Recently I moderated a workshop on cyber strategy, attended by people in the Chief Information Officer function at large(r) companies and institutions. As a 70-minute workshop does not produce a cyber strategy for a company, I aimed to create awareness that cyber security is more than just thinking about the PCs or servers of a company and setting more difficult passwords. It looked like everyone went home with a few new insights to consider when creating a cyber strategy for their respective companies and institutions. To give away one hint, I started with this question: “You’re about to go on holiday. The car is packed, wife and kids sit in the car and you are the last one in the home. What do you do before you leave?” Should you be interested to learn more, feel free to contact me. But there is more I want to share with you here.
Undermining cyber security
This is not about naming and shaming, which I will not do, but I just want to share these examples, as awareness concerning cyber security goes so much further than most people think and the implications of unconscious choices can be huge for a company or institution. The actual everyday behaviour of employees, behaviour they may not even give a thought to or be aware of, can undermine the security of a company completely. It seems like there is a great lack of understanding of cyber security and the risks of online behaviour, and a great gap in cyber awareness. Let me give two examples.
Two examples from everyday life
Recently I attended a conference. One of the topics was cyber security. At the opening the chair had an iPad in his hands from which he read his notes. In between his main message he mentioned that he had more or less had an argument with his young daughter because the iPad went along to work that day. So no gaming for the young lady.
Assuming this is the company iPad, the one that is plugged into the company’s network, let’s ponder the following, and I’m purely hypothesizing here. The daughter does not only play games installed on the iPad, but surfs around a little to free game sites or downloads some illegal copies of games onto the iPad. Who knows what else has been on the iPad since, and is now plugged into the company’s network?
This comment was made in all innocence, an example of everyday life, a comment we may all make regularly, but the chair also introduced a track on cyber security. It shows how far we still have to go to obtain cyber security, through awareness.
Another presentation had a security officer of a company admitting that he had Facebook on his company smartphone. The same sort of questions can be asked here, e.g. about online jokes sent around and opened.
How do these examples tie in to your behaviour and experience?
Cyber security and friends
In other words, the message here is that cyber security does not only involve your workers but perhaps, or most certainly, even the online behaviour of family and their friends.
I fully realise that the trend of mobile devices becoming a part of both the office and the private realm is unstoppable in 2012, but it goes to show the tremendous challenge cyber security personnel face in making and keeping a company’s ICT safe and secure. It is not only awareness we are talking about, but also changing people’s behaviour as a part of that awareness. The ease of use is turning against security. It looks like we humans are the weakest link in this chain. So what answers can industry come up with to make a safer ICT and online environment?
Changing behaviour starts with awareness. Contact me if you would like to know more.
Wout de Natris, De Natris Consult
Leiderdorp, 20 November 2012