Cyber Resilience: it’s all about behaviours


A summary of a presentation given to the Digital Leaders Conference on 9 December 2015

Here are two short, true stories:

Nick Wilding

In the spring of 2013 the CEO of a global energy organization was finalizing the details of a significant commercial bid with his board colleagues. On 10 April he received a call from a Director of his country’s intelligence service advising him that his organization had suffered a significant cyber-attack. A detailed forensic analysis identified the commercial organization behind the attack and the active support it was receiving from its nation state, and confirmed that the attackers had successfully targeted and compromised the highly sensitive information in the strategic bid. The result was that the bid collapsed. How did the attack succeed? It was a targeted spear-phishing attack on one of the board directors involved in the bid.

In another country the CISO of a well-known retail bank recently wanted to adopt a new approach to communicating his monthly cyber update to his main board. He asked them a set of multiple-choice questions. The first asked how many phishing emails they believed their bank received every month. The answer was 40 million. 4,000 of these found their way through the bank’s technical defences to its staff. As the CISO went on to say: “The attackers only need to be lucky once; I need to be lucky all the time, every time.”

What can we learn from these stories? Firstly, that no matter how large or technically advanced your organization is, you are at risk. All organizations, whatever their size or sector, will be attacked and breached at some time – if they have not been already. Do you know how you are going to respond effectively in the face of these attacks to best protect what is most valuable to you: your reputation, the trust you have with your customers, your hard-fought competitive advantage or your finances?

Secondly, both stories demonstrate the critical ‘human factor’ in effective cyber resilience. It has regularly been estimated that 90% of all breaches succeed because of human error (see Verizon’s 2015 Annual Data Breach Report). That is why people, not technology, must sit at the heart of any effective cyber resilience strategy and action plan.

The CISO and their security and IT teams can no longer defend their organization’s most valuable information on their own. Cyber resilience requires collaboration across the organization: the Boardroom needs to set the right tone from the top, and all other staff need to be given the awareness and skills of a cyber-resilient workforce. There is too much at stake if you do not manage cyber resilience as organizational resilience.

Most organizations still rely on annual information security awareness eLearning to ‘educate’ their people. Typically this approach fails to engage and does not influence new behaviours. We need a different approach.

We need an approach that acknowledges that people learn in different ways and at different speeds and which adopts some core learning principles:

  • To have ongoing and regular learning throughout the year - short modules with refreshers that can also provide key learning tips in response to the latest attacks;
  • To have adaptive and personalized learning - have content that is tailored to different skill levels and individual learning styles;
  • To be engaging, fun and competitive - exploit new learning techniques (games, apps, simulations, animations) that immerse the user in learning that can be taken anywhere;
  • To easily demonstrate business value – show how behaviours are changing over time helping the organization to manage their cyber risks more effectively.

More and more organizations are adopting this approach in realizing that their people’s behaviours represent their strongest security control… no matter the size or shape of the organization. Are you ready for the change?

If you want to find out more about AXELOS’S RESILIA Awareness learning please contact [email protected]  

View Nick's presentation on the Digital Leaders website.

Read more AXELOS Blog Posts from Nick Wilding

Cyber Resilience: it’s all about behaviour, not bits and bytes

Cyber Resilience: We need to TalkTalk

Cyber Resilience: developing a new language for all

Looking for Business Leaders in the Cyber Resilience Race


Did you know you were a whale?

Cyber resilience: How important is your reputation? How effective are your people?

21st century cyber awareness for a 21st century threat

A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 2

A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 1

