Various scandals over the last few years, from the hacking of global shipping giant Maersk to the breach of Yahoo’s email system, have highlighted that cyber security affects everyone.
Whether we need to safeguard our personal information online, or the integrity of an entire organisation’s IT systems, everyone needs to be savvy enough to protect themselves from the ne’er-do-wells who would wish us harm.
So what’s new? According to Ina Wanca, professor of cyber security at New York University, the big shift in recent times has not been in developing ever-more complex firewalls, but in an appreciation of where the problem really needs to be tackled. Cybersecurity is not a technological problem, she says – it’s a human one, because eighty to ninety per cent of data breaches happen through human error.
The original approach to cyber security, the framework and technology with which we’re still living today, was developed by the military. It was built for an environment that can rely on strict command and control structures when it comes to the behaviour of the people using technology. So it created a mind-set that cybersecurity is all about technology. But it’s not.
Ina suggests that what’s been lacking all along has been an understanding of the human element of the problem. In organisations this means employees creating risks by unwittingly succumbing to the different types of tricks that hackers use. And even if people say they ‘get it’ and understand security, according to Ina, the continued success of cyber-attacks suggests otherwise.
And it’s not something you can tackle with a single solution; it requires a multi-pronged approach which includes your organisation’s culture, its management systems, and the development of individual employees’ skills through cybersecurity training:
Culture: Every employee needs to understand not just the risks, but their implications for the organisation and the people it serves. This narrative needs to hit home so that every employee ‘gets it’, and recognises their responsibility for being vigilant.
Management: The organisation’s culture needs to be backed up with appropriate disciplinary or control procedures from the bottom to the top of the organisation. And there need to be clear procedures for everyone to follow if they spot something that doesn’t look right. No one can afford to be in any doubt that your organisation means what it says when it comes to cybersecurity.
Skills: There’s little point having the culture and procedures in place if the employees don’t have the necessary savvy to protect themselves. They need cyber security training which will help them spot risks such as phishing emails. They need to be able to understand the techniques being employed by hackers to suck them in; and to understand concepts like cognitive bias and how their own biases are being targeted.
Clearly, none of these approaches has anything to do with firewalls. That’s not to say those IT system protection measures are not also vital – but they will never come close to doing the job on their own.