- Effective hackers target people, not technology. Consider the high risk, high impact cyber events that could befall your organisation, before identifying the associated high risk individuals who would be faced with ‘moments that matter’ pre-, during or post-event. The success of your security culture is reliant on these key influencers.
- Acknowledge that cybersecurity is NOT a technical problem that can be solved with a technical solution. Cybe-rspace is often mistakenly addressed from a purely technical perspective. However, new technology and associated working practices amplify people’s propensity to make mistakes and circumvent controls. In the very worst cases, technology can also ‘automate’ stupid decisions, creating a catastrophic domino effect. Anyone remember the cumulative Terminal 5 PR disaster?
- Communicate effectively in order to incentivise the behaviour you want. Like any other subject, the manner in which cybersecurity is communicated impacts how it is interpreted and acted upon. Here is where the IT and/or Information Security department would really benefit from asking their Marketing, Public Relations (PR) and Internal Communications colleagues for advice on messaging using the communication tools that are right for your corporate culture.
- Cyber risks are not personal. They must be analysed and communicated from a business perspective. Key decisions, or ‘moments that matter’, always appear to be less risky when an individual believes them to be under their control. Underestimating (or not even being told) the reputational, operational and financial consequences of bypassing security policies may make people more likely to think they are safe operating within a ‘personal risk appetite’.
- Consider behavioural risk when purchasing and developing technology. The design and development of your key platforms, applications, mobile devices etc. must be mindful of how people will actually behave when it comes to using them on a day-to-day basis! Technology should suit your people (more increasingly the millennial demographic) – not the other way round. For example, the majority of businesses are now investing in technology that makes it easy for employees to easily switch between personal and corporate applications, logins etc. This keeps work data separate and secure, whilst also allowing content to be wiped in the event that an employee leaves the business.
