A lack of understanding of how to mitigate employee negligence is leaving firms wide open to cyber-attacks, a whitepaper published by defence and security consultancy QinetiQ has warned. In an analysis of government data and work with its own clients, QinetiQ has identified a clear gap between employee knowledge and their actions, concluding that security training alone will not change employee behaviours, with QinetiQ advocating a more holistic approach to security, designed with the integration of people, process and technology in mind.
Recent government data has shown that 81% of large organisations that were victims of hacking in 2015 stated that the actions of their employees aided the attacker, with 90% of large organisations suffering some sort of overall breach. Despite widespread awareness of this threat, the security consultancy found that most organisations lack a clear understanding of the complex interaction between human behaviour, technology and organisational process. This often leaves cyber security processes below par, and creates an ideal route for attackers to cause serious damage and disruption to major companies and organisations.
QinetiQ’s paper presents a number of ways to address employee-aided routes for attackers, which can include phishing tactics, social engineering, device drops and social profiles.
The potential consequences of an attack can be devastating and span both financial and reputational damage as seen in the now infamous TalkTalk breach of 2015. Whilst many now acknowledge this threat to their business, QinetiQ suggests that businesses must recognise that there is no silver bullet to preventing an attack. Improving security culture throughout the business requires a long-term, diverse approach.
QinetiQ advises that technology alone cannot deliver sufficient security, rather businesses must address the issue at the heart of the company and create a natural environment for secure employee behaviour.
Advice includes:
- Ensuring company best practice is written in plain English is of utmost importance. Policy should provide context and relevance to employee’s day to day lives, and be drafted and considered in line with the wider goals of the business. Analysis has shown that employees will often sign/agree to policy documents without reading the contents because of too much jargon, leading to situations where employees are unaware of protocol when they are most needed.
- Human behaviour analysis should form the bedrock of any security strategy and should actively steer policy direction. A clear assessment process can give a 360-degree view, often yielding invaluable knowledge of where security is optimal or needs improvement. With this knowledge, businesses can save significant investment and maintain a clear view of the performance of security policies, such as monitoring recent training and how this has impacted employees across different sectors of the business.
- Training must be designed to be regular, relevant, short, engaging and empowering to bolster its effectiveness and prevent employees from unwittingly (or deliberately) causing a security breach. The common pitfalls of training practices are often that it is long and laborious, but infrequent.
Simon Bowyer, Senior Consultant, Human Performance, QinetiQ and co-author of the paper said: “To educate and influence the behaviour of employees is to restrict the easiest attack route into a business. When employees have a natural inclination towards security by virtue of an integrated company ethos, they are motivated to remain alert to risks and unusual behaviours.
If firms are to stand a chance against cyber threats firms must design their security strategy taking into account human behaviour and propensity of employees to act in a security conscious fashion. Firms must work towards a vision, where employees recognise the importance of cyber security best practice and how even actions that we all take for granted, like checking a Facebook page at lunchtime, could provide cyber criminals with an avenue into a business.
“Cyber security is no longer the sole responsibility of the IT department. It is the responsibility of everyone. It needs to be closely integrated with the aims of the business and the entire employment lifecycle.”
