Speaking at the Infosecurity Europe 2019 conference in London this week, representatives from three UK firms revealed how they foster good security habits among staff
For all the time, money and resources being poured by businesses into sophisticated software tools to minimise exposure to an information security breach, the basic principle of fostering good security habits among staff is a tactic not to be overlooked.
According to the latest government figures, 32% of UK businesses identified cyber security breaches or attacks in the past 12 months, and almost half of those businesses said they were experiencing such attacks at least once a month.
But it is often a business's people, rather than its technology, that leave it most exposed to attack, with human error blamed for the majority of information security incidents.
How to address this issue, and enact a behavioural change towards good security habits across the workforce was the topic of discussion at a keynote event at the Infosecurity Europe 2019 conference in London this week.
Representatives from HSBC, William Hill and Anglian Water each gave their interpretations on the theme of fostering best practice to strengthen resilience against cybercrime.
Different approaches to fostering good security habits within a business
As the UK's largest water utility by geographical area, with six million customers and around 8,500 staff and affiliated workers, Anglian Water shoulders a lot of responsibility to keep both its customer and operational data secure.
Three years ago, the company launched an internal communications campaign to raise awareness among staff about the need to be vigilant online and develop good security habits.
This took the unusual form of a posse of cartoon “monsters”, each designed to represent a specific information security risk, with employees encouraged to learn the techniques required to vanquish the cyber “nasties”.
Anglian Water’s head of internal communications Linda McCormack explained: “We took a technical message and translated it into a very simple plan of action that we then rolled out across the business to very targeted and segmented audiences.
“Because we know the business and the audience, we were able to say to individuals ‘This is your risk, this is where you have a problem and this is what you can do about it’.
“We wanted to bring our campaign to life in a very visual way, and, looking around at what was on the market, everything you see about cyber security was very dark and sinister, and a bit scary.
“But part of the emotional connection that we made with our audience was bringing their families, their children into it.
“We brought the risk home – so that by changing behaviour at home, we’d hopefully change their behaviour at work as well.”
This tactic of distilling the often complex world of cybersecurity into Top Trumps-style cartoon characters proved effective for Anglian Water.
Nine months after the cartoon monsters (Cloud, Phish, Cipher, Hack, Viro and Data) were introduced, 79% of the workforce said they better understood the risks faced by Anglian Water and would actively do something about them.
In the same period, the number of emails staff sent to the company spam bin rose by 200%, while the rate at which staff clicked on suspicious links fell from 46% to just 3%.
To even get to the stage of implementing a company-wide information security strategy, there must first be a willingness at the executive level of the business to do so.
Bookmaker William Hill’s chief information security officer (CISO) Killian Faughnan explained how board members need to be convinced of the urgency of devoting time, money and resources to tackling an invisible threat.
In this sense, Mr Faughnan’s job becomes more about marketing and perception than about information security – something he admits can be a “discomforting” role for someone who works in an industry that “thrives on fact”.
He said: “What we are doing when we talk to the board is marketing a product to our customer – and security is our product.
“If you can sell your vision to the board and they understand what you are selling, it makes the rest of your job a lot easier.
“Your product needs to be simple, practical and pragmatic. It needs to be obvious to everyone in the room once you put something up on a slide what it is and why it is there.”
Mr Faughnan stressed the need to treat board members as individuals, not as a single entity, and that success in selling security to them depends on recognising that an executive board is really “a collection of people who have different views on what ‘good’ looks like”.
He also recommended keeping pitches simple, and avoiding the temptation to throw huge amounts of information at board members to illustrate the importance of cybersecurity initiatives.
“Don’t overcomplicate it. If you confuse your customers, if you distract them with data they will buy from someone else – hire someone else,” he warned.
“Data has its place, graphs are brilliant, they have their place, but that place is mostly in your dashboard.
“Your job is to take all that data and crunch it down into something meaningful – and then to present that to the board in a way which makes them feel that you know what you’re doing and they trust you.
“If I try to land more than three messages I will confuse myself and I’ll confuse them, and the message will get lost beneath all the detail, and your customer will tune out.”
The HSBC approach to cultivating good security habits across its global operations has been to implement a “cyber champion” programme, which now includes 1,500 staff members who contribute their time to promoting better cyber-awareness within the business.
HSBC employs around 235,000 workers across 66 countries, so the potential for human error leading to an information security lapse is significant.
Paula Kershaw, the bank’s CISO for Europe and the UK, described how the aim of the scheme was to address workers on a personal level – promoting safe and secure IT habits at home, as well as in the workplace.
This approach, she explained, helps to more effectively deliver the information security message by getting people to “connect emotionally” with cybersecurity issues.
“There have to be advantages for the individual to participate and for the organisation to invest the time and money necessary to do this,” she said.
“Colleagues develop the knowledge and skills on how to protect themselves, their families and the people they care about.
“If we can engage our staff and teach them how to protect themselves, they will bring this back into the workplace.
“And we will get that emotional engagement from them, and the willingness to learn.”
The cyber champion scheme runs monthly events to engage with its community of “cyber shields”, which are usually based on a theme – such as phishing, SMiShing or social engineering – to keep the programme “relevant” and “not about HSBC or financial services”.
Last October, the network held 114 separate events to tie in with National Cyber Security Awareness Month, which drew more than 20,000 HSBC staff to attend in person and a further 85,000 to register with the network and its newsletter.
It also hosts an awards event as well as webinars, calls and videos to keep staff members engaged with information security throughout the year, and to spread word about the scheme throughout the wider workforce.