Historically cyber security has been regarded as a function of the IT department. Data is stored on computer systems, so the IT Director is made responsible for protecting it.

And it remains true that many of the security measures used to protect data are IT-based. Firewalls, permissions, encryption – all are technical solutions to the problem of preventing data loss, theft and leakage.

In recognition of these superior security safeguards, cyber criminals are having to develop more advanced methods of attack. Bypassing perimeter firewalls is no longer enough to gain access to your network.

Modern attacks now take place on multiple levels – and they are no longer purely technical. Criminals are using your own employees against your defences – although most of these people will have no idea they are doing anything wrong.

People are your biggest security risk

The unfortunate truth is that people represent the biggest risk to corporate security. Not hackers – your own employees.

Despite increased awareness of the dangers of fraudulent emails, it remains the key point of entry for most cyber attacks. UK Government figures suggest that 72% of attacks in 2017 were launched via email.

Again, perimeter defences are very good at detecting and blocking malware and ransomware, but bad messages still get through sometimes. In most cases the malware lies dormant until someone opens the infected attachment, triggering the payload.

The same scenario is repeated with compromised webpages, infected removable drives and insecure personal devices connected to the corporate network. The IT team will implement automated systems to minimise these risks – but staff have a part to play too.

And this is where the importance of culture comes into play

Everyone has a role to play

With so many potential attack points, the key to improving security is to create a culture of healthy suspicion. In the era of openness and social business this approach may seem counterintuitive, but the stakes are too high to continue making basic mistakes with security.

An effective security culture will mean moving from the traditional “trust but verify” model, to a new “verify then trust” alternative. This means that any email, file or approach by a third party should be considered hostile until employees prove otherwise.

The reality is that Advanced Persistent Threats (ATP) use multiple vectors to compromise your security – including spoofing communications from trusted sources. Maintaining a healthy level of scepticism helps to reduce the risk of these more subtle techniques successfully infiltrating your systems.

Lead from the top

Cultural change always starts at the top of the business. The IT Director may define what needs to change, but the rest of the C-Suite is responsible for communicating those changes to the rest of the business.

More than simply defining a vision however, employees will need regular training. First, they need to be able to identify new attacks, and then ensure they continue to apply that knowledge.

Because people play an important role in starting or preventing ATP attacks, it is critical that your people are properly prepared for their role in improving security. Data protection may not be an explicit aspect of most jobs, but everyone now has a part to play.

To learn more about security culture and how to use technology to complement it, please get in touch.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA