People and Processes: The Key Drivers for Effective Cyber Security

Alan Calder


Cyber security investment continues to spiral, with Gartner predicting that global security spend will reach £71.72 billion by the end of the year as a direct result of regulatory change, mindset and a growing awareness of threats, writes Alan Calder. With over 40% of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, and having to deal with the attendant cost and reputational damage, it’s easy to see how information security teams can make the case for requiring ever-higher budgets.

That said, is handing over another tranche of cash really the most effective route to cyber resilience? Look closely at any recent high-profile breach and the attackers did not get in by bypassing top-of-the-line security technology, but by identifying weaknesses in processes and staff.

While technology certainly has its part to play in a business’s overall cyber security strategy, people and processes actually have a much more significant role in ensuring that an organisation is protected. From management commitment to strategic risk assessment through to process change and employee awareness, organisations need to reconsider security and commit to rapidly acquiring the skills required to deliver this three-fold approach to mitigating cyber risk.

Weakest link

No organisation is immune to the threat of a cyber attack, especially as attack types and methods become increasingly sophisticated. Given the enormous cost associated with breaches, from regulatory fines to lost customers and compromised supplier relationships, this subject is clearly on Board agendas. Unfortunately, most Boards would rather commit to hiking the security budget than take the step actually required to improve cyber resilience: namely, becoming involved themselves.

According to ISO 27001, Board-level commitment is an essential requirement, yet this is a message that the CIO or CISO is finding hard to put across. Most senior-level individuals perceive cyber security as too complex and too technical to have a place in any Board meeting. Yet this attitude betrays a patent lack of understanding of the cyber criminal. It’s not all about incredibly complex and sophisticated threats. Rather, attackers will aim at the weakest link in an organisation’s security posture – its people.

People are a risk because they will forget passwords, make errors, click on phishing e-mails or access websites loaded with malware. It’s not malicious in the main, but it is a huge problem. The fact is that the majority of breaches are linked to human error and, more often than not, the cause is ill-considered processes and education, not inadequate security solutions.

Proving the point

The massive data breach at Sony came about as a result of hackers gaining access to a list of passwords written in plain text, which is essentially an open door to an extraordinary raft of sensitive information. At Morrison’s, it was a disgruntled employee who was able to upload the details of 99,998 staff, including bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers to data sharing websites. With Morrison’s having spent more than £2 million tackling the breach, the High Court ruled that the supermarket giant was vicariously liable because the individual was acting in the course of his employment when he leaked the information online.

A lack of management understanding of risk also contributes to technology and process compromises that create unacceptable exposure. The WannaCry ransomware attack that ravaged so many businesses in 2017 is a prime example of poor processes: in this case, a failure to update software, which in turn created huge vulnerabilities. The attack affected companies globally, although in the UK the media brunt was borne by the NHS, which estimates a cost of £92 million to recover damaged IT equipment (although it has made no public acknowledgement of the cost to patients’ health as a result of cancelled operations and missed diagnoses).

While these events clearly focus management attention on escalating cyber risk, none of these organisations had failed to invest in security hardware or software. What they had overlooked was that a cyber resilient business is underpinned by highly effective processes and a highly aware and educated staff.

Information security culture

User awareness and education is a huge component of a cyber resilient organisation. Simple steps such as teaching employees to recognise a phishing e-mail or spot a rogue Wi-Fi hotspot at the café, station or conference centre can radically reduce incidents. This is just the start, however. User awareness and training must be part of a complete resilience process.

Continually testing staff awareness – by sending phishing e-mails and following up with additional training to those who mistakenly click on such e-mails – is essential, but staff also need to know what to do if they do click on a phishing e-mail by mistake. That means the company needs to put in place a clearly defined process that encompasses everything from ensuring users recognise the importance of immediately notifying the incident response team through to locking down the device and removing it from the network and, critically, undertaking an assessment to determine whether the incident has created a regulatory reportable breach.

In addition to improving awareness and understanding, it’s also important to make life easy for the user. While IT has become obsessed with the concept of complex passwords changed every 60 to 90 days, for the user the only option is to write these down or continually waste time calling the Help Desk for a reset.

How much more effective to opt for single sign-on and passwords changed only when the user perceives a risk? Or once a year? Not only does the business shed the massive risk associated with passwords written down everywhere, but Help Desk call volumes plummet – and the IT team has time to fix the gaping security hole left by the disturbing number of network devices still operating on easily breached default settings.

Security standards

This ‘People and Process’ model is at the heart of the global ISO 27001 security standard – a standard which, in this post-General Data Protection Regulation era, is prompting increasing interest as a way of demonstrating that adequate security provision was in place should a breach occur.

Circling back to where we came in, this is where the Board needs to become involved. ISO 27001 states that management must be engaged in the information security management process. They must lead by example and provide clear guidance to the organisation on issues such as risk management. That means security isn’t just a line on the budget and a chance to pass the buck to the information security management team. The Board must actively discuss and consider security policy if certification is to be achieved.

To be frank, the Board should be actively involved. The creation of a cyber resilience framework is key not only to reducing the likelihood of a breach, but also to ensuring systems can be back up and running as quickly as possible in order to minimise business disruption. That operational framework is ultimately defined and directed by a corporate understanding of risk.

Simply accepting an ever-increasing security cost isn’t enough. It’s not until the Board has discussed and agreed upon the risk appetite, which will vary significantly between organisations, that the business can begin to take the correct steps towards managing information security. That means investing in the right skills to define and implement new processes and heightened levels of staff awareness.

Alan Calder is Founder and Executive Chairman of IT Governance

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.