What works best in cyber?

by Mark Rowe

Carrot or stick? It’s a question for the physical security world as much as cyber – if someone does something wrong that makes the workplace less secure, whether clicking on a phishing email sent by a scammer or hacker, leaving a fire door wedged open for the office smokers to go in and out, or holding a door open so that an unauthorised person can walk in unchallenged – should the response be to punish the offender, or educate them to learn from the error?

Is an error to be treated any differently, any less severely, if the offender was only trying to make life easy for themselves and others, or even trying to do a good turn, rather than acting out of malice? And in any case should the security professional’s focus be rather on rewarding good behaviour?

The ‘insider threats’ are mostly unintentional, due to human error and behaviour, point out researchers under the umbrella of the UK’s Centre for Research and Evidence on Security Threats (CREST). If you choose to punish – whether by taking away the IT assets used to click on something the user shouldn’t have, or making them take some training, or ‘naming and shaming’, or even firing them – what is the impact on staff productivity and well-being?

Hence a virtual workshop on Tuesday morning, July 14, discussing the findings from a Simulated Phishing and Employee Cyber security behaviour (SPEC) project funded by CREST. Speaking will be Dr Matthew Francis, Executive Director of CREST; from the cyber risk control advice firm CybSafe, Dr John Blythe, Head of Behavioural Science, and CEO and founder Oz Alashe; and the end users Elizabeth Murray (HSBC), John Scott (Bank of England) and Reena Shah (Refinitiv). To sign up to the webinar, visit https://www.cybsafe.com/punishment-in-cyber-security/.

Carrot or stick is among the features in the July 2020 print edition of Professional Security magazine (from page 48), as one of the topics debated by chief information security officers (CISOs) at webinars early this month in lieu of the physical annual exhibition Infosecurity Europe.

The Covid-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC, according to Stav Pischits, CEO of Cynance. He says: “All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur. For many companies it’s not a question of if, but when. It’s therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future. Key to this is fostering a people-processes-technologies focused approach. It is essential to invest in employees’ security training, cyber awareness and review and refresh internal procedures that deal with email security and teleworking.”

The UK official CPNI (Centre for the Protection of National Infrastructure) meanwhile has brought out a ‘Covid-19 Workplace Actions behaviour change campaign’, based on what it put together for its own workplace use. Offered are downloadable, editable print and digital posters to publicise clean-hands, clean-desk and social distancing. Visit www.cpni.gov.uk.
