Ever since school, we have been trained in what to do in the event of a fire – how to recognise the warning signs (smoke), how to sound the alarm (break the glass) and how to leave the building safely (don’t use the elevator).
It is an emergency response that relies entirely on the people in the building knowing what to do. It prioritises trust, awareness and training alongside the process-driven and structural aspects of firefighting.
We’re protecting empty offices
For many organisations, the focus has traditionally been on protecting the workplace: the people, assets and infrastructure that exist ‘at work’. What 2020 has taught us is that we can work from home – and be effective – but our cybersecurity focus hasn’t followed the people.
Before the pandemic hit, most of the apps and devices used were owned and managed largely behind your own firewalls (in your offices). Now, with most of your team working remotely, the situation has changed.
In addition, data and information are being shared externally with contractors, partners, suppliers and outsourced teams every day. You have less control, and traditional perimeter-based systems and access controls are no longer enough to protect your business. Your risk profile is completely different.
The perimeter is no longer the network, or the office. The new perimeter is your people and your cybersecurity needs to reflect this.
Over 90% of cybersecurity breaches are due to human error. That is why it is crucial that companies adopt a people-centric approach to security, focusing on protecting the people and working with them alongside existing controls to protect the business further.
What is people-centric security?
Hackers hack humans to hack companies, and that is why your people are your best line of defence.
This isn’t just about employee awareness training. It is about monitoring behaviours, identifying the challenges people face and then building a cybersecurity strategy around them: finding systems and policies that work with people, not against them.
In today’s flexible working environment, employees are logging on from multiple locations on multiple devices that organisations don’t support, using infrastructure they don’t manage and channels they don’t own. Each one is a potential avenue for cybercriminals.
Trying to stop this behaviour is often counterproductive. Instead, by building trust through greater individual accountability, businesses can create far more effective protection for themselves, treating employees as guardians of corporate data rather than as a vulnerability.
People-centric security (PCS) supports your employees’ rights to work in a certain way, but with that comes great responsibility.
For example, an organisation can let employees use their personal phones for corporate emails and it is up to them to decide how to use the protective security solutions offered by the IT team. However, if any confidential data is lost or compromised, they could lose that privilege.
Building people-centric security
Education is still an important underlying element. For this to work, employees need to know the threat landscape, your protection policies and procedures, and the best practices for working from home.
When educating them, messaging needs to be engaging and explain clearly why certain practices are in place, so they understand the risks involved.
Be transparent about the consequences of their actions. Share information such as how much a data breach would cost the company and what reputational damage is at stake if one occurs.
Let them know they are the first line of defence and that you trust them.
Get the right security tools
Having the right cybersecurity tools in place is also key to supporting employees to be more mindful and secure in their practices.
Adopting foundational security measures such as least privilege, which is based on the Zero Trust concept, can reduce your attack surface by only allowing employees access to the information they need in order to do their job.
A Virtual Private Network (VPN) lets employees connect to the corporate network from wherever they are, encrypting the data in transit.
Best practice also advises implementing multi-factor authentication, applying updates regularly and using rate limiting so that employees who need higher bandwidth get priority, all of which supports a safer network for everyone.
Inclusive rather than exclusive cyber culture
Part of what makes a successful PCS strategy is the people behind it. It is crucial your organisation has the best cybersecurity talent, but also that security skills and leadership are embedded across the organisation.
Bringing it back to our analogy at the start, a cyber champion should be part of every team, much like fire marshals at a school: ready to guide, train and monitor colleagues. This way we move the trust and empowerment for managing cyber risk one step closer to the point of need.
Looking to the future, organisations must build the human element into their wider security strategies. Only then can they be in the best possible position to defend against, and adapt to, this rapidly changing landscape.