Cyber security affects our lives and most industry sectors as we interact with technology. Cyber security is how individuals and organisations minimise the risk of cyber-attacks with the application of technology, processes and controls. ISO also defined cyber security as protecting the interests of a person, society or nation, including their information and non-information-based assets that need protection from risks relating to their interaction with cyberspace.
Advancements in technology have brought solutions to our daily lives. The digitalisation of information in different industry sectors has brought improvement and efficiency, but it also presents some challenges. Some of these challenges are an increase in the attack surface (i.e. the number of points through which an attacker can extract data from a system), vulnerability to cyber-attacks, ransomware and potential consequences of data breaches.
While technical controls have been applied in defending organisations’ information assets, breaches continue to occur. Some of these breaches have been linked to human behaviour as users interact with information assets. Human error can cause security incidents such as exposure of records and unintended disclosure of information through unsafe security behaviour. Employees are still estimated to be the largest source of security incidents. This could be the reason why employees have been referred to as the weakest link in the cyber security chain.
Given this, it is crucial to understand the human aspect of cyber security in order to cultivate the culture of security needed to address behavioural issues in protecting organisations’ information assets. Having a robust Cyber Security Culture (CSC) in place can be valuable in minimising the threats posed by human error to the protection of an organisation’s information assets.
There needs to be more than just technical controls to address the challenges of cyber security breaches that many organisations face. Technical controls need to be complemented by CSC, which encourages acceptable user behaviour as interaction takes place in cyberspace. CSC has been described as incorporating the assumptions, attitudes, beliefs, values and knowledge needed by individuals to interact with an organisation’s systems and conduct daily tasks and activities through the utilisation of procedures and processes.
With the reference made to human attributes above, it becomes clear that it is necessary to influence employee behaviour and cultivate a strong and effective human defence or firewall needed to foster CSC and keep information assets secure. This approach will minimise cyber security incidents which could occur as a result of human error.
With time and with the buy-in of employees, the CSC can spread across the organisation, with good cyber security practices being adopted by many. To further develop CSC as a means of protecting information assets, it will be essential to understand employees’ or users’ behaviours and their perceptions of the concept.