In the second of our monthly ‘A Conversation with’ series, we chatted with Oz Alashe MBE, CEO and founder of CybSafe.
Oz Alashe: “There are so many reasons but one of the biggest has got to be a lack of measurement. Unlike something like sales figures or web traffic, culture isn’t easy to pin down. It isn’t easy to take a quick measure of what culture is today, and then what culture is tomorrow to see if culture has actually improved. I think in the absence of metrics, it becomes tricky to work out whether what you’re doing is actually working. So people abandon all hope – and you can hardly blame them. There are a million and one other things on the to-do list. Why spend time doing something when, for all you know, it could be entirely counter-productive?
In order to implement a cyber-secure culture, we need to try to monitor culture – and that’s something we’re really excited to be working on at the minute at CybSafe. Already the CybSafe platform goes further than most to help Information Security officers measure culture – at least in terms of cybersecurity – so they can begin to nurture the kind of cybersecurity culture that we know is so important, but that’s so often elusive.”
OA: “I think a lot of people would answer this question with “people”. There’s a lot of talk in cybersecurity about the “people problem”. “People are the weakest link” is a line you hear over and over again. You hear it because research continually finds that the overwhelming majority of breaches involve some form of human error. An old IBM study found human error to be a “contributing factor” in as many as 95%* of all breaches – which just about says it all. Thanks to studies like that, more than a few security professionals believe one of the biggest threats businesses face to be their own, well-meaning people.
But I think you can flip that on its head. If people are involved in 95% of breaches, then people have the power to prevent 95% of breaches – or at least a very significant proportion of that 95%. If, for example, instead of clicking malicious links, people report them, then the chances are they’ve prevented a breach. People are not the “problem”. They’re the solution.
What are the most common threats faced by businesses today? Not people – but our failure to meaningfully help our people stay safe online.”
OA: “This relates to the key problem with typical security training – in that it focuses, quite single-mindedly, on raising an individual’s security awareness. I think the thinking is that if the training raises security awareness, people will behave in a secure manner. The reality is they don’t. Knowing what to do and actually doing it are two different things. And when you’re busy and you need to download something to get something done and a security warning pops up asking you to reconsider, what do you do? You might know the risks. But you’re perfectly willing to gamble. And that’s what causes problems.
To reduce the threats posed by insider vulnerabilities – what we call “human cyber risk” – security training needs to go beyond raising awareness to look at advancing security “ABC”, which stands for awareness, behaviour and culture.
If information security officers can monitor those things – awareness, behaviour and culture – then they know where they’re vulnerable, and they can address vulnerabilities to demonstrably reduce cyber risk. That’s pretty much the thinking that goes into the CybSafe platform. Measure awareness, behaviour and culture. Then implement a series of interventions developed in partnership with psychologists and behavioural scientists. Then measure awareness, behaviour and culture again, learn and repeat.”
OA: “It’s a lack of engagement. Criminals are developing new threats all the time and it’s impossible to say where they’re going to go next – it’s outside of our control. What is in our control is motivating our most under-used cyber defence: our people. How do we get people to care a bit more about cybersecurity?
You’d be surprised at how many simple methods are being overlooked, but one of my favourites is to stop trying to change people’s knowledge levels and to start trying to change their behaviour instead. We tend to think our attitudes are what shape our behaviours. But, actually, it’s a proven two-way relationship – our behaviours also influence our attitudes. If, for example, you hear a political message and you happen to be nodding at the time, you’re more likely to agree with the message than you would be if you were shaking your head. That’s proven. The same goes for security. If you behave in a secure manner, you start to think you’re the kind of person that sees security as important. So your behaviours start to shape your attitudes.
Again, by focusing on advancing awareness, behaviour and culture in one, an organisation’s people can keep its networks safe. Your people can become your ultimate defence.”
XQ: Thanks, Oz.
CybSafe’s intelligent software harnesses collective lessons across the cyber security community in a low-cost, per-user subscription to help businesses of all sizes improve cyber security behaviour and reduce cyber risk both internally and within their supply chains.
The GCHQ-accredited software helps businesses to mitigate cyber risk with greater certainty, greater impact, and more cost-effectively.
CybSafe is a British cyber security technology company. It is headquartered at Level39, the prestigious technology community based in Canary Wharf, London. Visit their website at www.cybsafe.com.