Hardly a day goes by without a news story or social media headline about an organisation that has suffered a data breach or become the victim of a cyberattack.
Our use of and reliance on technology and technical services is increasing exponentially and shows no signs of stopping. Recent research (2023) shows that people spend 3 hours and 15 minutes on their phones per day and check their phones an average of 58 times each day! With usage this high, is it any wonder that accidentally clicking on infected links, or making poor choices when responding to someone impersonating somebody else, is a daily cyber risk that affects everybody who is cyber active?
If you are truly serious about improving cybersecurity, don’t go for the ‘quick win’, because it simply isn’t working. For the last twenty years, the IT crowd, cybersecurity and data protection specialists have been offering ‘top tips’ to improve cybersecurity, but it’s not always enough. Cybercrime and our reliance on devices and technology are on the increase, while our understanding of cybersecurity and data protection has remained static, at best.
In order to improve cybersecurity, we need to do a number of things before we even begin looking at the technology itself.
Firstly, we need to broaden our understanding of and approach to cybersecurity and recognise that it is only part of an overall strategy to protect data. That strategy is an Information Security strategy. Imagine Information Security as a tree, with cybersecurity simply one of the branches upon that tree. Other branches include human security, physical security, third-party security, and policies and procedures. The leaves upon that tree are the data you are trying to protect. If we’re to improve cybersecurity, we need to ensure the entire ‘tree’ is fed and watered.
Human security – doing the hard part first
Possibly the hardest, yet most important, aspect of improving cybersecurity is getting people to recognise the impact they have on this topic. For far too long, cybersecurity professionals have focused on people’s knowledge and getting them to ‘know’ about cybersecurity, rather than focusing on getting them to ‘care’ about this topic.
We present facts, figures and statistics, which are important but don’t tell a story. People leave cybersecurity training knowing that cybercrime is on the increase and sympathising with the victims. They don’t always understand, however, how that impacts them personally, and therefore they are less likely to give it the consideration it requires. Consequently, they are less likely to retain the knowledge and translate it into their day-to-day lives and cyber habits.
Understandably, but for far too long, cybersecurity has been seen as the IT department’s responsibility. They’re expected to protect us and the systems and services we use. This is like expecting the car mechanic to ensure we are all safe road users.
To improve human security, we need to meet people where they are. This means we need to understand both the emotional and physical aspects of their world. If people are stretched, or stressed, they are likely to act in haste, click on infected links, or make a simple mistake which leads to a data breach. In audits, we pay close attention to things like attrition and retention within the department. How overworked are people? Is the person sat opposite me wearing multiple ‘hats’ and spinning far too many plates? If they are, are they likely to be listening when we give them a presentation telling them “Think before you click”?
We need to develop our emotional intelligence if we’re going to develop training that changes people’s behaviour and attitudes towards the protection of data. How do we do this? Firstly, we need to recognise there is a problem with the approach we’ve taken for the last 20+ years. Boards, CEOs and business owners need to recognise that they are ultimately responsible and accountable for the protection of data, because they set the culture within their organisation.
If we are to improve cybersecurity, we need to bring other people ‘along on the journey’ with us, and that means moving out of the IT room and speaking to other people, asking, “What concerns you about Information Security in your department and others?” This is more effective than just assuming you know what is best for the business.
If you have a marketing function, you can also ask them to help you inject a little fun and life into your cybersecurity programme. Cybersecurity may be a serious topic, but it doesn’t mean you can’t have fun with it!
Finally… some tips
The following steps require commitment and dedication. If you were hoping for advice, such as “Install a firewall”, you’ve come to the wrong blog. Google “Top ten tips for Cybersecurity” and I’m sure you’ll find some steps you can take that will make things feel better for a while. If you’re looking for ways to improve cybersecurity and build something that will continually improve for the long term, the following just might get you there.
Improving Cybersecurity – top tips
Leaders, get involved
There’s really no point moving forward unless you have leadership that is committed to this task. It’s not enough for them to point at you and say “Make IT work!” Ask them why this is important, ask them to support you. They need to demonstrate that they are committed to this task and to supporting you. This is no time for ‘lip service’.
Start with the end in mind
Develop a clear picture of the outcome of your cybersecurity journey. What are your objectives? What will ‘success’ look like? Write down a clear vision of what the future will look like.
Develop a clear strategy
Once you know what you’re looking to achieve, write down how you intend to get there. What is your strategy? If your objective is to get 100% of people to know about cybersecurity, your strategy might be to run training for every team for the next six months.
Finding friends…and foes
Who are your allies and who is against cybersecurity? Do a little analysis within your business to see who can help you get the message across about how important this topic is. Maybe the head of HR or Finance? What are their concerns? What keeps them awake at night? Look for the positives in what cybersecurity brings and help them see how it will help, not hinder, them.
Build a plan
Cybersecurity is part of a bigger picture (information security), so build a plan that goes beyond the narrow confines of the IT department. Now that you have leaders involved (and hopefully supportive), a clear picture of your objectives, and your supporters identified, you can write your plan of action.
You should see cybersecurity as an enduring programme but still approach it like a project, with clear milestones and outcomes.
There are many ways you can improve cybersecurity, but don’t expect to do it overnight if you wish to do it well. Yes, of course, you can look to implement Cyber Essentials, and that will be a fantastic first step, but to make a real difference, it takes time and effort.
Remember: cybersecurity is a journey, not a destination.