Fostering security buy-in within your organisation

It’s an unpleasant fact of modern life that rarely a week will go by without news of a high-profile data breach, leak, or targeted attack. Even multi-million-pound organisations, with IT teams larger than some businesses, frequently find themselves the victims of inadvertent leaks or phishing attacks, underlining the fact that – although many may wish it so – effective cyber security is not just a matter of throwing money at the problem.

In a world where around three-quarters of data breaches continue to involve the human element, it is naïve to believe that a robust defence can be achieved without first ensuring that understanding, compliance, and support is present at all levels of the organisation – whether it’s an NHS trust, university, or private business. This naturally includes the basic training and awareness that most organisations will already be conducting, but it also goes much further – for the greatest success, the organisation needs to foster legitimate buy-in from all those involved.

Though they may not be involved in the nuts and bolts of a cyber defence solution, this still includes the organisation’s leadership team. Without ensuring that they are fully behind the effort, even exhaustively planned implementations can end up under-funded, deprioritised, or completed half-heartedly – leading to an unsuccessful implementation and ultimately achieving little other than spending organisational time and resources. Similarly, in-house IT teams will need to be fully invested in any cyber security effort, as they’ll be the ones primarily responsible for implementing and maintaining the measures put in place – as well as being on the front lines should an attack or breach occur. Without their commitment, potentially sound implementations risk languishing without ongoing reviews and maintenance, leaving the organisation vulnerable to new and emerging threats. Finally, the rest of the staff in the organisation will need to be kept abreast of developments and engaged in training, as they’ll likely be interacting with the system on a daily basis. Without suitable training, every member of staff in the organisation can represent a potential security vulnerability, whether it’s through manipulation by social engineering, stolen credentials, privilege misuse, or simple error.

It might be taken for granted that the leadership team would rally behind a robust cyber security implementation, given the threat of attacks or breaches down the line. After all, such an incident could mean devastating financial and reputational loss for the company, even putting aside the disruption to productivity and operation that would occur immediately afterwards. However, it’s likely that many within the leadership team will have gone through enough business continuity policies and crisis contingency plans that they may feel somewhat inured to the prospect; if it hasn’t happened yet, they may think, who’s to say it ever will? Or, perhaps more alarmingly, if it’s going to happen eventually, why bother trying to avoid it at all?

The leadership team will be the most likely group to value the health and reputation of the business, and so hopefully they will already be fully aware and on board with implementing effective cyber security measures. If they still need some persuading, however, there are a few avenues that can be explored. Conducting some basic security testing within the organisation – for example, sending out false phishing emails internally – can be an effective method of gathering hard evidence of the resilience of the organisation’s current security measures, which can then be taken to the leadership. While it’s easy to put theoretical threats out of mind, being presented with evidence that, had a real attack occurred, the company could have been compromised is more likely to catch their attention. If the proposed implementation would involve partnering with a specialist, the case can also be made that they may identify and eliminate inefficiencies and redundancies in the current system, improving organisational productivity generally.

An organisation’s internal IT team is another group that might be assumed to have pre-existing buy-in regarding refactoring and strengthening cyber defences. However, in many cases these internal teams are stretched to such an extent that just keeping the existing estate running is taking up the vast majority of their time. It can be a very tall order to then expect them to carve out the time to implement new measures without having it impact the rest of their responsibilities.

There are two approaches that might help dampen these concerns. Firstly, it’s worth emphasising that pre-emptively putting in place a solid security foundation will undoubtedly take much less time and effort – and result in less stress – than attempting to remedy a situation after a substantial breach or successful attack. Secondly, contracting with a specialist third-party partner to take ownership of the task can not only help achieve outcomes beyond what might be possible using internal resources, but these partners can also provide optimisation and management services that will lighten the day-to-day workload placed upon in-house IT teams. This might take the form of locating bottlenecks in outdated or underperforming hardware, or ensuring interoperability between systems that previously didn’t communicate correctly, and reducing the number of tickets raised by the wider staff.

Speaking of the wider staff, one of the most effective ways to ensure that everyone is working towards the same goal is to build a culture within the organisation where cyber security is a frequent topic of focus. If the subject is one that people only encounter once a year when they’re tasked with training exercises, it’s more likely that they will view it as something that only needs to be thought about during those periods. This doesn’t need to take the form of endless corporate training – framing information in terms that will help individuals in their personal lives can help them to ingest the important details, and learn skills that will be equally applicable at home or work. Quizzes and informal tests can also help, but it’s important that individuals don’t feel that they’ll be penalised for getting something wrong, either in the test or in a real-life scenario. The last thing an organisation wants is for an individual to feel afraid to bring attention to a potential mistake and instead hope it just goes away.

Most of all, remember that you don’t need to do all of this on your own. An experienced partner will help you to clearly elucidate the goals and importance of strengthening your defences, as well as providing the experience and skills required to bring these goals to fruition, without straining your internal teams even further than they currently are. Get in touch with us at security@itgl.com to start a discussion around your organisation’s needs, goals, and how we can help you achieve these.