SMEs failing to address cyber security threats despite risks

Small to medium enterprises (SMEs) are failing to prepare adequately to address cyber security threats – despite the growing risks.

SMEs failing to address cyber security threats despite risks

Despite the WannaCry and Petya global cyber attacks, only 42% of SME IT decision makers polled in the UK, US and Australia are concerned about ransomware.

In fact, ransomware ranked lowest among concerns, with new of malware infections topping the list, followed by mobile and phishing attacks, according to a survey commissioned by security firm Webroot.

However, Webroot’s threat research from June 2017, which is based on data from a variety of businesses, reveals that more than 60% of companies have already been affected by ransomware, with the financial and retail sectors being hit the hardest.

In the UK, the research highlighted a false sense of security among IT decision makers. Even though 72% of UK respondents admit their businesses are not prepared to address external threats, 87% are confident their staff would be able fully address or eliminate an issue.

According to the survey report, when a business suffers a cyberattack, the consequences are felt both internally and externally.

Almost 58% of UK respondents, compared with 65% globally, believe it would be more difficult to restore the company’s public image than to restore employee trust and morale.

Underscoring the need for proactive security solutions, respondents estimate a cyber attack on their business where customer records or critical business data were lost would cost an average of £737,677 in the UK compared with an overall average of £773,483.

SMEs typically face the same threats as bigger organisations, but lack the same level of expertise and other security resources.

Addressing the growing threat, nearly all respondents plan to increase their annual IT security budget in 2017 compared to 2016, according to the report.

SME with 100 to 500 employees currently manage IT security in various ways, the survey revealed. In the UK, 22% of SMEs have in-house employees who handle IT security along with other responsibilities, compared with the average of 20%.

A third of UK SMEs use a mix of in-house and outsourced IT security support, compared with an average of 37%, while 25% have a dedicated in-house IT security professional or team, compared with 23% on average.

In the UK, 92% of respondents believe outsourcing IT solutions would protect their organisation against threats and increase their bandwidth to address other areas of their business, compared with an average of 90%.

Using a third party cyber security provider

Among businesses that do not currently outsource IT security, 82% of UK SMEs will likely use a third-party cyber security provider in 2017, compared with an average of 80%, which represents a big opportunity for managed security service providers (MSSPs), the report said.

The lack of planned investment in cyber defences is surprising in the face of increased attacks, the costs associated with those attacks, and the fact strong cyber security has the potential to give SMEs an opportunity to stand out from competitors, with as many as one in 20 claiming to have gained an advantage over a competitor because of stronger cyber security credentials.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Half of UK SMEs spend less than £1,000 on cyber security

Almost 50% of UK small to medium enterprises plan to spend £1,000 or less on cyber security in the next year and 22% do not know how much they will spend, insurance firm Zurich has found.

Almost 50% of UK small to medium enterprises plan to spend £1,000 or less on cyber security in the next yearAs many as 875,000 small and medium-sized enterprises (SMEs) in the UK – 16% of the total – have been hit by a cyber attack in the past 12 months, according to the latest Zurich SME Risk Index.

Businesses in London are the worst affected, with almost a quarter (23%) reporting suffering a breach within this period.

Of businesses that were affected, more than one fifth (21%) said it cost them more than £10,000 and one in 10 (11%) said it cost more than £50,000.

Yet despite the volume of attacks and potential losses, the survey of more than 1,000 UK SMEs showed that business leaders are not committing to investing significantly in cyber security in the year ahead.

The survey, by YouGov on behalf of Zurich, found that 49% of SMEs admitted they plan to spend £1,000 or less on their cyber defences in the next 12 months, and almost a quarter (22%) do not know how much they will spend.

The lack of planned investment in cyber defences is also surprising in the light of the fact that business leaders report that strong cyber security is giving them an opportunity to stand out from competitors, with as many as one in 20 claiming to have gained an advantage over a competitor because of stronger cyber security credentials.

This trend is confirmed by a separate survey of SMEs by security e-learning firm CybSafe, which showed that half of SMEs polled have had cyber security conditions included in contracts with enterprise customers in the past five years, and one-third of respondents said they have had their cyber security measures questioned as part of winning contracts in the past year.

Also, 44% said they have been required to hold a recognised cyber security standard, such as ISO 27001, by their enterprise customers in the past five years and 28% in the past year alone, demonstrating a clear trend in enterprise approach to supplier information security.

“While recent cyber attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it is important to remember that small and medium-sized businesses need to protect themselves too,” said Paul Tombs, head of SME proposition at Zurich.

“The survey results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses.”

However, Tombs said that although the rate of attacks on SMEs is troubling, it also shows there is an opportunity for businesses with the correct safeguards and procedures in place to use this as a strength and gain an advantage.

In September 2016, a report by Juniper Research revealed that 74% of UK SMEs believed they were safe from cyber attack, despite half of them admitting having suffered a data breach.

The report showed that 86% of the SMEs surveyed thought they were doing enough to counter the effects of cyber attacks, and 27% believed they were safe from attack because they were small and of no interest to cyber criminals.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Defence minister opens £3m cyber security centre in

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

The Cyber Works centre, which employs 90 people, will enable Lockheed Martin to work more closely with UK partners to share knowledge and best practice, undertake research and develop new cyber defence capabilities.

In February 2017, Lockheed Martin announced that it would support the UK government’s CyberFirst scheme to inspire and support young people considering roles in cyber security.

The Cyber Works centre is designed to deliver cyber capabilities to UK government as well as support the development of skills and careers in cyber security and intelligence.

Harriett Baldwin, UK minister for defence procurement, said that with its £1.9 billion National Cyber Security Strategy, the country is a world leader in the field.

“The opening of today’s cutting-edge centre is a great example of how partnerships with industry are at the heart of that strategy,” she said. “Together, we are developing solutions to national security risks.”

A key part of the Cyber Security Strategy is partnerships with industry, with £10 million being invested in a new Cyber Innovation Fund to give startups the boost and partners they need

Baldwin said the UK is already leading Nato in its support for offensive and defensive operations in the fight against Islamic State (IS) and complex cyber threats. “This centre will further boost the UK’s cyber capabilities,” she said.

Lockheed Martin is the world’s largest aerospace and defence company and a longstanding leader in the fields of cyber security and intelligence.

The company pioneered the development of the cyber kill chain, an analysis method for cyber network defence that has been broadly adopted across industries and sectors.

Lockheed Martin is also a top provider of capabilities to defence and intelligence communities around the world and operates facilities to defend its own networks across 70 countries.

As well as investing in the new facility, Lockheed Martin plans to take part in the National Cyber Security Centre’s £6.5 million CyberInvest scheme to support cutting-edge cyber security research in the UK.

With National Offensive Cyber Planning allowing the UK to integrate cyber into all of its military operations, defence plays a key role in the country’s cyber security strategy, according to the Ministry of Defence (MoD).

Offensive cyber is being routinely used in the war against IS, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates, the MoD said.

In defence, the MoD said the £800m Innovation Initiative has already boosted investment in UK research and business, with multimillion-pound competitions to develop artificial intelligence and automated systems.

In January next year, the ministry will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all military joint cyber training into one place.

The MoD also has a key role to play in contributing to a culture of resilience, which is why the Defence Cyber Partnership Programme was set up to ensure its industrial partners protect themselves and meet robust cyber security standards, the ministry said.

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

Major cyber incidents accelerating, says NCSC

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency.

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency

In the eight months since inception, the UK’s National Cyber Security Centre (NCSC) has recorded 480 major cyber incidents requiring its attention.

However, there has been big rise in these types of incidents in the past few months, in part due to an improved ability to spot them and a greater willingness to report them, according to John Noble, director of incident management at the NCSC.

“This increase in major attacks is mainly being driven by the fact that cyber attack tools are becoming more readily available, in combination with a growing willingness to use them,” he told The Cyber Security Summit in London.

Although the WannaCry ransomware attacks in May 2017 came very close, Noble said there had been no C1-level national cyber security incidents to date.

The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organisations. These account for 451 incidents to date.

The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.

Across these nearly 500 incidents, Noble said there were five common themes or lessons to be learned.

1. There is still a need for organisations to get the basics right

“We are still seeing organisations that are not getting the basics right, like software security patching, antivirus updating and putting in basic protections and controls for system administrators, who are typically big targets for attackers to steal their credentials,” said Noble.

2. Failure to get the balance right between usability and security

“In the vast majority of incidents we see, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability leading to things like logging being turned off to optimise performance,” said Noble.

“The decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters,” he said.

3. Legacy systems and equipment

The existence of legacy systems and equipment in the enterprise presents opportunities to attackers, said Noble. “Often, when we investigate incidents, we find it is in the legacy systems that the compromise has begun,” he said.

4. Outsourcing

“In early 2017, we reported on a major compromise of managed service providers, which provide a tremendous opportunity for bad actors,” said Noble, alluding to Operation Cloud Hopper that was uncovered in April.

“MSPs enable attackers to obtain security credentials in one country, traverse across their network, and then compromise a company or series of companies in another country, and exfiltrate the data through a third country,” he said.

In response, Noble said the NCSC had published a list of questions organisations should ask their MSPs in terms of security.

“Similarly, organisations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved,” he said.

5. Mergers and acquisitions

In mergers and acquisition, cyber security is often overlooked in the due diligence process, said Noble. “As a result, the cyber risk is not understood and not addressed effectively,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Key lessons from Petya cyber security ransomware attack

The recent Petya cyber security attack does not follow other recent attacks.

The recent Petya cyber security attack does not follow other recent attacks.

Security researchers are struggling to reach consensus on whether the ransomware responsible for the latest global attacks is a new version of Petya or not, and even whether it was true ransomware, but what they have learned so far could help guide security strategies.

Those in support of retaining the Petya name point out that it essentially behaves in exactly the same way because it is designed to:

Encrypt files on disk without changing the file extension.
Forcibly reboot the machine upon infection.
Encrypt the Master Boot Record on affected machines.
Present a fake CHKDSK screen as a cover for the encryption process.
Present a near-identical ransom demand screen after completing its activities.

According to the latest update on the malware, Kaspersky Lab says code analysis has revealed it is technically impossible to decrypt victims’ disks.

To decrypt a victim’s disk threat actors need the installation ID, and in previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery, researchers at the security firm said.

However, they found the new malware – which they have dubbed ExPetr – does not have any such recovery mechanism, which means the threat actor could not extract the necessary information needed for decryption.

In short, victims could not recover their data even if they paid the ransom, the researchers said, which again calls into question the motive behind the malware.

This discovery not only further endorses the security community’s earlier advice not to pay the ransom, but also raises further questions about the true purpose of the malware and is likely to fuel further speculation that it may have been intended purely as a means to cause disruption on to mask some other malicious activity.

This view is supported by the latest statement from the UK National Cyber Security Centre (NCSC) that while managing the impact to the UK of the incident, the NCSC’s experts have found evidence that questions initial judgements that the intention was to collect a ransom. “We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain,” the NCSC said.

Whatever the true purpose, analysis of the malware has confirmed some of the lessons learned from WannaCry and added others which organisations should consider in order to improve their cyber defence capabilities against future threats.

The key lessons from the cyber security attack that have emerged so far are:

1. Having the latest versions of software and ensuring they are patched up to date will go a long way in reducing organisations’ vulnerability to cyber attack.

2. Malware is increasingly using legitimate tools for malicious activity to go undetected. In the case of ExPetr, two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec were used.

3. Malware is hijacking software updating mechanisms to spread malware, and is likely to use this technique increasingly in future.

4. An appropriate and well-tested backup and recovery plan for critical systems and data will go a long way to mitigating the effects of ransomware and other malware attacks, regardless of its particular characteristics.

5. Malware is abusing security tools to discover usernames and passwords, which means organisations should ensure they have appropriate systems and procedures in place to prevent credential abuse.

ExPetr uses the publically available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users to spread itself on local networks. You can find more details at: https://github.com/gentilkiwi/mimikatz

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

UK firms buying bitcoins for ransomware attacks

Large UK firms are prepared to pay out more than £136,000 on average to cyber criminals who launch ransomware attacks.

Large UK firms are prepared to pay out more than £136,000 on average to cyber criminals who launch ransomware attacks.

The amount firms with 250 employees or more are willing to pay ransomware attackers is up nearly four times compared with a year ago, according to a survey of 500 IT decision makers by One Poll.

The survey, commissioned by secure connectivity firm Citrix, also shows that more than two-fifths are stockpiling bitcoins in case of a ransomware attack, compared with a third a year ago.

On average, UK firms are stockpiling bitcoin cryptocurrency worth around £46,000, while a third have bitcoins worth more than £50,000 on standby.

The survey also shows that smaller companies are more likely to keep a supply of cryptocurrency such as bitcoin on hand than larger businesses.

Half of the businesses with 250-500 employees polled said they were stockpiling digital currency, up from 36% of this group a year ago. In comparison, just a quarter of businesses with 1,000 or more employees are accumulating cryptocurrency, which is unchanged from 2016.

The decision to stockpile digital currency reflects a widespread attitude that paying a ransom may be necessary. Only 22% of businesses polled said they would be unwilling to pay anything if struck by a ransomware attack, down from 25% a year ago.

UK firms unprepared for ransomware cyber security attack

The 2016 research revealed that one-fifth (20%) of companies with 250-500 employees did not have any contingency measures in place in case of a ransomware attack, however this has fallen to just 7% in 2017.

While many businesses are preparing to block ransomware attacks or pay out if hit, others are missing out on simple cyber hygiene procedures which can limit the impact of a ransomware attack. For instance, over half of large UK firms (55%) still do not back up their data at least once a day.

“Cyber criminals are resorting to ransomware to exploit the vulnerabilities that exist within UK organisations,” said Chris Mayers, chief security architect at Citrix.

“This is no secret, with global attacks hitting the headlines, yet many businesses are still being caught out. Organisations must ensure they’re prepared for the reality of this threat and take action to safeguard the IT network for an attack and protect mission-critical data,” he warned.

Stockpiling a potential ransom may alleviate concerns about ensuring constant access to data, but Mayers said there was no guarantee that data would be returned once a ransom had been paid.

“Instead, committing to robust cyber security techniques and ensuring specific contingency measures are in place to deal with an attack can reduce the chances of falling prey to ransomware in the first place.”

“While more companies are preparing to pay out, many still fail to back data up each day. Organisations should look at dedicated techniques, from encryption to virtualisation, to keep data and apps safe across all devices and desktops – and out of reach of today’s persistent cyber attackers,” he said.

 

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Europe faces shortage of 350,000 cyber security professionals by 2022

European companies are expected to go on the world’s biggest cyber security hiring spree in the next 12 months, driving demand for cyber talent that will far outstrip supply, a report has revealed

European companies are expected to go on the world’s biggest cyber security hiring spree in the next 12 months, driving demand for cyber talent that will far outstrip supply, a report has revealed

Nearly 40% of European firms want to grow their cyber security teams by at least 15% in the next year, according to the latest report based on the 2017 Global Information Security Workforce Study.

The study, commissioned by information security certification body (ISC)2, is based on a survey of 19,000 cyber security professionals around the world, including nearly 3,700 respondents in Europe.

Although European organisations have the most ambitious hiring targets in the world, two thirds say they currently have too few cyber security professionals.

Europe faces a projected skills gap of 350,000 workers by 2022, according to the report, which calls for employers to do more to embrace newcomers and a changing workforce.

The study revealed that 92% of hiring managers admit they prioritise previous cyber security experience when choosing candidates, and that most recruitment comes from their own professional networks.

Hiring managers also admitted that they are relying on their social and professional networks (48%), followed closely by their organisation’s HR department (47%), as their primary source of recruitment.

Globally, the report shows that strong recruitment targets, a shortage of talent, and disincentives to invest in training are contributing to the skills shortage, with 70% of employers around the world looking to increase the size of their cyber security staff this year.

The demand is set against a broad range of security concerns that continue to develop at pace, the report said, with the threat of data exposure clearly identified as the top security concern among professionals around the world.

Concern over data exposure is linked to new regulations aimed at enhancing data protection around the world, including Europe’s General Data Protection Regulation (GDPR).

The deadline for compliance with the GDPR is 25 May 2018. After that date, organisations found in breach of the regulation faces fines of up to €20m or 4% of global turnover, whichever is greater.

The report describes a revolving door of scarce, highly paid workers with an unemployment rate of just 1% in Europe.

Organisations are struggling to retain their staff, with 21% of the global workforce saying they have left their jobs in the past year, and facing high salary costs, with 33% of the workforce in Europe in particular making more than £78,000 ($100,000) a year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries, and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers of how to hire and retain talent in such an environment,” the report says.

The report recommends that organisations adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show workers with non-computing-related backgrounds account for nearly one-fifth of the current workforce in Europe and that they hold positions at every level of practice, with 63% at manager level or above.

The report also highlights a mismatch between the skills recruiters are looking for and workers’ priorities for developing a successful career, suggesting skillsets may not be keeping pace with requirements.

Currently, the top two skills workers are prioritising include cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise looking for communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills, respectively.

Other recommendations include:

Looking beyond social and professional networks as the main channel of recruitment to open doors for new, younger and more diverse talent.
Accepting the need to invest in development and training because more talent is needed to stem the high levels of movement on job markets.
Better communication of current employer requirements because workers prioritise different skills for their professional development than what employers look for in the workforce.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Twenty years of online banking has increased financial awareness

Online banking is helping people manage their finances better and reduce their debt as a result

More than two-thirds of consumers can keep on top of their finances because of the arrival and evolution of online banking, and even more control is guaranteed as competition in the banking sector drives investment in technology.
Download this free guide
94.4% of cloud apps are not secure enough for enterprises

Twenty years after Nationwide launched the UK’s first online banking service, the building society has surveyed 2,000 people in the UK to find out how online banking has changed the way they manage their money.

The survey revealed that 22% of people are in less debt because they can keep a closer eye on their finances. Almost 70% of people said online banking helps them keep on top of their finances and 40% said it helps them budget better.

Saving time is another benefit identified for online banking, with 28% of people saving at least an hour a week by not having to carry out traditional banking tasks such as waiting at ATMs and visiting branches.

Although 10% of people still don’t use online banking services, the pace of take-up and use has accelerated in recent years as the fintech revolution leads to more customer acceptance. Nationwide itself has reported a 73% increase in the number of customer logins in 2016 compared with 2015.

James Smith, Nationwide’s director of mobile and digital, said: “People are using the ability to log on any time, anywhere to try to ensure they are staying well in control of their finances and attempting to avoid any unnecessary debt.”

Smith said consumers are increasingly being drawn to new ways of making their money management easier. “Innovation in personal finance is clearly something that intrigues people, as three in five believe we will be paying for everything via our thumbprint by 2037,” he said.

According to the survey, about half (55%) of people think phones or watches will be used to pay for everything by 2037, and 40% think cash will stop being used in the next 25 years.

But despite the undoubted consumer thirst for online banking services, a recent major survey of UK consumers revealed that bank branches are more important than mobile apps.

The report, conducted by PwC and the British Banking Association, surveyed 2,000 consumers in the UK about their banking preferences. It showed that 68% of consumers think a bank branch is essential when opening a new current account, compared with 25% who favour a mobile app.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Top UK firms’ websites violate key GDPR principle

Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection

Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection

With just a year to go before the deadline to comply with the EU General Data Protection Regulation (GDPR), many UK firms’ websites are capturing personal data insecurely, a study shows.

More controls are needed because most data capture forms found on websites fall within the scope of the GDPR, according to new research by digital threat management firm RiskIQ.

h3::
The EU regulation requires that provisions should be in place to ensure that personally identifiable information (PII) is captured and processed securely.

In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

The study revealed that 34% of web pages of FT30 firms that collect PII are doing so insecurely, 29% are not using encryption, 3.5% are using vulnerable encryptions algorithms, and 1.5% have expired security certificates.

While the insecure collection of PII is a violation of the GDPR, the study said the loss of personal data, profit and reputation resulting from the use of insecure forms is a legitimate concern for consumers and shareholders.

In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at €10m or 2% of global annual turnover for the preceding financial year, whichever is greater – or even double, depending on the infraction.

This applies to all companies actively engaging with European citizens, regardless of whether the firms have a physical presence in Europe.

The GDPR also requires companies to state clearly at the point of capture how they will use an individual’s data. Permission to use their data must be explicit and demonstrated through an action such as ticking a box – a significant departure from the “opt out” process most organisations currently have in place.

The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes, but also for regulatory compliance, such as the GDPR.

Information commissioner Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she called “the biggest change to data protection law for a generation”.

However, 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline and 30.6% said they had no timetable for being GDPR compliant, according to security firm Guidance Software.

Almost 18% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

People can be strongest link in cyber security, says NCSC

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy. Wake up and get the knowledge to get protected.

The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture.

“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.

“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.

“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.

An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.

Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.

Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.

“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”

The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.

While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.

Users still commonly see security as policing role, she said, and do not feel confident enough or too afraid to talk to security teams about the challenges they have and where they feel the need to bend or even flout security rules in order to get their jobs done, for fear of being sanctioned in some way.

“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.

“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”

End-users should be viewed as a positive asset who have information that security professionals do not have about how the business runs and how it needs to run, rather than be seen as a liability that has to be managed, said Emma W.

“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.

Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.

“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.

“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.

Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.

For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security and are encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.

Users are typically blamed for failings around passwords, but this is mainly because most people find it difficult to follow company policies on passwords.