While security threats are constantly evolving and becoming more sophisticated, our industry’s approach to cyber safety has, in the main, not developed at the same rate.
Frequently, businesses have a ‘set it and forget it’ approach, tackling cyber security when an employee first joins an organization and then holding a refresher course once a year.
By not giving cyber safety and resilience the prominence they deserve, many organizations are validating a belief among employees that security is a commodity: security technology should ‘just work’; you flip a switch and you are safe.
Equally, by putting more focus on what employees cannot do, instead of what they can do to help with security, businesses are effectively encouraging people to take a more passive role in addressing the cyber security challenge. Even if an organization has the latest and greatest technology to prevent an attack, insider threats (whether inadvertent or deliberate) can cause irreparable damage.
What to do
So what should businesses be doing, rather than not doing? An effective, robust approach to cyber security requires a cultural change that begins at the top and works its way down; security awareness needs to become a daily habit of every employee, not just of a security team or department.
To move to this positive, collaborative approach, business leaders must begin by ensuring security is not an afterthought but an integrated part of the business. Then, based on the individual security needs and maturity of their business, senior leaders should consider things such as training and appropriate access management, e.g. what do individuals need to know and have access to?
A clear message
Communication around cyber and physical security is also critical to success. Messaging should be open and transparent and, importantly, explain why the business is asking its employees to do (or not do) something. Procedures and policies need to be explained and must make sense, so that employees understand how and why their behaviour can make a difference.
Organizations should be encouraging an ethos of ‘see something, say something’ in their communications. To tackle security properly and instil positive behaviours, employees should raise any issues they see rather than assume someone else will. Often, security is given thought or airtime only when things go wrong. Businesses, however, should inspire proactivity and give employees a mandate to expose issues before they become problems.
As well as what is said in employee outreach, frequency is key. Often, businesses go from one extreme to the other, with communications either annual and therefore forgettable, or so frequent that employees tune out.
An ongoing challenge
Once a robust approach to cyber security is established, that isn’t the end of the matter for the organization. Just like IT service management, cyber safety requires continuous improvement. Businesses must constantly look at how they can develop and advance their resilience to the evolving risks and threats, and remember that what works now most definitely will not in five to 10 years.
Ultimately, nothing is ever perfect, and that’s true of technology, processes and employee education. In fact, it’s particularly the case when it comes to training new staff as they come into the business.
As well as considering emerging threats, companies should also be thinking about the challenges that are no longer a heightened issue. For example, if you’re no longer seeing an incident happening, does it really need to be at the front of the training manual? Businesses should always be looking at what’s new and what people are doing now.
By thinking of cyber security as an ever-evolving entity and applying the same processes and behaviours that have become more commonplace in IT Service Management, businesses can ensure their resilience in the face of a crisis. What’s key is momentum and ensuring cyber security isn’t a tick box exercise.
See our RESILIA™ section for more information about cyber resilience.