DCN December 2016 - Page 13

centre of attention Ruskin University – to share their thoughts on the subject. Here’s what they had to say: Cassini Review’s Paul Bevan pointed out that blaming security breaches such as phishing or slack password usage on inadequate or poorly trained employees is a well worn path. In order to prevent security breaches he believes that there is clear argument for providing better targeted and more relevant training to address these skills gaps as opposed to putting everyone through the same training – the ‘sheep dip’ approach. However, he thinks there is even more mileage in understanding and developing the right culture and attitudes towards security amongst employees. Paul also stressed that as the world becomes more digitally interconnected, the opportunities for hackers and the risk of data breaches will continue to rise because the number of organisations that deal with (the same) data is continually growing. A different perspective on the problem is needed he feels. Boards need a much better understanding of the risks that can occur as a result of data breaches and they need to develop more robust risk assessment and management. He also believes that security experts/technicians need to find better ways of articulating those risks for boards. Dr Theresa Simpkin agreed. She says there is a tenuous link between skills development and more of a connection between culture, risk mitigation and instilling unconscious behaviours that subscribe to a more secure way of working. Theresa said that as technology advances, the risks associated with cyber extortion and data security breaches become more prevalent. Increasingly, there is more liability on a company’s management and board if their employees make a mistake (or intentionally breach security protocols). Theresa believes that about 70 per cent of training is wasted due to it being poorly targeted, delivered at the wrong time or not seen to be relevant. So whilst training has a small part to play in how to use technology, it won’t diminish the risk over time. She said that the best way of securing the organisation against such mistakes is by embedding subconscious behaviours; the behaviour and attitudes that happen automatically because they are ingrained. This behaviour needs to come from the leaders and is not as easily delivered by a one-size-fits-all approach to training. Training needs to be targeted to the needs of each individual to have the maximum impact. CNET Training’s Sarah Parks believes there is also a need for each employee to understand their own important responsibilities and the accepted behaviour needed to protect the organisation. This message needs to be clear from the time they join an organisation. It needs to be driven by the board to ensure it gets through to each and every employee. Sarah also said that there is a need to develop the right culture and attitudes towards the training. They find that time and time again clients interpret the need for training, or the actual action of undergoing training, as a huge negative. Rather than seeing it as the organisation investing in its staff and its future, they often perceive it as a total weakness. At Cognisco we advocate that the first step towards driving cultural change is for companies to first benchmark the status quo. They need real insight and accurate data about their people – what they understand about their jobs and where the gaps lie and critically, how they think, act and behave at work – their attitudes. With this insight, organisations can identify their cultural issues and start to tackle them. This may pinpoint individuals who behave in risky ways, who ignore set processes or side step them. They can find out if individuals misunderstand aspects of their job and if they have the correct attitude and behaviour. With this kind of accurate evidence, boards can make better strategic decisions about how to deliver change, how to promote a different culture and how to embed that culture, whether or not there is the right education and training for staff in place in terms of security and whether they need to provide better support to help their staff develop their knowledge, understanding and confidence. Listening to our experts, it is clear there isn’t a simple answer – the issue is complex. But, it is clear that organisations can no longer just blame security breaches on errant staff. If they really want change, they need to look at how their employees behave at work and the impact their actions have on their colleagues and then delve deeper to check whether or not their workplace culture needs an overhaul. 13