Cyber security training must be led from the top to have any impact
IHS Markit CISO says executives must be made to realise extent of threat
Cyber security awareness must be led from the top to ensure that it filters down to all staff, according to Darren Argyle, CISO of market research firm IHS Markit.
Speaking at the Investment Week Cyber Security Strategy Briefing 2016 event, held in partnership with Computing, Argyle said that without buy-in from the board, efforts to increase cyber awareness will not have an impact.
"You have to have support from the top, security will not work in any company if you don't have that," he said.
He said those responsible for security in their company should do this by making it clear just how big an impact a cyber attack could have.
He said one way to do this was to make executives aware of the extent to which their social profiles may be studied and used against them as part of a hack on the business, to help bring some reality to the threats they, and their firm, face.
"[Hackers] will often spend months trying to understand the hobbies and lifestyles of executives and then tailor an email to get them to open an attachment or click on a link," he said.
"You can spend millions on security but it's wasted if you can be hacked by an email. You need to build a risk-aware culture and if you make executives realise the risks they face you're more likely to get them engaged in a cyber security programme."
Argyle added, however, that there were also positive ways to hammer home the cyber security message, rather than just focusing on the dangers.
"If you're submitting a sustainability report and you want a high score you need a cyber security awareness programme. Similarly, if you have cyber insurance, then insurers want to know people are trained, and if they're not your premiums will go up," he noted.
"Customers too are increasingly putting questions to firms about their cyber security and it's much easier to deal with that if you have a clear, well-defined strategy in place and staff training in place."
Once top-level executives are on board with the need for cyber security training, it is vital that they remain involved, ideally with the CEO taking the lead. This is what Markit did: a video sent to all staff featured the CEO explaining why cyber security was so important to the business as a whole.
"You need to get the top people involved to make the message stick. Staff are more likely to listen to this than anyone else, such as the CISO."
Once an awareness programme is up and running, Argyle said, it is a good idea to recruit ‘cyber security ambassadors’ to monitor progress.
"It's all about building a human firewall as much as a technology one."