“What is important to you?” This is the first question to ask before planning any cybersecurity strategy, according to John Scott, Head of Information Security Education at the Bank of England, talking at the recent Cybersecurity UK Roadshow event in Birmingham (notes here). Because if you don’t know what a client or company values, if you don't understand their business priorities, you can only talk in absolutes.
As Scott gently points out, 80% of people working in the Security Awareness field come from a background in IT or security, and there is a tendency to talk in absolutes. While things are moving towards more nuanced conversations around risk, finding people who can both listen and communicate well on this topic can be difficult. The result in many large organisations is an environment of enforced compliance; getting workers to care and engage beyond that is a tough sell.
'From compliance to culture, awareness to action' was the title of Scott’s talk. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe. Scott then rated security culture on a scale of -1 (negative behaviours) to 0 (compliance behaviours) to +1 (security maturity and positive behaviours), and outlined the Bank's encouragement of the following ‘cyber seven’ practices to move from compliance towards maturity (more of which below):
1. Passwords
0 = don't share passwords
+1 = use a password manager
2. Email
0 = don't click on suspect email links or open attachments
+1 = report suspicious emails (whether clicked or not)
3. Document classification
0 = classify documents when saved into document management system
+1 = mark docs clearly, dispose of confidential documents safely
4. Clear workspace
0 = don't leave confidential material on your desk
+1 = also check printer, whiteboards, keysafe when you leave
5. Remote working
0 = make sure you are not overlooked when working on trains
+1 = keep your remote token separately from your laptop when travelling; report loss of devices immediately
6. Social media
0 = don’t post photos of the Bank on social media or get involved in discussions related to the Bank’s mission on social media without permission
+1 = audit your social media profile – make sure you’re aware of what you and other people are saying about you.
7. Report it
0 = if you see anything that worries you, tell us – 'See it, Say it!'
+1 = if you've done something yourself or caused a problem, report it
This final point raised a lot of questions in the audience: wouldn't a major breach be a sackable offence, for example? Why would employees admit their error? Scott suggested awareness and education, perhaps telling stories about how coming forward has worked out for people, and working to build trust with your employees.
It's always better to know that a breach or a vulnerability has occurred so you can address it, but you need people to feel secure in coming forward. As the Regional Organised Crime Unit noted in their talks at the roadshow, one of the biggest issues in cybersecurity is the lack of reporting.
Thanks to John Scott and Metsi Technologies for use of the slides.