h2g2 Episode 15: Don’t train in vain

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations.  Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation.  To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.


Episode 15: Don’t Train in Vain

“So long, and thanks for all the phish.”

Douglas Adams, A Hitchhiker’s Guide to the Galaxy

[ Reading time: 9 minutes ]

If you’ve been following this series from the beginning, you’ll have picked up that there are many pieces to the cyber security jigsaw puzzle.  We can think of these in four “pillars” (thank you UUK): technology, culture, assurance and governance.

There’s lots to say about technology, and I’ve devoted 11 episodes so far to covering all the angles.  But that’s only one of the four pillars.  In the last two episodes I talked about Incident Response and Business Continuity, which we can put under the Governance pillar.

In this episode I’ll look at Culture, and why having a “security first” mindset in your organisation is critical to success, and how to go about building it.

The new frontline of cyber security

Earlier in the series, I talked about how the traditional view of an organisation’s IT was “the network” and how security activity was focussed on protecting “the network”.  Mobile devices and cloud storage have pushed the boundaries beyond the network to devices and data, and to the people who use them.  So while protecting the network is still important (don’t take your eye off that one), you need to ensure your people know how to work safely with the devices and data you give them.  And that starts with training.

All organisations should have a mandatory training programme.  This applies when staff join the organisation and usually every year thereafter.  Along with fire safety, modern slavery and manual handling, you might have cyber security and data protection.  Whilst all of these are worthy topics for coverage, lumping them together in one monolithic block of mandatory training tends to result in a click-through “let’s get this over with” mentality.  For sure, you’ve put the tick in the box for ensuring all staff have had the appropriate training, but has it achieved its objectives of embedding security awareness and safe working practices?

Nudge, nudge…

The old days of cyber security training being little more than being able to recognise a phishing email by poor spelling and grammar are long gone.  The use of AI by threat actors means that they can generate emails that look like the real thing, and attacks are getting more sophisticated year on year.  And that means your staff need to skill up and the training programmes you use need to refresh their content regularly.

There’s lots of evidence that doing training in small doses on a regular basis, little and often, is far more effective in raising security awareness than having one big training session once a year.  This use of “nudge theory” is embedded in some software tools which can prompt when a risky behaviour is spotted, like clicking on a suspicious email link, downloading an attachment, or clicking on a web advert.

When going phishing, avoid the red herring

Phishing campaigns are popular tools within security programmes, but there’s a bit of debate as to just how effective they really are.  For sure, they give you a metric to report on, but what are they really assessing?  There are lots of reasons why people click on links when they shouldn’t, and the real culprit isn’t always the individual who clicked.  You might reasonably ask how effective your awareness training is.  Was the individual over-worked, tired, or stressed when this happened?

People use links in emails for many good and valid reasons, like facilitating the sharing of information.  There can be a danger with phishing campaigns that you inculcate the attitude that all links in emails are to be treated as suspicious, and stop people using email effectively.

It’s my view that phishing campaigns do have value, but under a certain set of conditions, and are not (and must never be) the be-all-and-end-all of security training.  So, here’s when phishing campaigns are useful:

  1. You have done some phishing training before the campaign starts. Build capability and confidence; don’t spring these on people without warning.
  2. You have an effective follow-up programme for anyone who clicks through. These should be prompt after the event, short, factual, and non-blaming.
  3. Where you have “repeat clickers”, you need to take some time to understand what is going on. If someone is not understanding the security messages or refusing to comply, ultimately they represent a risk to your organisation and you may need to review their duties and remove or re-assign as necessary.
  4. You focus on “high-risk/high-value” teams and individuals. IT/Helpdesk, Finance, Payroll, HR, Student Records and Executive teams are all targets for sophisticated “spear phishing” or social engineering attacks.  So expose these teams to more regular phishing campaigns and craft the messages appropriately, e.g. a request to the Payroll team from HMRC for tax details for an employee.

It’s important to say here that naming and shaming isn’t effective for changing behaviours.  All it does is engender bitterness and negativity.  If you have a phishing campaign, by all means trumpet the team which achieved the best level of reporting; you don’t need to publicly call out the worst offenders (although you should follow these up).
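As an added illustration (not code from the original post or from Jisc), here is one way to track the measures described above: report rate per team, the best-reporting team to celebrate publicly, and the repeat clickers who need private follow-up.  The campaign results are constructed sample data; team and user names are assumptions.

```python
from collections import defaultdict

# Constructed sample results from three simulated phishing rounds (not real data).
# Each record: (round, team, user, clicked, reported)
RESULTS = [
    (1, "Payroll", "u1", True, False),
    (1, "Payroll", "u2", False, True),
    (1, "Finance", "u3", False, True),
    (1, "Finance", "u4", True, False),
    (2, "Payroll", "u1", True, False),
    (2, "Payroll", "u2", False, True),
    (2, "Finance", "u3", False, True),
    (2, "Finance", "u4", False, True),
    (3, "Payroll", "u1", True, False),
    (3, "Payroll", "u2", False, False),
    (3, "Finance", "u3", False, True),
    (3, "Finance", "u4", False, True),
]


def team_rates(results):
    """Per-team (click_rate, report_rate) across all rounds, as fractions of emails sent."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _, team, _, clicked, reported in results:
        t = totals[team]
        t["sent"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {team: (t["clicked"] / t["sent"], t["reported"] / t["sent"])
            for team, t in totals.items()}


def best_reporting_team(results):
    """The team to celebrate: highest share of simulated phish reported, not lowest clicks."""
    rates = team_rates(results)
    return max(rates, key=lambda team: rates[team][1])


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` separate rounds.

    This is the private follow-up list for a conversation about what is going on,
    not a list to publish.
    """
    rounds_clicked = defaultdict(set)
    for rnd, _, user, clicked, _ in results:
        if clicked:
            rounds_clicked[user].add(rnd)
    return sorted(u for u, r in rounds_clicked.items() if len(r) >= threshold)
```

A one-off clicker (u4 above) does not appear on the follow-up list; only someone who clicked across several rounds does.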

We are the champions

Security leaders can’t do your organisation’s security on their own.  It’s a team effort and it’s everyone’s responsibility.  Devolving that responsibility is a great way to embed security practice.

People tend to respond most to those they are closely associated with, such as their team colleagues.  You are more likely to listen to a member of your own team when they talk about cyber security than yet another message from the CISO.  If you can have some team members volunteer as security champions, it gives you a really effective way to get messages out and use them to model secure behaviours.  The security team can provide information and training to the champions, who can then cascade that out to their own teams.

Raise your game

Most things in life are better when they’re fun.  That’s as true of cyber security as it is of the Christmas night out.  So put some effort into making it enjoyable.  “Gamification” is where DuoLingo™ meets cyber security.  Have regular challenges and reward teams which do well.  This could be quizzes, training challenges, or phishing campaigns.  Make it part of your monthly or quarterly meetings or bulletins.

There are lots of opportunities within the calendar year to promote security messages.  We all know about the scam risks around Black Friday, but there’s Safer Internet Day in February, World Password Day in March, and Cyber Security Month (can you believe it) in October.  And many more besides.

Lead from the front

Just as security leaders need a network of champions to deliver security, they need the support of the executive team as well.  People get tired of hearing the same voices giving the same messages about cyber security.  Don’t underestimate how impactful it can be to have a strong security message coming from someone other than the CISO or IT team.  This series is about giving you the confidence to do that.

Ultimately, the executive team will set the agenda for your organisation’s attitude to security.  Your people will take their lead from you.  If they think that it’s not important to you, that you never discuss it, that you always hand it over to the CISO or IT team, they’ll take their cue from you.  So, speak up, do the training, model the attitude and behaviours that your organisation needs, and don’t expect to enjoy special exemptions!

A final [deep] thought

In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be returning to the Governance security pillar.  The Good, The Bad and the Policy.

For now, you can take useful steps forward by checking out your organisation’s training and awareness programmes.  Do you cover cyber security in your mandatory training?  Do you refresh the content to keep it fresh and up-to-date?  Do you run phishing campaigns?  How do you monitor and follow up the results?  What specialist training do you provide for your high-risk teams?  Do you have a network of security champions, or are you reliant on your CISO or IT team to do all the heavy lifting?  How do you promote security messages in your monthly or quarterly meetings and bulletins?


James Bisset is a Cyber Security Specialist at Jisc.  He has over 25 years’ experience working in IT leadership and management in the UK education sector.  He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, Certified in Information Systems Risk and Control, and is a member of the GIAC Advisory Board.
