People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).
Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre.
The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture.
“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.
“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.
“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.
An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.
Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.
Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.
“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”
The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.
While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.
Users still commonly see security as a policing role, she said, and do not feel confident enough, or are too afraid, to talk to security teams about the challenges they have and where they feel the need to bend or even flout security rules in order to get their jobs done, for fear of being sanctioned in some way.
“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.
“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”
End-users should be viewed as positive assets who have information that security professionals do not have about how the business runs and how it needs to run, rather than as a liability that has to be managed, said Emma W.
“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.
Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.
“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.
“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.
Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.
For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security, and is encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.