APAC CIOOutlook

    Strengthen Cyber Defences Through Culture Change

    Steve Williamson, Audit Account Director, Security and Data Privacy, GSK (GSK: LON)


    In the cyber world, a continuous war is playing out between the Defender and the Attacker (White hat and Black hat). The job of the defender is to ensure safeguards are in place to prevent, detect or recover from cyber-attacks and data breaches. These safeguards cover Process, People and Technology. As defenders improve safeguards, the attackers evolve their game plan to target the weakest defences. For example, the defender may reduce their patching cadence to 72 hours (process) and implement machine-learning-based intrusion detection (technology), but if staff security awareness remains weak, then social engineering will become the predominant attack vector.

    The 2021 Verizon Data Breach Investigations Report highlights that 85 percent of data breaches involved a human element. By human element, they mean actions such as phishing attacks, using easily guessed passwords and human error. Similarly, the Cloud Security Alliance (CSA) recently released a report on the top cloud security threats, The Egregious 11. According to this report, the biggest threats now come from issues like misconfigurations and insufficient identity and access management, where the customer is solely responsible for security. For example, a staff member may make use of internet-facing cloud storage (for a legitimate business purpose) and set it up with open access or fail to enable two-factor authentication. If we assume that staff do not intentionally place sensitive company data at risk, then the root cause of such breaches would be poor security awareness and inadequate training.

    A strong human defence requires effective education and a security-conscious organisational culture. Fortunately, the security awareness industry has evolved greatly over the years. Phishing simulation exercises are commonplace and organisations are increasingly using gamification. Such educational interventions are effective because they are engaging.

    Point-in-time security awareness training is still necessary, but no longer enough. Modern online learning courses have a degree of interactivity built in, such as asking the user to match concepts to definitions. However, gamification adds much more. For example, an online Escape Room game, where team members work together to identify the red flags in a scam situation, then progress to different levels (escape rooms) whilst going against the clock, introduces fun, challenge and competitiveness.

    Similarly, a secure-coding challenge (with a leader board), where developers create an avatar, choose their programming language, identify source code vulnerabilities and select the best alternative code-block, introduces fun and competitiveness. It is the characteristics of fun, challenge and competitiveness that make gamification-based learning engaging, and the lessons learned from these games stick with the individuals and carry forward into their day-to-day jobs.

    The SANS Security Awareness Maturity Model (see below) is a powerful benchmarking tool, which can help organisations to quickly determine why their security awareness programme may not be having the impact they want. On a 5-point scale, Level 2 means an organisation is meeting its Legal and Compliance obligations through mandatory training. For Level 3, content is communicated in an engaging and positive manner that encourages behaviour change. Level 4 is characterised by a strong security-minded culture, which is built into almost all operational aspects of the organisation.


    The need to develop a strong security culture is increasingly recognised as a high priority for many organisations. Culture can be thought of as the attitudes, beliefs and behavioural norms of employees within an organisation. It is exhibited through Behaviours, Attitudes to compliance, Communications and Responsibilities. For example, if someone accidentally emails a sensitive file to unauthorised individuals external to the organisation, a positive security behaviour would be for the individual to promptly self-report the incident to ensure corrective action can be taken (which may include notification to impacted parties or regulatory bodies).

    A strong awareness of responsibilities with respect to data protection is another cultural dimension. Individuals should always know the classification level of the information they are handling and should be aware that they are responsible for its security, especially when it needs to be shared with others. A positive behavioural norm would be to grant access only on a need-to-know basis, minimise copies and delete files when they are no longer required.

    Conclusion

    In today’s hyper-connected world, organisations build their cyber defence using layers of safeguards covering People, Process and Technology. Data breaches and cyber-attacks often arise from human behaviour. Social engineering, especially phishing, is a highly effective tactic which gives the attacker a foothold in the network, and data loss incidents are most frequently caused by human error. Therefore, to build a strong cyber defence, organisations should have a Security Awareness Programme targeted at creating a security-conscious culture. Such a programme needs to be engaging, continuous and relevant to the job roles, and would likely include gamification, culture assessments and management metrics.
    Copyright © 2025 APAC CIOOutlook. All rights reserved. Registration on or use of this site constitutes acceptance of our Terms of Use and Privacy and Anti Spam Policy 
