The case of the three UK judges sacked for viewing pornography using their official IT accounts raised some serious questions for the people involved, and their employers.
The obvious question is how men in these roles could make such a terrible misjudgement and become involved in what the Lord Chancellor and the Lord Chief Justice called “wholly unacceptable conduct for a judicial office holder”. The second question is how aware the judges were that their actions could compromise the cyber security of their organization.
The AXELOS cyber resilience team is more interested in the second question, and one answer points to a complete lack of cyber awareness and a failure to observe best practice for cyber resilience.
Why awareness is key
It’s unclear whether the judges knew they shouldn’t browse pornography.
What is clear is that it is possible to activate a filter on a firewall to stop users browsing undesirable content such as, in this case, pornography. Unless all three judges took steps to avoid this control – which is possible – we can only assume that this simple control was not activated. Perhaps those responsible for running the firewall were not aware of the feature, or of the best practice principle that it should be switched on.
On balance, I believe it was probably down to a complete lack of an effective, efficient and consistent awareness campaign. If the judges did undertake a cyber induction or awareness programme during their time in the judicial system, then it clearly failed, and there are a number of reasons why programmes of this nature fail:
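To make the control described above concrete, here is an added example (not the judiciary's or AXELOS's configuration) of how a category-based web filter behaves, and of the configuration check an administrator would run to confirm the control is actually active rather than merely available. The domain-to-category map, the user names and the URLs are constructed sample data; a real deployment would take categories from a vendor feed and enforce them on the firewall or proxy.

```python
"""
Category-based web filter with an "is the control on?" check.

Added example, not code from the original post. CATEGORY_MAP and the
sample requests are constructed data for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed category map; a real filter consults a vendor category feed.
CATEGORY_MAP = {
    "example-adult.test": "adult",
    "example-gambling.test": "gambling",
    "intranet.example.test": "business",
    "docs.example.test": "business",
}

# Categories the organisation has decided to block at the perimeter.
BLOCKED_CATEGORIES = {"adult", "gambling"}


@dataclass
class WebFilter:
    enabled: bool = True
    blocked: set = field(default_factory=lambda: set(BLOCKED_CATEGORIES))
    audit_log: list = field(default_factory=list)

    def categorise(self, url: str) -> str:
        """Return the category of a URL's host, inheriting from parent domains."""
        host = (urlparse(url).hostname or "").lower()
        parts = host.split(".")
        for i in range(len(parts)):
            category = CATEGORY_MAP.get(".".join(parts[i:]))
            if category:
                return category
        return "uncategorised"

    def decide(self, user: str, url: str) -> str:
        """Return BLOCK or ALLOW for one request and record it in the audit log."""
        category = self.categorise(url)
        action = "BLOCK" if self.enabled and category in self.blocked else "ALLOW"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "host": urlparse(url).hostname,
            "category": category,
            "action": action,
        })
        return action


def control_check(web_filter: WebFilter) -> list:
    """Findings an administrator should raise before trusting the control."""
    findings = []
    if not web_filter.enabled:
        findings.append("content filter is present but not enabled")
    if not web_filter.blocked:
        findings.append("content filter is enabled but blocks no categories")
    return findings


def blocked_attempts_by_user(audit_log: list) -> dict:
    """Count blocked requests per user: evidence for an awareness programme."""
    counts = {}
    for entry in audit_log:
        if entry["action"] == "BLOCK":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    f = WebFilter()
    for user, url in [
        ("user-a", "https://www.example-adult.test/video"),
        ("user-b", "https://docs.example.test/policy.pdf"),
        ("user-a", "https://example-gambling.test/"),
    ]:
        print(user, url, "->", f.decide(user, url))
    print("findings:", control_check(f))
    print("blocked attempts:", blocked_attempts_by_user(f.audit_log))
```

The point of `control_check` is the one the post makes: a filter that exists on the firewall but is switched off gives every request an ALLOW, so verifying that the feature is enabled belongs in routine configuration review, and the per-user counts from the audit log give an awareness programme something to measure against.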
- The intended messages were unclear
- The way they were delivered didn’t resonate with the audience
- The audience simply chose to ignore the message.
Often these programmes are delivered as a series of “don’t do this” and “don’t do that” diktats from on high. That is insufficient: people need to be equipped with information that highlights the risks of certain cyber behaviour and explains how those risks can in turn affect both the individual and the organization.
Pornographic sites are often infected with malicious code, such as Trojans and viruses, designed to compromise and sometimes steal a company’s important, private information. Either this was unknown to the three judges in this case or it was not compelling enough to change their behaviour.
A lack of cyber awareness can also lead to the assumption that having anti-virus software (AVS) means there is nothing more to worry about or do. AVS can and does help, but cyber attackers are constantly finding and developing new ways to get around it. Moreover, AVS needs to be continuously updated to remain effective, and this is regularly overlooked. AVS is definitely important in the fight against cyber attackers, but people need to be aware of its limitations.
Best practice guidance
Alongside AVS, organizations need to ensure that awareness material, like AXELOS’ upcoming Cyber Resilience guidance, is accessible to everyone. The material needs to resonate with the audience, provide sensible and consistent advice that can be used in their everyday lives and must be delivered in innovative ways.
As with any good marketing campaign, the messages must be delivered constantly, avoiding the compliance-led, once-a-year approach that is, sadly, typical across many organizations. That approach simply does not work. Regardless of what is implemented, there is always the risk that, despite best efforts, individuals may still choose to ignore the advice and persist with bad habits. Take smoking, for example: smokers are repeatedly told how much harm smoking does to their health, and yet many continue to ignore the warnings.
It can be difficult to settle on an awareness campaign that truly benefits your organization and really helps prevent people from indulging in high-risk cyber behaviour. So when assessing an awareness campaign, ask yourself:
- Do all staff, regardless of seniority, complete the training?
- Are the messages relevant to the audience, and does the delivery style resonate with them?
- How are you measuring the effectiveness of the awareness campaign?
For people who, like the judges, have lost their jobs through a lapse in judgement, the outcome could hardly have been worse. But for the organizations where they worked, their employees’ lack of cyber awareness could result in something far more damaging.