When asked about cyber and information security risks to the business, most think about the technical controls against cybercrime: making sure the IT team has protections such as firewalls and patch management in place; making sure password protection and BYOD policies are implemented. Consideration can be expanded to the physical security of your building and making sure your employees are aware of the current threats and what criminals look out for when attempting to break into your systems. However, there is a big risk that is not being considered.
Cultural vulnerabilities to your business
We are seeing more and more behavioural challenges within businesses that are compromising information security. This is something that needs highlighting in all organisations and should be addressed as a priority.
Here are 3 cyber and information security behavioural risks that every business should be aware of:
1. It’s not going to happen here!
We still hear:
“It’s not going to happen here!”
“Why would anyone want to target us?”
“We’re not big enough to be of real interest!”
You may read about breaches in the press, but you don’t know an organisation that has suffered a cyber-attack. Therefore, you are conscious of it, but don’t feel the need to worry about it. You have an IT team in place who maintain your IT systems and security – they have it under control. Whilst you may not be a big name outside of your industry, you might have some big name clients.
Are you sure there are no fellow businesses which have been attacked? Does your IT team have enough resource, time and the right skills to manage the security of your systems as well as the day to day running of your IT? Do you have a recovery plan in place that you know works?
Any business that is reliant on its IT systems to function, has money in its accounts, and holds information that could be of interest to an outside party is at risk of being targeted by a criminal.
Whilst you may have people managing information systems for you, you should make sure that processes and procedures are being followed; that the right amount of budget is being invested; and that your in-house or outsourced team believes they have everything in place to best protect your business. Cyber and information security should be a Board-level consideration, to ensure that it’s addressed each month to flag issues and changes, thereby keeping it at the forefront of the Board’s thoughts at all times.
Security isn’t an annual consideration, it’s a 24/7/365 commitment.
2. Oversharing company information
This risk isn’t about the intentional theft of information, but more about the unintentional sharing of information, some of which may be business confidential.
We are in a society of ‘oversharers,’ especially when it comes to social media. Many of your employees have LinkedIn or Twitter accounts – on some of which they officially represent an organisation. Do you have a policy in place to make clear what employees can and can’t share on social media?
What about other information discussed during and outside company hours? What do employees share with partners, friends and family without thinking about the commercial consequences, or realising the sensitive nature of what they are sharing? It may seem obvious to you, but have you made clear to employees what is and isn’t to be shared?
What about when you have meetings? Do you have the door closed? Employees won’t necessarily be trying to listen in to your meeting, but when sitting nearby with a door open, they can hear what is being said. This also applies when the meeting room walls are thin or conversations are taking place via loudspeaker in a meeting – these conversations can often be overheard. This is most dangerous during hot weather when windows are opened, potentially allowing passers-by on the street to hear the conversations. Within the office environment, that ‘gossip’ goes around and then into external conversations – what is the impact of this information getting out?
Have employees been briefed about working on business documents in public places? Ignoring the obvious threat of using public Wi-Fi, who else might be looking over their shoulder? Do they access company information from personal devices? It’s important for everyone in your company to understand what policies are in place and what can (and cannot) be accessed or saved on personal devices. When people understand why, they are much more likely to follow the rules rather than find ways around them!
3. Bypassing procedures in hierarchical organisations
One of the biggest risks that we have seen recently, and on several occasions, relates to C-suite positions and VIPs being able to bypass security controls in the business; these individuals can be the biggest culprits when it comes to bending the rules! Relaxed security controls for VIPs may be fine for speeding up business processes but are very dangerous when it comes to information security. We often hear from IT or operations teams that it is easier to turn off the controls for executives, or that they have been ‘directed’ to do so. An example of this is allowing USB ports to be active on an executive’s laptop when company-wide policy is that they are disabled.
However, it is the C-suite who are typically targeted by criminals. Executives are the people who hold the most valuable information and command the biggest influence in the business. Whether the aim is to attack the executive directly or to steal their credentials and then send internal emails, they are a rich target. Through impersonation, a criminal can execute a number of business transactions, such as approving a payment or changing payment details, requesting an order, or authorising the sending of information or a similar document out of the business. The names of senior management are typically available in multiple places, such as the organisation’s own website, personal LinkedIn profiles where employment is listed, or the Companies House website, and are therefore easy to find.
Cyber & information security in your business
Information security practices need to be implemented from the Board-level down to be successful and the security team needs to be supported by the Board when they make recommendations and implement controls. By creating a cyber security culture at work, businesses will be better at protecting their organisation and its information, and addressing the behaviours highlighted above.
If you would like to speak to one of our Consultants about addressing the cultural vulnerabilities in your organisation, please contact our Consultancy team on 020 7877 0060 or email our Practice Lead, Paul Gribbon on firstname.lastname@example.org.