{"id":84,"date":"2020-01-06T19:14:00","date_gmt":"2020-01-06T19:14:00","guid":{"rendered":"http:\/\/closehelmsecurity.co.uk\/?p=84"},"modified":"2024-03-17T16:26:52","modified_gmt":"2024-03-17T16:26:52","slug":"security-think-tank-lets-call-time-on-inciting-fear-among-users","status":"publish","type":"post","link":"http:\/\/closehelmsecurity.co.uk\/?p=84","title":{"rendered":"Security Think Tank: Let\u2019s call time on inciting fear among users"},"content":{"rendered":"\n<p>Originally Published Online: <a href=\"https:\/\/www.computerweekly.com\/opinion\/Security-Think-Tank-Lets-call-time-on-inciting-fear-among-users\">Security Think Tank: Let\u2019s call time on inciting fear among users | Computer Weekly<\/a><\/p>\n\n\n\n<p>Traditionally, business users are not directly engaged with day-to-day&nbsp;IT security activities&nbsp;and are therefore not briefed on why security is important both to them and the enterprise overall. As a result, IT security is often widely regarded as an \u201cIT problem\u201d.<\/p>\n\n\n\n<p>The security industry has tried to address this in different ways, including blaming end-users for incidents (which results in people not reporting anything to avoid getting into trouble), and forcing security on employees with complicated solutions (which leads to users finding innovative workarounds in order to carry out the activities required to do their job).<\/p>\n\n\n\n<p>The \u201choodie hacker\u201d was born from the idea of adopting imagery that would resonate with people and dissuade them from carrying out activities that put the organisation at risk.<\/p>\n\n\n\n<p>However, as with the tactic of blaming end-users, this approach can also incite fear. Any errors, however small, are believed to result in an event occurring that is disproportionately \u201cbad\u201d. This is potentially counterproductive \u2013 in&nbsp;making IT security frightening, confusing and obscure, the temptation is to ignore it. 
Someone in finance, for example, might feel they have no power to stop a hacker.<\/p>\n\n\n\n<p>When searching for a solution to this conundrum, it is important to remember that crime in general is not new. The vast majority of cyber crime is rooted in traditional illegal activities that have been occurring since the beginning of the human race. Even \u201cmodern\u201d cyber attacks, such as the oft-quoted Nigerian prince scam, can be traced back to the 1700s and the last Anglo-Spanish war.<\/p>\n\n\n\n<p>In general, people understand crime. Leaving a car unlocked means it is more likely to get stolen. Letting random people into the house can increase the chance of being robbed. Locking the doors of the house but leaving windows open gives burglars an easy route in. But there is a disconnect when it comes to translating these events into their cyber equivalents \u2013 failure to use passwords and responding to phishing attacks, for example.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tailored tools and communication<\/h3>\n\n\n\n<p>IT professionals therefore need to understand the audience and their different motivations, and adopt ways to communicate messages and information&nbsp;to which these \u201cnon-IT\u201d teams can relate, such as talking in terms of business risk and using scenarios that are already familiar. The executive is unlikely to be interested in arguments framed around too many users having privileged access within an application \u2013 but they will care that the entire business could be disrupted if definitive action is not taken.<\/p>\n\n\n\n<p>If bringing organisational threat to life via the script kiddie image works, then it\u2019s an effective tool in the fight against cyber crime. But it\u2019s not the only one. 
Other people may relate better if different types of cyber attack are likened to the more traditional forms of crime that are familiar to them.<\/p>\n\n\n\n<p>Equally, a carrot approach can be highly motivational, such as showing users that they are already being secure by using strong passwords and highlighting that&nbsp;being cyber safe is easier than they think.<\/p>\n\n\n\n<p>Substantiating the threat to the business is also a useful way to help end-users understand why security is important. Appreciation of the problem will help to increase cyber awareness and trigger a more diligent response from the wider teams.<\/p>\n\n\n\n<p>Where knowledge is missing, tailored training that addresses specific weaknesses should be undertaken.<\/p>\n\n\n\n<p>Employees are as important as the IT security team in preventing and spotting actual and potential breaches. They need to know this and be reminded regularly. Constantly vigilant personnel equates to&nbsp;<a href=\"https:\/\/www.computerweekly.com\/opinion\/Cyber-security-How-to-avoid-a-disastrous-PICNIC\">a human firewall<\/a>. This needs to be reinforced with a process for reporting issues that is simple and, ideally, anonymous.<\/p>\n\n\n\n<p>At the same time, rather than putting textbook controls in place that stop users working effectively, IT professionals should coordinate with business departments to understand how they need to work, and then ensure that is both secure and practical.<\/p>\n\n\n\n<p>Tackling the omnipresent cyber security challenge is as much a cultural issue as a technical one. Forging stronger links between the business and IT can only happen with senior sponsorship and \u201ctop down\u201d example-setting.<\/p>\n\n\n\n<p>The script kiddie image can be useful in the right circumstances. But, as we move into a world where everyone within the enterprise is responsible for security, the barriers that have crept up over the past decade need to be dismantled. 
In their place, ways of working that foster knowledge, understanding and collaboration \u2013 rather than fear \u2013 need to be adopted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The traditional picture of a hacker is of a script kiddie in a hoodie hunched over a computer keyboard, but this stereotype is stale and outdated. Is it time to move away from a fear-based approach to security?<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5,3],"tags":[13,12,14,7],"class_list":["post-84","post","type-post","status-publish","format-standard","hentry","category-article","category-computerweekly","category-published","tag-human-risk","tag-security-think-tank","tag-training-and-awareness","tag-turnkey"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/paGq19-1m","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/84","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=84"}],"version-history":[{"count":3,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":89,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/84\/r
evisions\/89"}],"wp:attachment":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}