“Make them feel empowered and they feel engaged.”
Slick technology aside, old fashioned employee cyber training was a hot topic on the first day of Infosec London, with CEO and founder of “human risk protection” platform OutThink and former head of IT security at Bank of Ireland, Flavius Plesu, noting inculcating secure behaviour is still one of a security team’s biggest challenges.
This isn’t just in terms of making employees aware of what a malicious link in an email is, or of the damage a phishing campaign can do, although he did note that they must be made aware of the security mechanisms in place. No, a bigger issue is making sure that there are actually willing to comply; and it starts with the right security culture…
(This includes not plugging in gift USBs handed to you by mysterious personages: Ed Tucker, the CEO at Byte TM Ltd said he was gifted one by a “Chinese visitor” to his company’s stand: needless to say, this particular gift looks likely to be opened in a virtual machine and scrutinised curiously for any unexpected behaviour…)
Just had a Chinese visitor to our stand who left us with this……😳😳😳
— Ed Tucker (@Teddybreath) June 4, 2019
Flavius commented: “They must have the intention to comply and you need to measure that. If they are disengaged, if they’re under a lot of pressure at work, if you’re laying people off, do you think they’ll get your awareness training or your acceptable use policy? They won’t… If they don’t have the intention to comply they might even do the opposite. They might take some information with them to their next job.”
A risk companies run, says Flavius, is that they can over-complicate the process: “If I’m in this part of a bank and it’s my job to send 100 emails a day with attachments, and you’re giving me WinZip, the encryption tool and you’ve just told me I should encrypt attachments. I have the intention to comply. I believe I can do it.
“But, when I actually sit down and start doing it I realize this is adding three extra minutes per email, 300 minutes a day, that’s five hours. Am I gonna do it.”
“I’m simply going to ignore security awareness and all that messaging and all the effort people have put into it.”
Make Employees Take Good Practice Home?
Getting that messaging to stick in the first place is always a challenge for organisations. How do you ensure that workers are going out of their way to have good cybersecurity practices?
This is something that banking and financial services giant HSBC thought about and one of its solutions was to make employees bring cybersecurity practices home with them.
Paula Kershaw CISO for HSBC’s European and UK told the Infosec audience: “This is probably the most important for me. Colleagues develop the knowledge and skills on how to protect themselves, their families and the people that they care about.”
“If we can engage our staff and teach them how to protect themselves by very nature they will then bring that back into the workplace and by very nature we then get that emotional engagement from them and they’re willing to learn.”
To do this HSBC initiated a Cyber Champion Programme last year, which is essentially a cyber hub full of resources such as videos, posters and tip sheets.
Everything is positioned towards building what they call a ‘human firewall’. A key factor in HSBC’s security team’s approach was to make their colleagues feel supported: “Make them feel empowered and they feel engaged,” Kershaw notes.
She believes that anyone can build this kind of organisational culture; that size is not an issue, be the organisation large or small.
For instance HSBC has over 35,000 employees worldwide and they work in eight official languages. They found that once they engaged people, individuals in their own time translated the message across all of the languages and helped to deliver it to the whole company. While they themselves built their internal programme, the free resources to do so are out there and at the end of the day its more about a cultural change than a knowledge change.
Kershaw states: “So set a target, be realistic. And be very clear about what you actually want to achieve, and why?”
And perhaps remind employees not to plug in any strange USB sticks…