In the wake of the crippling WannaCry ransomware attack, experts at the UK’s National Cyber Security Centre (NCSC) are keen to point out that a technology-led approach to cyber security means that the strengths of staff in the fight against cyber-crime are being overlooked.
According to recent reports from the NCSC, too much of a technology-led security culture in an organisation can mean that unreasonable expectations are placed upon people in terms of making them do things that are difficult, impractical, and bordering on unrealistic in the name of security.
A prime example is a password policy that expects people to remember multiple, complex passwords that have to be frequently changed.
Evidence shows that when people in organisations are forced to use IT security systems that are impractical and incongruent with the flow of work, and where they feel unable to admit that they can’t work within the system (for fear of punishment or sanctions), the results can be:
- Employees are blamed for password failures and are accused of being incapable or uncooperative.
- Employees look for other (unauthorised) ways of working and take matters into their own hands so that they can get their work done on time while avoiding punishment, e.g. Shadow IT. The term ‘Shadow IT’ refers to apps and services that employees bring into the company systems without going through the approved channels. These are their own ideas to solve their own specific work problems.
New Relationship Needed
Experts at the NCSC now believe that, rather than locking themselves away in a kind of IT ‘bunker’ and issuing orders, there needs to be a change in the nature of the relationship between the IT Security Team in an organisation and the users of the IT systems. IT Security Teams may be able to achieve more effective results for the organisation by adopting a collaborative approach with employees.
Employees As Assets
If IT Security Teams work on the assumption that employees are assets who have information the security professionals do not have about how the business runs and how it needs to run, then, through meaningful communication and collaboration, lessons can be learned and systems and security can be improved in a more realistic way.
This re-framing and new IT security paradigm can mean that old, often ineffective security assumptions are challenged, e.g. the idea that long, complex and regularly changed passwords provide more than just a little extra protection.
What Does This Mean For Your Business?
Cyber and data security are vital to businesses, but only by collaborating, communicating, and creating a culture where employees are listened to, empowered and supported can businesses build security systems that are practical, effective, and work in harmony with the day-to-day business.
Although there are of course security and compatibility issues based around the idea of people introducing their own unapproved IT methods to the workplace (Shadow IT), some businesses find that allowing it to continue can mean that innovative and up-to-date solutions are found that can ultimately work better than the approved ways of doing things.
It is worth remembering that a large amount of cyber-crime now relies upon social engineering and human error to be successful. Businesses, therefore, need to provide IT and data security education and training to all employees, and understand that a chain is only as strong as its weakest link.
Author: Ben Armytage