In an analysis of government data and work with its own clients, the firm says that it has identified a clear gap between employee knowledge and their actions. Concluding that security training alone will not change employee behaviours, QinetiQ is advocating a more holistic approach to security, designed with the integration of people, process and technology in mind.
Despite widespread awareness of hacking, and of the fact that the actions of employees aid the attacker, the company found that most organisations lack a clear understanding of the complex interaction between human behaviour, technology and organisational process. This often leaves cyber-security processes below par and creates an ideal route for attackers to cause serious damage and disruption, the paper claims.
QinetiQ’s paper presents a number of ways to address employee-aided routes for attackers, which can include phishing tactics, social engineering, device drops and social profiles.
The potential consequences of an attack can be devastating, spanning both financial and reputational damage, as seen in the now infamous TalkTalk breach of 2015. While many now acknowledge this threat to their business, QinetiQ suggests that businesses must recognise that there is no silver bullet for preventing an attack. Improving security culture throughout the business requires a long-term, diverse approach, it suggests.
Simon Bowyer, Senior Consultant, Human Performance, QinetiQ and co-author of the paper, said: “To educate and influence the behaviour of employees is to restrict the easiest attack route into a business. When employees have a natural inclination towards security by virtue of an integrated company ethos, they are motivated to remain alert to risks and unusual behaviours. If firms are to stand a chance against cyber threats, they must design their security strategy taking into account human behaviour and the propensity of employees to act in a security-conscious fashion. Firms must work towards a vision where employees recognise the importance of cyber security best practice and how even actions that we all take for granted, like checking a Facebook page at lunchtime, could provide cyber criminals with an avenue into a business.
“Cyber security is no longer the sole responsibility of the IT department. It is the responsibility of everyone. It needs to be closely integrated with the aims of the business and the entire employment lifecycle.”
QinetiQ advises that technology alone cannot deliver sufficient security; rather, businesses must address the issue at the heart of the company and create a natural environment for secure employee behaviour.
Ensuring that company best practice is written in plain English is of utmost importance. Policy should provide context and relevance to employees’ day-to-day lives, and be drafted and considered in line with the wider goals of the business. Analysis has shown that employees will often sign or agree to policy documents without reading the contents because of too much jargon, leading to situations where employees are unaware of protocol at the moment it is most needed.
Human behaviour analysis should form the bedrock of any security strategy and should actively steer policy direction. A clear assessment process can give a 360-degree view, often yielding invaluable knowledge of where security is optimal or needs improvement. With this knowledge, businesses can save significant investment and maintain a clear view of the performance of security policies, such as monitoring recent training and how this has impacted employees across different sectors of the business.
Training must be designed to be regular, relevant, short, engaging and empowering to bolster its effectiveness and prevent employees from unwittingly (or deliberately) causing a security breach. A common pitfall of training practice is that it is long and laborious, yet infrequent.