Reinforcing the human firewall – changing behaviours

Random cyber-attacks will always be difficult to combat. After all, they’re random – carpet-bombing the digital world and waiting to see who makes a mistake.

In our first blog on Cyber Security following our Roundtable co-sponsored by Bluefin Insurance, Milsted Langdon and Royds Withy King, we looked at ways for SMEs to protect themselves against this. However, what about targeted attacks?

Increasingly, cyber criminals are hitting individual businesses with highly sophisticated attacks, such as spear-phishing. The attacker first gathers information about individuals or groups – then uses it to personalise the attack. For example, using your first name or manager’s name to lure you into a false sense of security or panic. So you’re much more likely to click on a malicious email link or other content.

As Search Security says, “The success of spear phishing depends upon three things: The apparent source must appear to be a known and trusted individual; there is information within the message that supports its validity; and the request the individual makes seems to have a logical basis.”

When good data goes bad

Spear-phishing is just the start. Targeted attacks come in many shapes and sizes – from espionage and blackmail, to fraud and theft of millions of pounds. The one common denominator is that criminals are using big data and, especially, social media to harvest their information.

As Mike Punter, Chairman of Innovecom, said at our Roundtable, “These are highly professional criminal organisations who invest masses of time in aggregating data, to the point where they can make a very convincing call or approach.”

The social dilemma: to share or not to share

Barclays are spending millions on educating customers on the dangers of social media. Just this month, we heard John Terry suffered a huge robbery because thieves trolling his Facebook account saw he was on holiday. But businesses are much bigger targets, so are we taking these risks seriously?

What is your company’s social media giving away? What are your employee’s private social media accounts giving away? What’s hiding if someone zooms into a picture of an office party or corporate day?

Here’s where the conflict lies: on the one hand, we’re all being encouraged to make the most of our presence on Facebook, LinkedIn, Twitter, Instagram, etc., but what information is actually safe to share?

John Terrington, Director of Capability at Altran says, “We’ve become blasé about the value of information.”

Mike Punter agrees, “People share information today with a worldwide internet society that in past decades they’d only share with a highly trusted half a dozen.”

The perils of flexible working

It’s not just our social habits that are helping the criminals. Modern working is a double-edged digital sword – more and more of us are working from home, on the train, in cafés and so on. James Sage, Employment Partner with sponsor Royds Withy King explains, “People work from home and use their own devices for work… are these systems properly secure? If people are taking confidential stuff home, how well is it protected?”

The answer is not technical – it’s behavioural

As with random attacks, no amount of technology or IT security can protect you from the habits or absent-mindedness of every single employee. Cultural changes within the business are the best way to mitigate these risks.

At the Roundtable, 100% of invitees supported this view. Cyber security expert Oz Alashe, Operations Director at Cybsafe, believes this is reflected in a fundamental shift in business attitudes: “I think we’re migrating away from people just wanting to be compliant; they want to change behaviour.”

So how do you bring about this cultural change?

The digital revolution has transformed global business. Now there needs to be a ‘cultural revolution’ to face up to the related dangers.

The Centre for the Protection of National Infrastructure (CPNI) says this in their blog Embedding Security Behaviour Change: “Security behaviour change requires a clear vision as well as a coordinated strategy….there is no one right way to deliver change. A bespoke approach, suited to the particular needs and requirements of your organisation will ultimately work best.”

Five basics for cultural transformation:

1. Develop robust policies

In the CPNI’s extensive guidelines for behaviour change, they point out: “Some of the security vulnerabilities can be obvious, such as posting or sharing confidential organisational information that puts staff, processes or assets at risk. Others may be less so, such as search engines storing search history or smart phones logging data which can be exploited by those with malicious intent.”

They stress the importance of strict digital policies for staff and suppliers – with constant education and action plans for breaches.

2. Err on the side of caution

Jessica Bent, head of the Technology and Media at sponsor Royds Withy King says: “As lawyers, we’re really careful about the information we disclose. It probably means I’m not the best on Twitter, but better to be safe than sorry, as so many cases have shown us.”

3. Educate and train

In Cyber Security Awareness Campaigns: Why do they fail to change behaviour?, Dr Maria Bada and Professor Angela Sasse write, “Changing behaviour requires more than giving information about risks and correct behaviours – firstly, people must be able to understand and apply the advice, and secondly, they must be willing to do so. …Since the vast majority of behaviours are habitual, the change from existing habits to better information security habits requires support.”

Training cannot be a one-size-fits-all solution; only relevance can have the potency to change habits. So whoever is helping you needs to develop bespoke programmes that work for you.

4. Keep control

It’s amazing how many businesses hand over their social media feed to the newest trainee, or someone young who ‘gets it’. But do they get the risks? Tom Annear, Head of Business Development at Epoch Wealth Management, says, “I control the Twitter accounts, the LinkedIn accounts, the website…and I make sure that anyone else who may interact with those platforms understands how things need to be done.”

5. Enforce

It’s too easy to take things lightly – most people don’t view sharing ‘harmless’ information as seriously as, for example, trade secrets. But you need to be vigilant and responsive when you know employees are being careless – whether it’s test emails, or random monitoring of social media accounts. And there needs to be consequences.

One guest at our Roundtable said, “We’ve lost staff in the past because of things they’ve said on Twitter or Facebook.”

Ultimately, you never want it to reach this point. A considered approach to training can greatly reduce the worry of cyber-attacks and data sharing.

If you have any cyber security related queries, or would like to discuss changing your company’s digital culture, don’t hesitate to call on 0117 332 1002, or contact us at HGKC today. We might not be specialists in cyber security, but we have many contacts who can help, if we cannot.


Author Peter Quintana