Nudge, Nudge

Maybe the best way to attack the big issue of cyber security is to think small.

It’s all a bit too much isn’t it, this cyber security lark? Every day there are more threats, every day there are more reports about companies failing to mitigate the risk and there is a seemingly never ending range of products, services and standards that you need to meet.

And if that wasn’t enough, the fact of the matter is that the IT in your organisation actually does work. There might be an odd sticky moment, but it’s taken years and far too much money to get to a point of relative stability. Things slowly improve, there is always that push – pull with the IT front runners and those of a more mature vintage who are quite happy with how things used to be.

To compliment all of that, you are running your business or organisation and trying your level best to focus on that. This cyber ‘thing’ as many are starting to call it is just a little bit ’too much’, it’s a bit ‘too big’ to take on right now.

But maybe we are incorrectly looking at it as a big issue, a big problem, maybe we should look at it differently with just a few gentle nudges in the right direction.

If you are not aware, ‘nudging’ might just become your best ally is getting your staff motivated to become more cyber aware and vigilant. I’ve recently been reading the book ‘Think Small’, by Owain Service and Rory Gallagher, both of whom worked inside The Behavioural Insights Team (BIT) that was set up as the world’s first government institution dedicated to the application of behavioural sciences. It was given the nickname of the ‘nudge unit’

The basic premise of the book is that small nudges in individuals behaviour in the right direction can have a dramatic positive effect on resolving a problem, or improving a process. So, could ‘nudging’ be a viable tool to use in cyber security?

None of us like to be dictated too, least of all by technologists or those who speak in a language that we find hard to comprehend. The IT gurus may be correct in what they are asking us all to do, but if we could be a little more empowered then that natural friction between IT and the rest of the business could be reduced.

Take some of the five key technical controls in Cyber Essentials as an example. Firstly, they are ‘technical’ so to a ‘non-technical’ person, they probably don’t think that this is in their remit or responsibility. So why not remove the word ‘technical’ and just make them ‘controls’, making them slightly more palatable to the vast majority of the company who are not techies.

One of these controls is ‘access control’, which means that only those who should have access to systems have access and at the appropriate level. Who is best placed in your organisation to determine that? IT? HR? Perhaps the people who are doing the work. For years, they will have needed access in one form or another to data and will have found workarounds when what they need is not immediately available.

Perhaps a simple change, a nudge, in policy could help here. When the time comes for an annual staff appraisal, ask them what data, what server shares, what they need access to in order to do their duties. Allow them to be open, honest and explain any unorthodox methods of getting this.

The results of this could then be passed from HR back to IT to implement, as opposed to the traditional way of IT setting it up based on their best judgement call at the time. Could this improve an individuals productivity? Only one way to find out.

Another couple of controls are malware protection and patch management. Both are normally centrally controlled and will be updated in line with existing policy. However, most people have smartphones and are now very used to updating apps, patches and operating systems on an as needed basis. Therefore, could this internal IT process be distributed across the workforce. This could empower those to feel they are more responsible for their IT and almost generate a pride in having a safe and secure working environment – or am I living in a bit of a utopian world here?

We all know that cyber security is a BIG issue, one that needs a great deal of effort to resolve, but maybe a few gentle nudges in the right direction is all it needs to get it started.

Let’s not think big, but let’s think small. Nudge, nudge.

Share: Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInPin on PinterestEmail this to someone