Ok, it’s a Friday and the Bank Holiday weekend is upon us. Chances are you have knocked off early and are probably having a chat over a drink with friends and colleagues.
Now, if cyber security crops up among the topics of conversation, would you be able to put your hand on your heart and say “Yep, after years of threat reports and advice, we have taken action and have a formal approach to cyber security”? I bet many of you can’t, and if you can’t then you are in what the recent Cyber Security Breaches Survey 2017 from the UK Government would call a ‘sizeable portion’.
This report, which has been expertly analysed by Forbes magazine, points out that virtually all UK businesses covered by it are exposed to cyber security risks. Yet only a paltry 33% have a formal policy that covers cyber security risks and just 32% document such risks in business continuity plans, internal audits or risk registers.
Irrespective of all the data, advice and support now available in the open market for mitigating cyber security risk, and the lip service paid in boardrooms across the country to this being a ‘priority’, it’s clear that there is still a very long way to go.
Could the answer be in a company’s cultural approach to this issue?
According to SC Magazine, changing a company’s culture to a ‘cyber security first’ one is possible. They reference the example that, in the wake of the attacks in New York on 9/11, New York City’s Metropolitan Transportation Authority came up with a tagline intended to make citizens aware that each person is on the front line when it comes to defending the metropolis against another terror attack. “There are 16 million eyes in the city. We’re counting on all of them.”
This was designed to cultivate a culture of awareness and communicate that everybody has a role to play in keeping themselves and their wider community safe, and thus could easily be adapted and applied to the risk of cyber attack.
The article goes on to discuss how there is a blame culture developing around hacks and other data breaches and suggests that all staff members should be made aware of the cyber crime risks. How could this be done? They offer the example of a simple exercise: sending out an internal bogus phishing email to see how many employees click on the suspect link. This data could then be used to show how easy it is to be fooled and thus kick-start an internal awareness-raising campaign.
We all know that changing culture takes time and the effects are seen slowly. However, it can work, and as the SC Magazine article states, “by starting early you can have time to plan and implement a thoughtful culture initiative”.
But don’t be too disheartened if you are in that aforementioned sizeable portion without a formal approach to cyber security, or if you have so far not managed to get your cyber awareness and cultural change plans off the ground, because you are in illustrious company.
None other than the current occupant of the White House across the water in the USA has missed his own self-imposed deadline on strengthening US cyber security.
A story posted by the Independent relayed that before he was sworn in, Mr Trump said in a statement the US needs to “aggressively combat and stop cyber attacks.” He vowed to “appoint a team to give me a plan within 90 days of taking office.”
We have now passed the 90-day marker with no team, plan, report, or executive order on anti-hacking.
Maybe he has just knocked off early for the Bank Holiday and is enjoying having a chat over a drink with friends and colleagues too. Oh, hang on, it’s not a Bank Holiday in the USA, no excuse then!
For links to all these stories and more, or to contribute some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.