We should “stop talking nonsense” about people being the weakest link in our cyber security, according to the head of the UK’s National Cyber Security Centre.
Ciaran Martin, the organization’s CEO – speaking at the CBI’s Cyber Security Conference 2017 in London on 13 September 2017 – told delegates that an effective business response to cyber threats is critically underpinned by people and their behaviours.
“This is the most important point: only 20% of people had training in cyber security in the past year and only 15% of them showed the right behaviours following training.
“We need to fit the task to the human and make sure that what we put in place for staff has to be usable. What are the blockages to people behaving more safely? Are they getting ‘guidance fatigue’ and doing something wrong but not knowing what to do right?
“Getting cyber security right is about connecting the human factors to the boardroom so everyone knows how to use a network safely. And leaders at all levels should check if they can follow the security procedures they ask their staff to follow.”
His keynote address, opening the CBI’s third annual cyber security conference, highlighted the global strategic challenge of cyber security in which everyone has a role to play, including government, business and individuals.
Citing that almost half of UK businesses had recognized a cyber breach in the past year, Martin suggested the approach for the UK was to see cyber security as a threat to our way of life and critical services as well as a threat to prosperity through damage to consumer confidence. Yet we need to see better resilience to growing attacks as an integral part of, and in balance with, our organizational growth and transformation.
New regulations – including a UK data protection bill and EU regulation, the GDPR – would, he said, create a more robust approach for businesses needing to report cyber breaches and facing financial penalties for data loss.
“Boardrooms need to have the conversation about the understanding and experience of all their staff, what information on their network do they most care about, who has access to it, who administers it and whether the same information is backed up. They need to understand the answers to these questions and keep asking questions – there are no stupid questions in cyber security.”
Returning to the importance of our people and their behaviours, he concluded: “Human factors techniques can maximize human performance while ensuring safety and security. And I think this is the most important shift in thinking over the past year or so – the wider recognition of the user.”