Unfortunately, cognitive biases hinder our ability to judge risk correctly, and it is these biases that lead individuals to fall victim to scams or to cause a security breach. Walking staff through scenarios of how cyber criminals defeat security, starting with a single worker, can help change the culture and behaviour of employees. Those scenarios need to be relevant and told in the language the business uses, with as little techno-babble as possible. Remember, there is no silver bullet for this problem; technology alone is not the answer.
What does help is a combination of transparent security technology (controls the end user does not even know are protecting them), training in judgement and decision making, regular education, and a positive, agile culture of risk management.
No employee wants to be the source of damage to a business. Nobody wants to be the one responsible for a data breach that hits the media headlines. That is just human.
Seven tips for organisations to help improve cyber security:
- Build a culture of business resilience which includes security and risk as core pillars
- Understand your weak points by thinking like the criminals. Where does your data reside, who can access it, what controls are in place, and how easily could those controls be circumvented?
- Identify, establish and monitor controls to reduce your weak points, but don't get lost in the compliance forest. Make sure what you're monitoring or assessing is relevant and real. Is it dependent on people doing the right thing, and what happens if they don't?
- Supplement control monitoring with business education that uses real-world scenarios to highlight the risks and exposures in a business context. Rinse and repeat this step: education is a continuous process, and it needs to be engaging or it will fail.
- Shift the needle from implicit trust of the Internet to a position where staff question things that sound too good to be true or just don't sound right. If you have done step 4 correctly, this will occur naturally in the business.
- Don't despair when it does go wrong. The person involved simply fell victim to their primal triggers, and it takes time and training to control them. Perhaps your business needs to focus on the psychological aspects of security, namely decision making and judgement.
- Have a plan for when it goes wrong and the breach occurs. How will you contain it, how will you respond to customers and the media, and how will you restore confidence and continue adding value to your customers and shareholders during the crisis? Don't be afraid of it happening; accept it, plan for it and be prepared.
Source: CSO Australia