Cyber threats dominated the headlines in 2016 and this trend looks set to continue in the year ahead. Data breaches, malware infections and hacked email accounts were regulars in our news feeds and the best way to prevent your own organisation from ending up on the wrong side of the headline is to stop your employees from flouting your security protocols.
There is a fundamental reason for this growth in cyber threats. The digital revolution, specifically of the last twenty years, has taken our lives and businesses online and cyber criminals have followed us there. For centuries, the fundamentals of physical security have been relatively unchanged – we were taught as children to lock doors and windows and keep valuables in a safe. Digital security however is a rapidly changing environment.
Research from our latest Data Health Check survey revealed that 61 per cent of businesses believe that their employees disregard security policies at least once a month. Nearly a third say it happens every day. Businesses can either start the year by spending millions on the latest security software and prevention tools, or you could resolve to take on the more difficult human factor.
Employees who flout security policies are unlikely to be purposely trying to threaten the business – they either don’t know the consequences of their actions or they feel too restricted by the policies in place. However, this disregard for security policies leaves organisations exposed to serious threats. So what practical steps can an organisation take in 2017 to reduce this risk?
Employees are often more lax with security at work than in their personal lives because the burden of cyber security is seen to fall solely on the IT department. It is vital to develop a culture of shared responsibility. We understand this in the physical work environment – if an unknown person walked into your office and plugged a USB device into one of your PCs, you would step in and question it. This attitude must be applied to all aspects of digital security.
We need to have a much more open dialogue between the IT department and the rest of the business. Often, IT teams handle incidents in the background with only key senior individuals being informed, but if threats aren’t communicated internally to all employees then they will carry on as they always have. Transparency has a big part to play here. The IT department has a responsibility to educate the entire business on why an incident took place, what the implications were and, most importantly, what can be done to prevent it from happening again.
Equally, there needs to be a flow of information from users about their experience living with the policies IT have set. By doing so, businesses can find out where and how security processes are too restrictive or unintuitive and work on improving employees’ experience with them.
Balancing productivity and security
When security processes hinder an employee’s performance, they will often opt for the path of least resistance and circumvent them to get the job done quicker. As we know, what we choose to measure drives behaviour. Staff will only adhere to security policies if they are motivated to do so – if employees are only recognised or rewarded for productivity, managers can’t be surprised when this is prioritised over anything else.
This realisation dictates that security needs to be built into the organisation’s overall strategy, and communicated down through employees’ objectives, so that it is not sacrificed at the cost of productivity.
Training and education
Regular training and education play a vital role. Awareness training is typically only carried out yearly or as part of an initial induction, but this should be increased. Employees need constant security refreshers throughout the year, at least twice annually, not only to address any new threats, but also so security remains front of mind. The threat landscape is constantly evolving and maturing, and it’s vital for organisations to keep pace. It’s very easy for employees to go through awareness training, but six months later have forgotten what they’ve learnt as day-to-day tasks take priority.
2017 should see an increase in structured security training for the entire organisation. The average cost of a data breach is £3.25 million according to the Ponemon Institute, a cost that is only likely to increase once the General Data Protection Regulation (GDPR) comes into full effect. These new regulations will see companies face fines of €20 million or 4 per cent of annual turnover, whichever is greater, if they fail to keep personal data appropriately secure. It’s better to invest time and money in sound practices and additional training now, rather than pay the price later.
Making resolutions is easy, but keeping them is notoriously less so – especially when you are trying to instil an ethos throughout your whole organisation.
Whether our resolution is weight loss, giving up smoking or changing our attitudes and security actions, we can apply the same methods to guarantee behaviour change.
We need to create an environment that supports the change (our management processes).
We need to remove any obvious barriers by making our security processes as easy to follow as possible; we need to break the complex issue down into simple steps; and we need to drive action until these new behaviours form a habit. For any of these changes to really stick, the entire organisation needs to know why we are changing and why this is so important. If we can get this right, it is the best way to make our business more secure in 2017.
Oscar Arean is technical operations manager at Databarracks