have their place but can only do so much to defend against an ignorant or uncaring workforce. For example, the vast majority of notifications submitted as part of the Australian Notifiable Data Breaches scheme (NDB) were caused by direct human error or phishing, which are most effectively combatted by an educated, security-conscious workforce. Too often, organisations attempt a technical solution for a human or procedural problem.
A successful security program is reliant on appropriate policies and procedures but is ineffective without people who adopt and implement them. This applies not only to IT and security staff, who are needed to implement technical controls, but also to the rest of the workforce. It is unfortunately common to think that security is handled solely by a specific department and is not of concern to the average individual. It is crucial for management and employees to recognise both that they are an essential part of the organisation’s security posture, and that security is important.
Although less tangible, a security-conscious cohort is a very valuable asset. Vigilant employees mitigate the most common avenues of attack and data leakage. They are a vital defence against physical intrusion, and greatly reduce its impact. Utilised correctly, they can detect and report phishing attempts missed by technical filters – heading off a potential intrusion and providing the feedback needed to improve the technical filter.
There will always be a spectrum of security understanding within an organisation’s population. It is management’s responsibility to encourage and reward those individuals who have an increased appreciation for security. This positive reinforcement ensures those individuals remain alert and their colleagues are encouraged to improve. Without recognition, the attentiveness of these individuals will naturally drop to the status quo, resulting in a gradual waning of the organisation’s overall security posture. By creating a culture of information security awareness, the weaker individuals (who are the primary human risk) will naturally adopt better habits.
The next instalment in this series will explore specific strategies for achieving improvements to cultural security consciousness.