teissTalk: Protecting your key people from their own mistakes

On 1 March, teissTalk host Jenny Radcliffe was joined by Keil Hubert, Head of Security Awareness & Training, OCC; Bernard Swierczyna, Chief Information Security Officer, Vivid Money Ireland; Robert Fleming, Chief Marketing Officer, Zivver.

 

Views on news

 

Experts are warning of retaliatory and spill over cyberattacks by Russia in response to sanctions imposed by the West to curtail the war against Ukraine, which may impact businesses in allied nations.

 

The types of attacks to be expected span the whole spectrum from destructive campaigns involving the use of disk-wipers and ransomware, to distributed-denial-of-service attacks, phishing, disinformation, misinformation and influence campaigns. To read the 7 steps that exposed organisations are recommended to take click here.

 

One of the precautions highlighted have been secure communications. Some of the email systems used today are not inherently secured by encryption (end-to-end or zero access). However, the panel doesn’t think that the war in Ukraine marks a watershed moment in cybersecurity, as these threats have been around for quite some time now. A persisting problem is that society still doesn’t genuinely care about cyber security and their proper education in this field hasn’t even started yet. And change is still not on the horizon with 7-10 year olds getting quite computer-savvy without developing any awareness whatsoever of security. Cyber incidents raise the interest of the business and the public only temporarily leading to buying sprees of cyber security software which subside in weeks.

 

You can make me aware but you can’t make me care! Unless you reinforce secure behaviours, security values and standards by leading by example, your people will comply only with a boss or an auditor around and will relapse into old practices for the rest of the time. 

 

Protecting people from their own mistakes

 

Even the most security aware professional can fall for fishing eventually. Cyber security teams, therefore, should be perceived by staff as a trusted friend who they can rely on for support rather then surveyors or harassers. Also, to make a real change in the medium term, cyber and data security should be integrated into school curricula. 

 

The division in people’s minds between security at work and in their private lives should definitely be eliminated for secure practices becoming their second nature. It could also help if those who fell victim to scams and social engineering would share their stories rather than dusting themselves off and keep quiet about their gullibility. By making cyber security more personal and emotionally resonant through these stories, they could win more people over to good cyber security practices.

 

Cyber security messages would also stick better with technology that can give prompts and pointers in real time to users about to fall victims to malicious actors or their own mistakes.

Security awareness training, in the UK data leaks were around 40,000 last year, about 80% of which were down to human error.