Cybersecurity: it’s not all about the tech

March 5, 2020

Says Lynne Coventry, director of the Academic Centre of Excellence in Cyber Security Research at Northumbria University

Using technology and building secure infrastructure to protect your company’s network, data, customers and reputation from external threats are important; however, technology alone will not fully mitigate the risk to an organisation.

Alarmingly, human error remains the principal cause of personal data breaches (PDBs). According to figures from the Information Commissioner’s Office (ICO) obtained by data security solutions provider Egress, 60 per cent of PDBs reported between January 1 and June 20, 2019, were the result of human slip-ups. These slip-ups happen because busy employees are trying to maintain their productivity, and cybersecurity feels like a barrier to doing so. While many companies have invested heavily in technology to stop attackers breaking into their organisation, the same level of investment has not been made in staff, or in understanding how their behaviours can weaken a company’s security.

Attackers now find it easier to metaphorically go in the front door via staff, than break in through technology.

Shaping the cybersecurity research landscape

To stop today’s advanced attacks we need to adopt a people-centric cybersecurity strategy and explore how to design security technology and policies that support employees in working both productively and securely, rather than security simply adding to their burden.

Last year, Northumbria University was one of just two universities to be newly recognised as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR) by the National Cyber Security Centre and the Engineering and Physical Sciences Research Council.

The ACEs-CSR scheme is one of a number of initiatives outlined in the UK Government’s £1.9 billion National Cyber Security Strategy 2016-2021. At Northumbria, our holistic, multidisciplinary approach to cybersecurity integrates diverse knowledge from specialists in technology, human behaviour, business, law and design.

We believe proactive assessments of an organisation’s cybersecurity behaviours are needed to identify the vulnerabilities that attackers may uncover and exploit. Ascertaining the human-related root causes after an incident occurs is also crucial, and is an area of analysis that is currently lacking. This means acknowledging how employees really work, the underlying reasons security behaviours are not adopted, and how we can help employees achieve their goals without resorting to insecure practices that may cause unintended cybersecurity-related harm to the organisation.

Adopting a behaviour change approach

Companies need to adopt a behaviour change approach to cybersecurity – here are five points to bear in mind when doing so.

1. Involve staff in designing policies, procedures, technology and behaviour change interventions. Design these around how people actually work and how they maintain productivity, to reduce the need for workarounds.

2. Create a secure culture where everyone in the company, regardless of job title, walks the walk and does not just pay lip service to policies.

3. Ensure workloads and fatigue are not undermining security: high workloads and email overload are risk factors. Inattention, poor decisions and the need to get the job done at all costs are a cyber attacker’s way in.

4. Make employees aware of the scale of the threat, what they can do about it and how their behaviour, no matter how insignificant it may seem, makes a difference.

5. Lastly, make sure that a human aspects analyst is part of any incident analysis. Organisations are given technical toolkits, but it is also important to assess the role human behaviour played in the incident, and how it can be prevented in the future.

Northumbria University
To find out more about Northumbria University’s work in cybersecurity and engage with its community, please visit: www.northumbria.ac.uk/cyber

– Advertising feature –
