Caroline Poynton considers why cyber security should be the responsibility of all employees throughout an organisation
Caroline Poynton is a freelance journalist.
The recent news that ‘state sponsored’ hackers stole data on 500 million Yahoo users, in what could be the largest publicly disclosed cyber breach in history, is just the latest in a series of stories about major companies that have suffered attacks.
Verizon, which acquired Yahoo in July, announced that it had only just learned of the attack, which occurred two years ago and also involved about eight million user accounts in the UK. And just days later TalkTalk was fined a record £400,000 for failing to stop a cyber attacker who accessed the personal data of 156,959 customers ‘with ease’ last year.
It seems that organisational processes and communication failures are exposing companies to potentially massive operational and reputational damage. And much of this may stem from poorly managed internal issues. While the security incidents of recent years have highlighted the myriad threats from external sources, these may actually obscure the fact that, for the majority of organisations, cyber-attacks still come from within. Internal resilience may be a critical first step to ensuring external threats are minimised.
Rachel Thornton, founder of internal communications agency scarlettabbott, says: ‘Some companies’ strategies to mitigate these risks focus on cyber security and hacker protection, but overlook a significant root cause – their own employees. Research suggests that employee errors account for nearly 60 per cent of data breaches.’
Indeed, research carried out by Axelos, a joint venture between the UK government and Capita, found that 75 per cent of large organisations suffered staff-related security breaches last year. Thornton cites common problems such as workstations being left unlocked, emailing files to home and personal accounts, falling foul of phishing scams, the sending of unencrypted files, weak classification of documents and lax attitudes to company reputation in employees’ social media activity.
If companies are serious about addressing cyber threats, they have a lot to do to get their own houses in order. And communications teams have a huge role to play.
At the moment, it seems that communications of any description in this area are pretty woeful. A recent survey of in-house communication professionals by Regester Larkin, for instance, found that over 60 per cent of organisations do not have cyber-specific communications plans in place.
And, despite the fact that 80 per cent of communication professionals believe scrutiny over cyber incidents will increase over the next two years, nearly half (46 per cent) say their organisation is not sufficiently prepared to communicate on the issue. No wonder companies are getting lambasted over their failure to speak out when breaches occur.
But the problem goes deeper than just a failure to speak out. Roberta Ramsden-Knowles, a director at Regester Larkin, believes there is a lack of cyber awareness across all levels of an organisation, from executive and management teams to front-of-house staff. ‘There can also be a general lack of understanding about what constitutes a cyber-attack and how it could impact an organisation. Communication teams must understand the data and information that their organisation holds, how it is protected, and what can be done with it by cyber criminals,’ she says.
It doesn’t help either that there is little drive from the top for this. ‘Cyber security responsibility at a board level is still relatively uncommon with just three in ten (28 per cent) businesses having cyber security represented within their senior management boards,’ says Emma Carr, head of technology at Hanover Communications. ‘This could also mean that those on the board simply don’t know where to start in addressing this as an issue.’ Ramsden-Knowles agrees. ‘Corporate boardrooms recognise cyber risk but there is often still no clear owner,’ she says.
All of this means a paucity of communications of any kind – either to help defend a company from attack or minimise the damage post-breach. ‘Many businesses recognise the inevitability of a cyber-attack or data breach and have heavily focused on investing in preparing their technical response,’ says Ramsden-Knowles. ‘For some organisations, this has meant they have not yet addressed the complex, and different challenges cyber-attacks present for the communications response.’
There are two sides to this internal work then: first, getting the right people, processes and strategy in place to understand, detect and communicate risks and/or problems; and, second, educating and training staff at all levels to engage in the right behaviours that will protect their organisations from threats.
Resilience as a process
Ramsden-Knowles argues that senior executives need training, not in the technical world of ‘cyber’ but in the questions they should ask of information security and IT so as to inform their decisions in a crisis. ‘If there isn’t buy-in at a senior level, the communications team can influence this by setting out the potential reputation, and therefore commercial impacts, of not responding effectively to an incident,’ she says.
This then needs to be followed up by firm-wide processes that link up internal teams. ‘A cyber-incident response requires an integrated response involving the executive and technical teams as well as key functions, such as the communications team, across the organisation,’ says Ramsden-Knowles. Crisis exercises will be necessary too, she adds, to ensure teams work together effectively during an incident, to rehearse their response and to reflect on the unique challenges a cyber-attack could bring. ‘Exercises quickly highlight challenges and opportunities for improvement around decision-making, strategy, process, procedures and information flows. As well as involving teams across the organisation, many are now also exercising with partners and suppliers.’
Carr agrees, adding that preparation should be tested regularly, so it becomes second nature and should include details on what information to gather and share both internally and with external stakeholders.
The employee challenge
The second piece – getting employees on side – may, however, be the more difficult proposition. This is because, as Thornton says, it’s not just about implementing a better process, but also about changing mind-sets and behaviour.
‘The biggest challenge we face is establishing a culture of awareness and responsibility from the top to the bottom of the society,’ says Eloiusea Giles, internal communication business partner – IT & group security at Nationwide Building Society. ‘The ideal is for all employees to fully understand and know how to respond and spot the signs of a cyber-attack. We want this to become second nature.’
Nationwide’s head of cyber security Matthew Rowe adds that it’s about getting employees to think about cyber security in the same way they think about health and safety, such as fire drills. ‘The steps we take to prevent and act in that situation are embedded and everyone knows what to do and feels they have a responsibility to act,’ he says.
The problem is that, unlike the immediate threat of fire (highlighted by an ear-splitting bell), it’s much easier to ignore or underestimate the risks of a cyber-attack – especially if it seems to have little immediate relevance at a personal level. That devil-may-care attitude can then pervade the atmosphere.
Thornton argues, for example, that colleagues are more likely to have a lax view of security if they suspect their peers share the same opinion. That is then bolstered by ‘false consensus’, which makes ‘employees over-estimate the degree to which others agree with our beliefs, values, attitudes and behaviours’. And then there is the bystander effect. Thornton describes a study in which a group of people were tasked with completing a survey while smoke was released into the room.
‘Less than a third of the group took any direct action, waiting for someone else to take the lead. In that same situation, an individual in the room alone almost always reported the smoke. In a workplace environment, this means that colleagues facing security breaches often expect someone else to take action.’
Education, education, education…
Success means driving or changing behaviours – evolving a culture into one ‘that is rigorously security conscious’, says Thornton. At scarlettabbott this means working with clients on an AREA model.
A: Awareness of the tangible consequences to companies and individuals of security breaches.
R: Responsibility on each individual to protect customer, business and colleague data actively and consciously.
E: Energy, where leadership sets the pace for change.
A: Action, agreeing specific steps and behaviours needed to improve data security.
‘Training, coupled with regular communications, is the key to building awareness and understanding across the organisation,’ says Ramsden-Knowles, adding that she has seen many companies appoint someone responsible for educating and training employees to raise awareness of the risks. ‘Educate employees so they know what action they can and should take to protect themselves and the organisation.’
At Nationwide, employee messaging spans a variety of channels. ‘These messages provide information on the employees’ role in helping to report suspicious activity as well as giving employees awareness of what is happening in the outside world,’ says Giles. ‘To help embed these messages further, we also run regular knowledge checks and phishing tests. We make sure employees can relate to the messages, as this makes them more likely to be read and understood.’
This year the company has also launched a major companywide campaign, with a different focus each week. ‘We started out by demystifying cyber and letting employees know what it really means, followed by a “rogue’s gallery” focusing on telling the stories of real-life cyber-crimes and the impacts these can have on individuals and companies. We then went on to cover what we’re doing specifically within Nationwide to protect ourselves against these attacks, and finally ended with education for employees, under the banner of Scam Smart Awareness.’ This has all been tied together with weekly knowledge checker quizzes, which have helped with embedding key messages, keeping the conversation going and, as much as possible, ensuring the subject remains front of mind.
As well as giving advice on what to do at work, the company also shares general advice that employees can follow at home. Giles thinks this helps employees to think about cyber as part of their everyday life.
One of the great challenges with cyber security is that no matter how prepared you might make your company, you can’t prevent attacks altogether. And when they do occur, they are complex, often difficult to detect and take time to resolve. It is still not clear, for instance, exactly when Yahoo first realised its data had been breached.
This is difficult for communication professionals. As Ramsden-Knowles says, communication professionals may recognise that scenario-specific plans are needed, but producing them for all scenarios, internal and external, and covering all likelihoods including the loss of data, loss of access to data or loss of confidence in the data’s integrity, is challenging.
Her advice is for companies to develop a ‘playbook’, which can guide decisions based on the cyber threat. For Nationwide, it is about taking a measured approach, depending on the situation.
‘We would work collaboratively with our media relations and group security teams to make sure all internal and external messages were aligned and consistent,’ says Giles. ‘In terms of messaging we would encourage a transparent and timely approach. We’d be conscious not to inflame a situation, as in many cases these attacks thrive on “publicity”, which is why we work so closely with the group security team specialists.’
Given the number of variables, she adds that it is vital to offer regular and honest updates, even if there is nothing new to say. ‘It’s important that employees feel informed and kept up-to-date, even if that is simply knowing that the situation has not materially changed,’ she says.
There is clearly plenty of fear around this communications issue – companies know cyber security is a huge issue but seem somewhat paralysed when addressing both the internal complacency that drives lax security processes and the complexity of breaches when they occur. It doesn’t help that leadership teams are still slow to embrace this at a board level, despite the clear reputational repercussions of responding badly to a successful breach.
‘There are very few businesses out there that couldn’t be doing more to communicate the problem of cyber security to their staff, ensuring this is kept front of mind at all times both at work and home,’ says Carr. But she also says that the process shouldn’t be time consuming, resource draining or overly complicated. ‘There are plenty of tools out there that can provide a starting point for businesses,’ she says.
For many communication teams, it’s surely time to get cracking.