‘It takes 20 years to build a reputation and five minutes to ruin it’ (Warren Buffett)
Board meetings will never be the same again! Following a number of high profile cyber-attacks and embarrassing boardroom apologies in the UK over the last six months, business leaders are now realising the real damage that a cyber attack can have on their organisation. Hard won reputations, both corporate and personal, competitive advantage and market value are all at risk.
Directors and non-exec directors in organisations of any size and in any sector increasingly regard cyber-attack as one of the greatest risks they face. But typically there remains a gap between their awareness and understanding of the risk and managing an informed cyber resilience strategy that helps to enable rather than hinder the business strategy. The board have to be asking the questions required to properly understand how their cyber risks are affecting their mission, customer trust, intellectual property, commercially sensitive information and their operational capabilities. The risks of doing nothing are too great. Critically they need to understand the role all their people must play in protecting the information that will drive their future growth and success.
The impacts of a successful cyber-attack can be devastating. It’s been said that a week is a long time in politics – today, 24 hours can be a very long time for a board in managing a cyber crisis in the critical glare of international press and media. The questions will keep coming: Who has been affected by the attack? What information has been lost? How did the attack happen? Where was the information and how were you protecting it? When did you know about the attack? What steps are you taking to mitigate the risk and minimise the harm felt by your customers? Simple questions but difficult to answer effectively in front of the cameras. Is this a situation you want to face and are you ready?
The harsh reality in today’s digital age is that no organisation can ever be bullet-proof, no organisation can ever say that they’re safe from attack and no organisations or individual is immune from being targeted. As Ian Livingston, former Chief Executive of the BT Group said at Davos in January 2013: ‘There are two types of CEO, those that know their systems are being hacked – and those that don’t. For pretty much any company I’ve come across, it should be one of the top three risks.’ Cyber-attacks are now business as usual and cyber resilience should be a standard agenda item at board meetings.
Global investment on cybersecurity technologies continues to rise. PWC’s ‘Global State of Information Security Survey 2016’ reports that they ‘…discovered more than 430 million unique new pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.’
But there’s something missing between our continued investment in and expectation that technology can solve our problem and the growing number of attacks.
Verizon’s 2015 Annual data breach report highlighted one stark fact. The great majority – estimated to be 90% – of successful cyber-attacks succeed because of human error. Anyone in any organisation, irrespective of their role or seniority, can enable an attack to succeed – typically through their unwitting actions. Cyber attackers often find it easier to communicate and engage with our people than we do. We need to work harder in providing our people with simple, practical, relevant guidance delivered in engaging and innovative ways to help them make the right decisions, every time they’re exposed to different cyber risks. How confident are you that your people are displaying the appropriate behaviours and understand the practical things they need to do to effectively protect the information and systems that are most precious and valuable to you?
The challenge appears clear. All our people must be playing a more significant and specific role in our organisational resilience. How many times do we read or hear that our staff are our weakest link? Yet they are only as weak as the strength of the awareness learning we provide them – does it engage?, is it relevant to the learner?, does it provide simple, practical guidance? and is it focused on giving them the confidence to change their existing behaviours and to discuss incidents with their colleagues?.
The sad truth is that most organisations typically educate their people in their annual information security awareness e-learning. It’s widely acknowledged that this yearly, compliance ‘tick-box’ approach to learning fails to engage and has little or no impact on your people’s cyber behaviours.
Can e-learning really change behaviours?
Yes. But not in its current form – a one-off course, required once, designed once, delivered once, completed once and forgotten at once. In this vital area of staff training and development, one size doesn’t fit all. The current ‘all staff, once a year’ approach simply does not influence or change behaviours. At best it reminds us of some essentials, at worst it’s treated as unnecessary, a distraction and as something we have to do. Annual eLearning will not instil and sustain the cyber resilient behaviours that employees need today. We’re trying to ‘program’ our people in the same way we program computers to do certain things, in certain ways at certain times. It doesn’t work.
Instead, there needs to be a range of learning techniques that truly engage all our people. During January 2016 Axelos Resilia carried out research in the UK with IPSOS Mori amongst those responsible for information security awareness learning in their organisations. We wanted to find out how well-prepared the UK’s workforce is for a cyber attack in the companies they work for. The results were telling.
While it was positive to note that 99% of business executives responsible for cyber awareness learning said that information security awareness learning is ‘important to minimise the risk of security breaches’, less than a third of them (28%) judged their organization’s cyber security awareness learning as ‘very effective’ at changing staff behaviour. A similar minority (32%) were ‘very confident’ that the learning is relevant to staff, whilst 62% were only ‘fairly confident’ that their learning is relevant.
Imagine how your customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board that the level of confidence in the organization’s information security awareness is only ‘fair’ would be given short shrift. If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be. Now!
The picture of preparedness painted by our research suggests that the current, compliance based approach relied upon by the majority of organisations’ current approaches is failing.
A new approach is required – one where information security or cyber awareness learning is conceived of a continuous, ongoing and sustainable campaign over time. Just as our technical security controls will evolve and adapt to suit changing cyber threats and vulnerabilities so we need to ensure all our people maintain their awareness and are provided with the appropriate, practical guidance on a continual basis that fits the needs and requirements of the particular organisation.
Without all of this it is just a matter of time before you’ll be expected to respond to a successful attack or significant data breach. Where would you rather be?
Nick Wilding is General Manager of Cyber Resilience at Axelos Global Best Practice – a joint venture company co-owned by the UK Government and Capita plc – which owns and develops a number of best practice methodologies, including ITIL and PRINCE2.
