
Author: Gary Hibberd

Date: 31st July 2020

 

Hardly a day goes by without a news story or social media headline involving an organisation that has suffered a Data breach or become the victim of a Cyberattack.

Our use of and reliance on technology and technical services is increasing exponentially and shows no signs of stopping. Deloitte’s 2016 Global Mobile Consumer Survey revealed that more than 60% of people check their devices within 5 minutes of waking up in the morning. Nearly 90% check their phones within 30 minutes, and nearly everybody (96%) admits to using their devices less than an hour after waking.

If 60% of people are checking their devices within 5 minutes of waking, is it any wonder that they click on infected links or make poor choices when responding to someone they believed to be their CEO? 

 

Improving Cybersecurity

You’re possibly reading this because you’re looking for ‘quick tips’ to improve Cybersecurity. Of course, I wouldn’t want to disappoint you, so I’ve included a few things you should consider at the bottom of this blog, and I would say look at implementing Cyber Essentials.

If this is all you’re looking for, feel free to skip to that section for some simple advice.

However, if you are truly serious about improving Cybersecurity, don’t go for the ‘quick win’, because it simply isn’t working. For the last twenty years, the IT Crowd, Cybersecurity and Data Protection specialists have been offering ‘top tips’ to improve your Cybersecurity, but it’s not working. Cybercrime and our reliance on devices and technology are on the increase, while our understanding of Cybersecurity and Data Protection has remained static, at best.

I believe in order to improve Cybersecurity we need to do a number of things before we even begin looking at technology itself.

Firstly we need to broaden our understanding and approach to Cybersecurity and recognise that this is only part of an overall strategy to protect Data. That strategy is an Information Security strategy.

Imagine Information Security as a tree, with Cybersecurity as simply one of the branches upon that tree. Other branches include Human Security, physical security, third-party security, and Policies & Procedures. The leaves upon that tree are the Data you are trying to protect.

If we’re to improve Cybersecurity, we need to ensure the entire ‘tree’ is fed-and-watered.

 

Human security; Do the hard thing first.

Possibly the hardest, yet most important, aspect of improving Cybersecurity is getting people to recognise the impact they have on this topic. For far too long, Cybersecurity professionals have focused on people’s knowledge, and getting them to ‘know’ about Cybersecurity, rather than focusing on getting them to ‘care’ about this topic.

We present facts and figures, and statistics, which are important, but don’t tell a story. People leave Cybersecurity training knowing that Cybercrime is on the increase, and sympathise with the victims. But they rarely understand how that impacts them personally, and therefore they are less likely to care. If they don’t care, then they are less likely to retain the knowledge and translate it into their day-to-day lives, and habits.

Understandably, but for far too long, Cybersecurity has been seen as the IT Crowd’s job. The IT Crowd are expected to protect us, and the systems and services we use. But this is like expecting the car mechanic to ensure we are all safe road users.

To improve Human security, I often say we need to meet people where they are. This means we need to understand both the emotional and physical aspects of their world. If people are stretched, or stressed, they are likely to act in haste, click on infected links, or make a simple mistake which leads to a Data breach. In audits, I pay close attention to things like attrition and retention within the department. How overworked are people? Is the person sat opposite me wearing multiple ‘hats’, and spinning far too many plates? If they are, are they likely to be listening when I give them a presentation telling them “Think before you click”?

We need to develop our emotional intelligence if we’re going to develop training that changes people’s behaviour and attitudes towards the protection of Data. How do we do this? Firstly we need to recognise there is a problem with the approach we’ve taken for the last 20+ years. Boards, CEOs and business owners need to recognise that they are ultimately responsible and accountable for the protection of Data because they set the culture within their organisation.

If we are to improve Cybersecurity, we need to bring other people ‘along on the journey’ with us and that means moving out of the IT room and speaking to other people. Asking “What concerns you about Information Security in your department and others?” is better than just assuming you know what is best for the business. 

If you have a marketing function, you can also ask them to help you inject a little fun and life into your Cybersecurity programme. Yes, I said ‘fun’! Cybersecurity may be a serious topic, but it doesn’t mean you can’t have fun with it.

 

Finally… some tips

For those of you who skipped straight to the ‘tips’, I hope you weren’t expecting any quick fixes. The following steps require commitment and dedication. If you were hoping for advice, such as “Install a firewall”, you’ve come to the wrong blog. Google “Top ten tips for Cybersecurity” and I’m sure you’ll find some steps you can take that will make things feel better for a while. But if you’re looking for ways to improve Cybersecurity, and build something that will continually improve, the following just might get you there.

 

Improving Cybersecurity; Top Tips

 

Leaders; Get buy-in

There’s really no point moving forward unless you have Leadership that is committed to this task. It’s not enough for them to point at you and say “Make IT work!” Ask them why this is important; ask them to support you. They need to demonstrate that they are committed to this task and supporting you. This is no time for ‘lip service’. 

 

Start with the end in mind

Develop a clear picture of the outcome of your Cybersecurity journey. What are your objectives? What will ‘success’ look like? Write down a clear vision of what the future will look like.

 

Develop a clear strategy

Once you know what you’re looking to achieve, write down how you intend to get there. What is your strategy? If your objective is to get 100% of people to know about Cybersecurity, your strategy might be to run training for every team for the next six months.

 

Finding friends and foes

Who are your allies and who is against Cybersecurity? Do a little analysis within your business to see who can help you get the message across about how important this topic is. Maybe the head of HR, or Finance? What are their concerns? What keeps them awake at night? Look for the positives in what Cybersecurity brings, and help them see how it will help, not hinder them.

 

Build a Plan

Cybersecurity is part of a bigger picture (Information Security), so build a plan that goes beyond the narrow confines of the IT department. Now that you have got leaders involved (and supportive), have a clear picture of your objectives, and have identified your supporters, you can write your plan of action.

You should see Cybersecurity as an enduring programme, but still approach it like a project, with milestones and outcomes. 

 

Conclusion

There are many ways you can improve Cybersecurity. But don’t expect to do it overnight if you wish to do it well. Yes, of course, you can look to implement Cyber Essentials, and that will be a great first step. But to make a real difference, it takes effort, and it takes time.

Remember; Cybersecurity is a journey, not a destination.
