Dr. Laura Marulanda-Carter PhD is the Head of Curriculum IoT at Milton Keynes College, a campaigner for women in technology and a monthly columnist for Information Age. In this, her third contribution to the Mirus IT blog, Laura explores a lack of cyber security knowledge in UK human resources, and how to turn this weakness into a valuable protective force.
Cyber-attacks are an increasing menace to businesses. Technical vulnerabilities are only the start: attackers are now more likely to target your operational weaknesses, which often stem from the processes, policies and people within an organisation. These are routinely overlooked, yet they form a large part of the problem and should be part of the solution (see Huang et al. 2018).
The 2019 Cyber Security Breaches Survey revealed that only a third of organisations had carried out a cyber-risk assessment in the previous 12 months, even though the same survey found that 60% of medium businesses, 61% of large businesses and 52% of high-income charities had identified breaches or attacks in that period. A common trend is that many organisations do not recognise a need to seek out information or guidance for themselves. As we reflect on the past decade and move into the next, there is a general consensus that common sense alone is no longer enough: your human resources need to be as effective as, if not more effective than, your technical infrastructure.
Cyber security researchers at MIT have more recently found that insider threat arising from human behaviour is one of the most difficult aspects of security to control. Good cyber security protection clearly remains at the forefront of many organisations' information and communication technology strategy and investment. Yet looking more closely at how it is implemented reveals that the cyber security knowledge of their people remains very low.
So what should you be doing to improve this?
- Technology is not enough; training is essential. An organisation cannot be protected from a cyber-breach if its people are not careful and security-minded from day one. Many employers assume their employees arrive digitally literate and 'tech-savvy'. In reality, the nature of the virtual world allows attackers to carry out malicious acts more easily, and they are far less likely to be caught than thieves in the physical world (see TechaPeek 2019). This is why everyone needs IT and cyber security training as part of their induction and ongoing professional development. Mirus IT has experience here: its expert trainers deliver training that improves effectiveness, produces better results in working practice and creates more productive users.
- Encourage a security-conscious culture. Without effective awareness programmes, a safe culture among staff is unlikely to develop. Non-IT employees are generally not suspicious of social engineering attacks, particularly when the attacker offers to help them, for example by adjusting their work access or resetting a password. Failing to recognise such a trick often results in a successful breach, and recovering from it can cost the enterprise dearly (see Aldawood & Skinner 2019). Cyber security awareness is therefore critical to creating a secure place to work. The Cyber Streetwise campaign is a good example of one that supports behavioural change while using positive messaging to influence and support users.
- Motivation is key to change. Research has shown that people can be resistant to change and do not simply follow advice or instructions on how to behave online. In many cases end users are not fully aware of the dangers of interacting online and, to make matters worse, some security experts give them information that is too complicated, often evoking fear and despair. Even the word 'cyberspace' suggests something unknown to many non-IT specialists. The easiest way to combat this is to preserve a free and open information environment, often dubbed a 'social cyber-security' attitude. Take the example of sending simulated phishing emails to all employees in your organisation. In the traditional cyber security sense, the exercise focuses on technology and how it can be used to prevent data being compromised. From a social cyber-security view, it serves as part of a group-level social influence campaign: the emphasis shifts to how groups can be influenced and opinions shaped to mitigate cyber threats, and how this could affect the wider community (see Carley et al. 2018).
You can see other Guest Blogs by Laura Marulanda-Carter PhD here.
Check out Mirus IT Solutions News to keep up to date with top tips, strategies to future-proof your business and webinars to expand your cyber security knowledge.
Looking to Apply for Your Cyber Essentials Certification?
As an IASME-approved certification body, Mirus can help get your business set for cyber security success.
Would you like to benchmark your current cyber situation?
We've got a comprehensive Cyber Security Questionnaire that you can complete to better understand your situation.
Or, to find out about important changes to Cyber Essentials due to arrive next year, check out our blog Cyber Essentials is Evolving.