Developing a cyber security culture through continuous learning

Published

Cyber security can seem technical and obscure, but in many cases it is about dealing with the risks that arise from common human behaviours.

Using and re-using simple passwords, replying to emails without checking the identity of the sender and cutting corners close to project delivery deadlines may seem like common slip-ups but can often constitute cyber breaches.

It is important to realise that these types of scenarios play out across organisational boundaries and at all levels of seniority, including the C-suite. As a result, the chance of a cyber security breach occurring within an organisation is heightened when people believe that dealing with cyber security is “someone else’s problem”.

To avoid this, organisations need to cultivate a widespread and adaptive security culture that is driven by leaders and decision-makers who continuously learn and update their knowledge and skills.

A Government survey of large UK businesses – the FTSE 350 Cyber Governance Health Check 2018 – showed that company boards are increasingly recognising the importance of cyber security. Alarmingly though, this recognition is rarely followed up by the actions needed to develop and establish sound security practices.

One insight into this is that whilst 72 per cent of responding businesses recognised themselves as having high exposure to cybersecurity risk, only 54 per cent rated their board’s understanding of their data assets as comprehensive.

Furthermore, only 16 per cent of respondents reported that their boards had a firm grasp of the wider impacts and losses associated with a cyber security incident.

Taken together, these points suggest that executives often lack the necessary depth of knowledge and understanding needed to make a proper determination on whether or not to take action.

According to the Research Institute in Trustworthy Industrial Control Systems – a multi-university research programme led by the Institute for Security Science and Technology at Imperial College London – this shortfall in knowledge can be attributed to the inaccessible technical language that is often used when discussing cybersecurity.

This language barrier can play a significant role in impeding the timely escalation, examination and mitigation of risks within a company.

In a recent speech, Baroness Dido Harding – CEO of TalkTalk when it suffered a major cyber breach in 2015 – argued that in spite of recent high-profile cyber security incidents, boards and senior staff are potentially not asking the right questions about cybersecurity risk within their organisations.

The problem of risk communication is also reflected in the FTSE 350 survey, where only 33 per cent of businesses reported that they had a written board position on cyber security risk that had been widely disseminated across their organisation.

Faced with a lack of clear information, employees will often use their own judgements on cyber security best practice, which can lead to negative security consequences for the business.

In addition to clearly communicating risks to employees, investment is also needed when striving to achieve organisational resilience.

The FTSE 350 survey suggests that this is not happening at a healthy level across businesses, revealing that only 46 per cent of organisations with a cyber security strategy (and nearly all respondents claimed to have one) could point to a dedicated budget for it.

This, at least in part, may be due to the fact that cyber security is still seen by many as a purely technical issue rather than a broader organisational challenge, meaning that provision for dealing with it is assumed to be taken care of within IT budgets.

Of the businesses surveyed, 29 per cent said that their cyber security strategy was largely focussed on technology improvements and implementation. Whilst technology is clearly a vital component of any cyber security solution, it is crucial that businesses do not confine their efforts solely to specialist teams, as this only reinforces the problems of compartmentalisation and poor communication discussed above.

Furthermore, business leaders must keep abreast of what new technologies mean for cyber security. Leaders without a base level of technical competence in cyber security will struggle to ask good questions of technical specialists and contribute effectively when identifying and prioritising security risks, enacting appropriate measures to minimise exposure, dealing with crisis events and generally driving the continuous development of the security culture within their organisations.

Only around 20 per cent of the boards in the 2018 FTSE survey reported that they had undertaken crisis simulation exercises on cybersecurity in the last 12 months, and data from the previous year’s survey shows that only 28 per cent of businesses reported that their boards had received training on how to deal with a cybersecurity incident in the previous 12 months.

A separate Government survey of UK businesses, the Cyber Security Breaches Survey 2019, undertaken by the Department for Digital, Culture, Media and Sport, highlights similar issues beyond the board, with only 27 per cent of businesses reporting that staff had attended internal or external training on cyber security in the previous 12 months. Of the businesses that did provide cyber security training, only 29 per cent of the trained staff were not cyber security or IT specialists.

The overall picture that emerges is that companies and organisations striving to improve their cyber security capabilities need to develop a culture where leaders are kept knowledgeable, risk communication and collaboration across teams are effective and investments in mitigations span solutions that are broader than technology. Achieving this means that decision makers must be engaged in continuous learning so that they can understand, adapt and react to emerging cyber security threats effectively. Picking the right blend of solutions for an organisation will be an enduring challenge – there is plenty of snake oil out there.
