How to create a security conscious workforce, why it is about more than just awareness…

05 August 2016


View Daisy McCartney’s profile on LinkedIn 

Everyday a new cyber security threat emerges. In response to this we have seen organisations adapt their security infrastructure and heavily invest in state of the art technical controls to defend themselves against attacks. However, even with all of these efforts, security breaches continue to dominate newspaper headlines. So where is it going wrong?

People are often the weak link

From losing laptops and documents to clicking on suspicious links and sharing too much information, people are the most likely source of incidents*. Root causes we have seen for this range from simply not knowing what to look for or what to do, to complacency where people see security as someone else’s responsibility or where the control environment creates a ‘false sense of security’. Another key challenge people face is practicality; security measures are often seen as burdensome and this conflicts with business priorities and simply ‘getting the job done’, it therefore becomes low on the list of priorities.

This isn’t a new issue, so why are organisations still not getting this right?

The level of investment in technical controls has not been matched with investment in people and culture. Many organisations have established cyber security training and issued communications, such as posters and emails, advising people for example not to share passwords or highlighting the dangers of phishing attacks. But these efforts don’t go far enough.

It is more than just cyber security awareness…

Human behaviour is complex. Behaviours, and ultimately mindsets, cannot be changed by simply reading a poster or doing a 20 minute e-learn. Though these are important, organisations need to consider the human factor in more depth; why we make the decisions and behave the way we do. For example:

Many organisations may benefit from having a friendly and welcoming culture. However, from a security perspective this may create a culture where people would not challenge poor security behaviours (for example tailgating through secure doors) because it may seem rude even though they know the potential security risk.

Customer focus is critically important to many organisations but this can create a culture where it is the norm for seemingly cumbersome security controls to be circumvented to speed up a task to meet customer demands. Rather than feeding back and working to improve security controls, ‘work arounds’ may be hidden preventing improvement and allowing continued security risk exposure.

Tackling these challenges is about looking at the culture in the organisation and understanding how to influence behaviours to create a secure mindset in everyone. Trying to evolve culture in this way is no easy task, but it can be done.

Changing security behaviours to develop secure mindsets

Communication and training have increasingly been the ‘go to’ behavioural levers for security. Organisations need to build on the work they have already done in these areas to make communication and learning more impactful. From the use of virtual reality to gamification and application of behavioural economics, those leading the way on security culture are disrupting the environment to put people first.

These organisations are also not limiting themselves to communication and training, they understand the complexities of human behaviour and are thinking about their security culture holistically, using a broad range of leavers to influence security behaviours and evolve their culture. These levers range from leadership and role modelling, to organisational structure and balanced incentives and consequences.

Achieving a strong security culture takes time and investment but it is a business imperative. It takes years to build a trusted reputation, a single security breach can destroy this overnight. You can build a secure culture which allows you not only to defend and protect your business value by creating a ‘human firewall’, but also gives you the confidence to look forward and be proactive: be a step ahead of the next threat and create a unique competitive advantage.

Daisy McCartney | Senior Manager
+44 (0)207 213 1096

* PwC The Global State of Information Security Survey 2016