Your Cyber Frontline: people, leadership, and resilience
“We need to talk, Nick!”
A CEO of a FTSE250 organisation had contacted me to share his story about how his executive leadership team had been the target and victims of a recent cyber-attack. His business had lost nearly £500k. His story highlighted how it’s your people, not technology, who typically hold many of the keys to unlocking how you can become more prepared and resilient to attacks. More on that at the end of this piece.
Business leaders and the boardroom have undoubtedly become far more alert and responsive to the cyber risks their organisations face over the last few years. Most now report it as a strategic risk to their business.
What is clear is that your organisation, whatever your size or business, is vulnerable. The risks are very real. On 18th April 2023 the UK Government and National Cyber Security Centre (NCSC) issued a warning to all businesses in the UK’s critical national infrastructure (including Financial Services, Energy, Water, Transport, Government and Health) that they are at significantly increased risk from cyber-attack over the coming months. The CEO of the NCSC said: “The UK needs to have greater resilience to all threats, whether they come from nation states or cyber criminals. Resilience must urgently move towards the top of our investment shopping list.”
The challenge is that maintaining resilience requires complicated trade-offs between reducing risk and keeping pace with business demands. Cyber risk is like no other business risk. It can fundamentally change, adapt and impact your business with the click of a button, in a matter of seconds. But there is one constant for all organisations that they can influence directly – their people.
Many organisations continue to invest in multiple layers of intelligent technical controls and technology to protect themselves from attack. Yet attacks and data breaches continue to grow in their scale and impact. There’s something missing in our organisational response.
Cyber-criminals will target your people, not your technology. Every year, different trusted research reports show that ‘human error’ is by far the biggest reason why cyber-attacks succeed. Whether you’re in the boardroom or on the frontline, you’re vulnerable. That was all too apparent to my CEO friend. The cyber attackers had exploited the secrecy and urgency of a sensitive project he was working on with his colleagues on the board.
When we spoke, we agreed to share some essential advice for other boards, focused on people and culture, to help you not suffer the same pain:
- We need to talk! Cyber-criminals rely on us not reporting mistakes or suspicions in case we appear at fault. We must build a culture and environment that welcomes openness and speedy reporting, and does not blame anyone for the mistakes that will inevitably be made.
- We need to understand the challenges our employees face in trying to comply with company security policies. We need security to be delivered around their jobs not the other way around. It’s often said: “Security that doesn’t work for people, doesn’t work.”
- We need to demystify cyber security with language, use cases and shared stories that build understanding and the motivation to do the right thing.
- We need to deliver short, highly relevant, engaging and context-based security awareness training, nudges and interventions, little and often. Remember, awareness is only the first step – it needs to be supported with open and consistent communication.
- We need leaders to champion security in their business. Take an active interest in how your workforce is engaged and trained in security, be seen to be doing the same training yourself, and lead the discussions with your security champions.
As the CEO highlighted: “We were one quick face-to-face chat away from not losing nearly £500k. We really do need to talk!”