In the world of cyber resilience, barely a week goes by without another company falling victim to cyber-attack – and to the penalties that can arise as a result.
In February 2015, the UK Information Commissioner’s Office (ICO) fined insurance broker Staysure £175,000 after its customer records were hacked and used for fraud. Worse still, more than 5,000 of the broker's customers had their credit cards used by fraudsters. According to the report in industry publication Insurance Times, “the company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident”.
This was another reminder of companies’ increasing vulnerability to cyber assault, and of the punitive actions at the disposal of regulatory authorities. But Staysure was fortunate that the consequences stopped at a fine: identity theft, as recently reported by Experian, now accounts for more than half of all detected fraud in the UK. In the USA this has led to so-called class actions against companies, and it could eventually happen here too.
And yet a hacker’s route into a company’s IT systems is often the unwitting action of an employee: a successful hack often requires an individual within the organization to click on a link or attachment in a phishing email, enabling the hacker to wander (virtually) around the victim’s network, identifying the information they want to steal.
Currently, this mode of illicit entry features in more than 80 per cent of cyber breaches, and it is therefore the best place to stop an attack before it starts. While there might be good technology out there to warn companies of an intrusion on their network, the technological route is essentially an “arms race” against the attackers and their ever-more sophisticated means of disguising their actions. And expensive technology isn’t necessarily a viable option for many companies.
What organizations need more of is people at every level who are increasingly cyber aware: alert to the cyber threat, persuaded of how and why it is relevant to them, and so capable of making the right response at the right time. Developing this cyber awareness among a company’s people is often more efficient, effective and affordable than technological solutions!
Awareness for cyber resilience
To date, cyber resilience training has been very compliance-led; while that might tick a box to say the company is compliant, the training is not always inspiring or relevant to the trainees and, as history has shown, it does not equate to better cyber security. The challenge is to make awareness resonate with everyone in an organization, from the chairman to the receptionist, and to offer advice that is sensible and pragmatic.
The AXELOS approach to cyber awareness is designed to help people change their cyber behaviours, resulting in better cyber-related decisions. Learning is not one-size-fits-all. By recognizing that individuals consume content in different ways and delivering a range of content types, user engagement increases. This results in greater retention of knowledge, which leads to behavioural change. But this gives rise to the question: “how do you know whether behaviour has changed or not?”
We are currently developing methods which use a series of inputs from across the business to measure how effective the awareness has been and what has changed in an organization as a consequence. This will also have the added benefit of identifying which messages and delivery mechanisms are working best.
This will help those responsible in the organization for cyber resilience (and that begins with the board) to answer the following about their awareness programme:
- How effective has it been? Who’s done it? How well did they do? How have people improved?
- How “sticky” has it been? Are people wanting to use it across the organization? Which departments are using it or not?
- What’s changed as a consequence?
Awareness is a critical factor: technology is sadly not a silver bullet. Building awareness at every point in the cyber ecosystem is an effective and cost-efficient way to mitigate cyber risk and to achieve greater cyber resilience.