Do you need a patch for stupidity?
Research into the causes of cyber security breaches almost invariably shows that insiders – employees – are to some degree responsible for the vast majority of them.
“What can we do?” ask the poor, hassled IT managers who are being blamed for the breaches. “There’s no patch for stupidity!”
Well, while cyber security breaches are frequently caused by employees, the cause isn’t generally stupidity. The reasons that employees become a threat to cyber security are much more complex than that.
Some breaches have a simple cause, such as greed or revenge. But these are the minority. According to PwC, 10 per cent of breaches can be attributed to deliberate action by insiders, while 26 per cent can be attributed to accidents.
If it isn’t stupidity, what causes all these accidental cyber security breaches? Here are ten triggers.
- Incomprehensible policies. Most organisations have formal information security policies. But how useful are they? When they run to 30 pages or more, as many do (or even to three pages or more), the answer is “completely useless”, because no one will read them.
- A lack of effective training. Too many organisations rely on a tick-box approach to training. It might simply be, “Read the (incomprehensible) policy.” It might be a once-a-year mention at a company meeting. It might be a requirement to pass a short online test once every few months. None of these approaches will deliver any meaningful knowledge about how to avoid cyber security risks.
- Unusable systems. If you design cyber security controls that stop people doing their day jobs effectively, they will simply find ways round them. This is a particular issue with the credentials (such as passwords) required to log on to IT systems: force people to remember a long, complex password that changes every month and they will write it on a sticky note or reuse it across systems.
- Overwork and a lack of awareness. Even if you give people the best training, they won’t always remember what they should be doing to keep safe. When things get busy or they get tired, they start to make mistakes. That’s why you need active cyber security awareness campaigns, as well as training, to keep people on track.
- Social pressures. Most people want to be part of a wider team. They want to be liked. So they try to be helpful and trusting. Attackers are masters at exploiting that helpful and trusting nature to get into systems (this is what social engineering is). It’s far easier than defeating the technology.
- Follow my leader. We are all influenced by someone. It could be the chief exec. It could be our bosses. It could be the cool new intern. Whenever an influential person behaves unsafely, you can be sure that others will follow their lead.
- Lack of belief. Your company has never had a breach. So you are not likely to have one in the future, are you? Yes you are!
- It’s not my responsibility. Everyone knows it is up to the IT department to sort out cyber security. Unfortunately, they can’t do it without your help. Unless everyone in an organisation takes at least some personal responsibility for keeping information safe, accidents will quickly happen.
- I’m too important. No one is too important to keep data safe. The more senior you are, the more access you are likely to have to sensitive information. So the more careful you need to be.
- I can handle it. A little knowledge is a dangerous thing. Most people aren’t equipped to tangle with a skilled hacker, even if they think they are. If something looks as though it has gone wrong, the sensible course is to ask for help before the damage gets worse.
Stupidity doesn’t get a look in with these causes. That doesn’t mean they are easy to handle, though. Attention to policies, effective training, usable systems, awareness campaigns and cultural change programmes are all needed.
If you want to find out more about managing internal cyber risk, then join Jeremy Swinfen Green, author of The Weakest Link (Bloomsbury Press, 2016) for a full day workshop in London on 9 May 2017. To find out more, or reserve your place, contact Lace on 020 8349 6458 or email firstname.lastname@example.org.