The government’s digital strategy has correctly identified the need for more training to mitigate the rise in cyber threats. However, this approach will only go so far. According to Ross Tuffee, CEO of DOGFI.SH Mobile, in order to drive real change it is critical that organisations understand why employees persist with bad security habits, leaving firms exposed to hackers and breaches, and how this might be addressed.
Last week the government launched its digital strategy, designed to keep the UK at the forefront of the digital revolution ahead of its impending exit from the EU. The plan highlighted key strands including skills, connectivity and cyber security, which are integral to embracing digital transformation and to making the UK the safest place in the world to live and work online.
While many have welcomed the strategy, industry practitioners have raised concerns about the lack of concrete detail in certain strands, particularly cyber security.
While efforts are being made to address external threats, one persistent thorn in the side of organisations is the internal threat. Tuffee discusses this in more detail:
“There is a large amount of research available to demonstrate that the biggest risk for an organisation doesn’t necessarily come from external threats, but originates instead from your own employees. In practice this might include staff using the same password across multiple devices, sharing log-ins, working while remaining connected to public Wi-Fi and accessing social media via work computers.
“These well-known traps that employees fall into regularly leave firms exposed to threats. As part of its digital strategy the government has looked to reduce this by placing a bigger emphasis on improving skills and training when it comes to cyber security. While this is undoubtedly a positive step, education will only take you so far. For a lot of people, security failings stem from bad habits, and ultimately it is important to understand the triggers which drive these in order to bring about change.
“Habit-forming technology has been widely used in the B2C space to increase user engagement. Look at the successes of apps such as Facebook, Twitter and Snapchat – these are apps which are used out of impulse. Its principles are built on identifying the ‘Triggers’, ‘Action’, ‘Rewards’ and ‘Investment’ which keep users and consumers engaging with products, apps and services.
“Increasingly, we are seeing a need in the corporate world to instil these principles and apply them in a business-to-business context. An example of this would be better security practices amongst employees – as we’ve seen, one of the traps staff fall into is poor password management.
“Understanding habit-forming principles and the psychology behind them is why people leave passwords unchanged or use the same credentials across multiple platforms. From this you are then able to identify the nudges and reward systems needed to drive behavioural change. In practice this might involve creating a community network amongst staff which is focused on providing access to, sharing and implementing best-practice information to enhance resilience, and help build a stronger and safer working environment.
“In reality the growing threat landscape means that organisations can no longer afford to assume that their staff fully understand each manifestation of the risks. Putting them on training courses will only go so far in addressing this, so it is imperative that organisations leave no stone unturned in their efforts to reduce threats. By leveraging the habit-forming principles of how we use technology, organisations can understand the triggers which drive actions and then devise the necessary solutions needed to bring about change.”