“If you think education is expensive, try ignorance.” (Derek Bok, former President of Harvard University)
Picture this. One morning, a woman walks into your company’s head office. She tells the receptionist that she is the landlord for the building next door and is supposed to be showing prospective tenants around. But in her rush from home she has forgotten to bring the planning documents to show them – would it be possible to quickly plug in her laptop and download the plans to print off? The receptionist understands her predicament and agrees. Five minutes later the “landlord” has infected your computer systems with malware. And you don’t know anything about it.
Sound far-fetched? Think again. It is just one of the many (successful) war-gaming scenarios organised by Graeme McGowan, Technical Director of Bronzeye IBRM, to warn companies about the weakest link in their information security: people.
It is a very simple, and equally very effective, way to demonstrate that while companies might be forking out thousands of pounds on IT systems to safeguard their business, that spending does not eliminate the likelihood of employees undermining those systems by making mistakes, acting under pressure or, most commonly, through sheer lack of awareness.
Ignorance is one of the most prevalent threats to a company’s line of defence against cyber crime. There is a worrying perception, particularly among SMEs, that the cost of securing a business is not always commensurate with the risk of being attacked. This belief goes some way to explaining why so many companies are attracted by the IT vendors’ pitch of an automated solution – a one-stop shop for all their cyber security issues. “This magical panacea does not exist,” says Andrew Taylor, CEO of Bronzeye IBRM. “Yes, you need the robust technical defence, but you also need to invest the time, effort and commitment to make sure your people aren’t going to subvert it by the most basic of errors.” From clicking on a phishing email or choosing weak passwords to indiscreet conversations in the pub or on social media, the innocent errors of employees open up a world of opportunity to the seasoned cyber criminal.
These mistakes, while tough to eradicate, can be substantially reduced by companies working towards being secure, rather than merely seeking to be compliant with regulatory regimes. Instead of asking, “Have we ticked all the boxes?”, management should be driven to embed a culture of security. Graeme argues that it is about tone from the top of the organisation, from the CEO and CIO down to the security guards and receptionists. “You need a well-trained, well-aware workforce that is looked after by a management clearly interested in the issue.”
One of the barriers to this is the view of some companies that they have nothing to attract the interest of hackers. This is a monumental misjudgement. SMEs – particularly suppliers – are often used as a back-door route into the juicier prey of larger corporations. Remember Target Corp, anyone? Security and compliance can be a major drain on cash and resources, but it is about priorities. “Reduce the amount you are trying to make secure, and spend more time making that secure,” advises Andrew. “There’s probably no point spending loads of money putting bars on the windows of a building where people don’t go. But client data, how you pay money, how money is moved around – this is information that is always worth defending.”
One of those priorities should be people and their education, but management often plumps for the online compliance packages that keep employees at their desks while satisfying the regulators (box ticked). But imagine if you got your employees in a room and talked about information security for a day. It is all about keeping the thought of security in their minds at all times. There is a much greater chance of it sinking in and resurfacing later, when they might really need it – like that receptionist. Training, comments Andrew Taylor, is often seen as dead money. But if you think compliance is expensive, try non-compliance. As many as 80% of unprepared businesses that fall victim to a serious cyber-breach, and don’t have a decent crisis management plan in place, will go out of business in the following months.
A magical panacea for cyber security is a myth. No one and no company can be 100% secure. If someone tells you they are going to give you that, show them the door! But you can build a resilient defence by having the right culture, one that comes from proactive engagement from the top of an organisation, with the right priorities and a well-crafted governance regime. If you do that, you will have a much better chance of weathering a breach and getting back to business.