Asia Pacific Security Magazine, May/June 2018

Page 32

Cyber Security Frontline

Walls have ears: Why culture and process matter in improving cyber security By Mike Stone Global Head of Technology Transformation for Infrastructure, Government and Healthcare, KPMG International


When organizations consider cyber security, they usually focus most of their attention on technology, partly because that is what the market pushes them towards. In my view, however, 50% of cyber security is cultural, 30% process and just 20% technology. Cyber security is an arms race and the boards of all organizations need to take it seriously. Frankly, if it isn't one of the key items on a board's risk register, that board is asleep at the wheel. But many of the right responses on culture and process are neither new, nor are they particular to cyber security.

On culture, the insider threat has long been a problem for organizational security. British government posters during the Second World War reminded citizens that 'Careless talk costs lives', with one 1940 Ministry of Information poster also having someone telling a friend 'Don't forget that walls have ears!' in front of wallpaper patterned with Adolf Hitler's face.

But 'careless talk' is now something that millions of people indulge in, assuming that they can share everything through social media. While some may be put off by recent coverage of how their data is used, many people are in the habit of sharing their personal and professional lives online by default.

To help tackle this, organizations need education, not just about cyber threats such as phishing but more broadly about how people treat any form of information sharing or access. It might not matter if an employee posts a picture of themselves online, but it might matter very much if it includes a screen showing sensitive information or a sticky note with a password.

Security professionals should consider culture too

The onus is also on security professionals to consider how employees actually behave rather than how they believe they should. According to the UK's National Cyber Security Centre (NCSC), British citizens have an average of 22 online passwords, far more than most people can realistically remember. So they reuse them, using the same password for an average of four websites. Many of these passwords will be weak ones, with research based on five million leaked in 2017 suggesting that the favorite choices remain '123456' followed by 'password'.

Security professionals can help with more user-friendly authentication processes. NCSC backs the use of password management software for individuals, which can generate a strong password for each service; it is more likely that users can remember a single strong master password than two dozen. For organizations, a single sign-on service provides a similar option. NCSC also discourages organizations from forcing users to change passwords regularly, on the grounds that many people will use a similar weak one as the replacement. There are also technology-focused approaches for
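As an added example, not code from the article or from any NCSC tool, the following Python puts the guidance in the preceding paragraph into practice: reject passwords that appear on a denylist of common leaked choices rather than forcing periodic rotation, generate a distinct random password per service the way a password manager does, and detect the reuse of one password across several services. The denylist, the minimum length and the service names are constructed assumptions for this example.

```python
"""Added example: NCSC-style password handling.

  1. deny known-bad passwords instead of forcing rotation;
  2. generate one fresh random password per service;
  3. find a password reused across services.
The denylist, MIN_LENGTH and the sample services are constructed
for this example and are not figures from the article or from NCSC.
"""
import math
import secrets
import string

# Constructed denylist. A real deployment loads a large breached-password
# list; the article names '123456' and 'password' as the top leaked choices.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "123456789", "qwerty", "12345678", "111111",
})

MIN_LENGTH = 8  # assumption for this example, not an NCSC figure

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(candidate: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no 'must contain a symbol' or 'expires in 90 days' rule:
    the point is to block known-bad passwords, not to force churn.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Uniformly random password drawn with the CSPRNG behind `secrets`."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def build_vault(services, length: int = 20) -> dict:
    """One fresh random password per service, as a password manager does."""
    return {service: generate_password(length) for service in services}


def find_reuse(vault: dict) -> dict:
    """Map each password used for more than one service to those services."""
    by_password = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed sample: one weak password reused on four sites.
    reused = {"mail": "password", "bank": "password",
              "shop": "password", "forum": "password"}
    print("reuse:", find_reuse(reused))
    print("check 'password':", check_password("password"))
    vault = build_vault(["mail", "bank", "shop", "forum"])
    print("reuse after generation:", find_reuse(vault))
    print("bits per generated password: %.1f"
          % entropy_bits(20, len(PASSWORD_ALPHABET)))
```

The denylist check is case-insensitive and is the only negative rule; composition rules and expiry are omitted on purpose, matching the NCSC position that forced changes tend to produce a similar weak replacement. The entropy figure (about 131 bits for 20 characters from a 94-symbol alphabet) is what makes a generated per-service password worth a manager's master password.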

