centre of attention
Ruskin University – to share their
thoughts on the subject.
Here’s what they had to say:
Cassini Review’s Paul Bevan
pointed out that blaming security
breaches such as phishing or slack
password usage on inadequate or
poorly trained employees is a
well-worn path.
In order to prevent security
breaches, he believes that there is a clear
argument for providing better targeted
and more relevant training to address
these skills gaps as opposed to putting
everyone through the same training –
the ‘sheep dip’ approach. However, he
thinks there is even more mileage in
understanding and developing the right
culture and attitudes towards security
amongst employees.
Paul also stressed that as
the world becomes more digitally
interconnected, the opportunities for
hackers and the risk of data breaches
will continue to rise because the
number of organisations that deal with
(the same) data is continually growing.
A different perspective on the
problem is needed, he feels. Boards
need a much better understanding of
the risks that can occur as a result
of data breaches and they need to
develop more robust risk assessment
and management. He also believes
that security experts/technicians need
to find better ways of articulating
those risks for boards.
Dr Theresa Simpkin agreed. She
says there is a tenuous link between
skills development and more of a
connection between culture, risk
mitigation and instilling unconscious
behaviours that subscribe to a more
secure way of working.
Theresa said that as technology
advances, the risks associated with
cyber extortion and data security
breaches become more prevalent.
Increasingly, there is more liability on
a company’s management and board
if their employees make a mistake (or
intentionally breach security protocols).
Theresa believes that about 70
per cent of training is wasted due to it
being poorly targeted, delivered at the
wrong time or not seen to be relevant.
So whilst training has a small part to
play in how to use technology, it won’t
diminish the risk over time.
She said that the best way of
securing the organisation against
such mistakes is by embedding
subconscious behaviours; the
behaviour and attitudes that happen
automatically because they are
ingrained. This behaviour needs to
come from the leaders and is not as
easily delivered by a one-size-fits-all
approach to training. Training needs
to be targeted to the needs of each
individual to have the maximum impact.
CNET Training’s Sarah Parks
believes there is also a need for each
employee to understand their own
important responsibilities and the
accepted behaviour needed to protect
the organisation. This message needs
to be clear from the time they join an
organisation. It needs to be driven by
the board to ensure it gets through to
each and every employee.
Sarah also said that there is a
need to develop the right culture and
attitudes towards the training. They
find that time and time again clients
interpret the need for training, or the
actual action of undergoing training,
as a huge negative. Rather than
seeing it as the organisation investing
in its staff and its future, they often
perceive it as a total weakness.
At Cognisco we advocate that
the first step towards driving cultural
change is for companies to
benchmark the status quo. They need
real insight and accurate data about
their people – what they understand
about their jobs and where the gaps
lie and, critically, how they think, act
and behave at work – their attitudes.
With this insight, organisations
can identify their cultural issues
and start to tackle them. This may
pinpoint individuals who behave in
risky ways, who ignore set processes
or sidestep them. They can find out if
individuals misunderstand aspects of
their job and if they have the correct
attitude and behaviour.
With this kind of accurate evidence,
boards can make better strategic
decisions about how to deliver change,
how to promote a different culture and
how to embed that culture, whether
or not there is the right education and
training for staff in place in terms of
security and whether they need to
provide better support to help their staff
develop their knowledge, understanding
and confidence.
Listening to our experts, it is
clear there isn’t a simple answer –
the issue is complex. But it is clear
that organisations can no longer just
blame security breaches on errant
staff. If they really want change, they
need to look at how their employees
behave at work and the impact their
actions have on their colleagues and
then delve deeper to check whether
or not their workplace culture needs
an overhaul.