So much for the immediate responses to a cyber attack – what of the longer term impact? How can your responses be used to drive positive change throughout the business? Certainly technology transformation is important, and addressing any known areas of risk. To this can be added the governance piece, and ensuring current policies and procedures are enforced across the business (and supply chain/third parties wherever possible).
But there also exists a third pillar that demands similar attention: culture.
Indeed, prevailing mindsets can often hamper efforts to improve technology and governance, particularly when long-serving employees are asked to ‘move away’ from older systems and applications that they’re familiar with (and therefore comfortable using despite the security risk).
In addition, there’s the fear that in a complex, interconnected technology landscape, making changes or turning older systems off will lead to key capabilities becoming ‘broken’. Convincing people otherwise can be difficult, and can lead to investments being focused elsewhere. This is why, in a peculiar way, a cyber attack can end up being a blessing in disguise, by ‘waking’ the business up to the need for change – and by building the impetus needed to see it through.
It’s the same with the physical behaviours of staff in office locations. In part this relates to the idea that you can’t ‘legislate for stupidity’, and that communicating security policies is one thing but actively enforcing them is another. For example, one attendee described how “our security team does frequent sweeps throughout the office. We’ll note computers not locked down or inappropriately secured and then do a naming and shaming of culprits. Importantly this includes executives, as we want to highlight the communal nature of the responsibility. It’s done in a challenging yet constructive way, but there’s also a serious side: three strikes can lead to a performance disciplinary”.
Another attendee explained that “my team does a similar sweep on occasional evenings, looking to find items such as passwords written on sticky notes and placed on desks. We rip them up, then await calls to the helpdesk for a reset – which is where we’re able to push the educational piece”.