Cybersecurity needs a fire-safety mindset
Stop, drop and respond
Cyber response needs to be as ingrained and universal as fire safety.
Cybersecurity has transformed in the last 10 years, from attack vectors to targets to sheer complexity.
In the face of this transformation, the traditional tech-based response is no longer enough, said Ben Rowe of BD Rowe Consulting at today’s Cybersecurity Festival; the focus must be user-centric. Unfortunately, that opinion is far from mainstream.
“I work with one client that only does 40 minutes of cyber training [for their staff] annually, but that’s still way ahead of the average. Only 18% of UK businesses provide any training.”
Perhaps that’s not a surprise, as there is still a lot of scepticism around security training; it’s seen as boring, or irrelevant, or worst of all, an IT issue.
“We need to start changing that mindset. [Cyber] is not an IT issue, it’s an everybody issue. If something happens, as we’ve seen at Marks & Spencer this week, it affects everybody.”
Modern cyber training has come a long way from PowerPoint slides, but it still tends to be generic. To really make an impact, said Ben, you need to identify the key at-risk people in your organisation – “the ones with the data, money and access an attacker would want to target” – and provide them with specialised training. That will help them understand what an attacker might want from them, and how they might try to get it.
Once you have identified those people, start thinking about their specific risk factors and how they should respond when – not if – they have an incident.
“We need to start looking at personal response plans. If a person in finance discovers an incident, do they know what to do? Most people in a business will just report it to IT and then forget about it. They don’t know what to do with their laptop; they might try to finish work or send an email [while waiting for IT] and spread the attack further.”
Ben told delegates that cybersecurity needs to be treated in the same way as physical security, or health and safety. If someone discovers a fire, they don’t walk away; they know to isolate it, raise the alarm and get out of the building. Cyber needs the same level of ingrained training.
The beauty of this analogy is that it holds wherever you are: the way you treat a fire should be the same regardless of location. Similarly, “It doesn’t matter if a cyberattack strikes in your business, at home or in a coffee shop, you should treat it the same way.”
And, in the same way a business has fire marshals, consider a cyber marshal: someone senior who knows what to do, how to calm the situation down and is included in the incident response plan.
Finally, while you might be ahead of 82% of your peers if you do any training (congratulations), Ben stressed the need to make sure it sticks by following up with staff after the fact.
“We sometimes see phishing test emails; what about other types? What about a phone call asking to transfer money to an Apple gift card? What about the person that finds customer data has been breached? They need to understand a business can be attacked in different ways, and we need to build on today’s very generic, email-centric training.”