Good cyber security culture should, literally, begin in employees' homes, says HSBC CISO Paula Kershaw

Top CISOs share their top employee engagement tips at InfoSec

Cyber security awareness, no matter who you speak to and what they're selling, is not a precise science. It's a war of several key battles, as delegates were reminded at Infosecurity 2019 in London today.

"I hate security awareness training," began Flavius Plesu, former head of IS at Bank of Ireland and now CEO of his own security training firm.

Quoting ICO data stating that more than 90 per cent of cyber attacks target human behaviour and less than 10 per cent have a technical basis, Plesu complained that "the traditional approach" of teaching employees about hacking and password or identity security rests on a "false assumption".

"It's [the belief that] pushing more knowledge into the company will result in event mitigation," he said, before positing that in order to actively become security aware employees, people must "have the intention to comply". If there's any reason not to, they're simply not going to bother.

"If you're laying people off, do you think they'll care? If they're leaving, they may even take information with them to their new job," he said.

"Another problem is unworkable policy - [security policy] says use strong passwords for every account. Who does that? The user will say, ‘I have 200 passwords for work and personal accounts. Am I able to change those regularly? Not really’."

One way to build this emotional connection, suggested Paula Kershaw, CISO for Europe and UK at HSBC, is to try and, quite literally, bring the message home.

"Colleagues develop the knowledge and skills on how to protect themselves, their families and the people they care about. If we teach them that [through corporate security training], they'll bring it back into the work place. And by that very nature we'll get engagement and willingness to learn."

Kershaw has solidified this scheme by - with the wider cooperation of the business - introducing end user ‘cyber champions’ drawn from HSBC's 235,000 employees across 66 countries, and involving these ‘champions’ in regular webinars, calls and other collateral.

"We have Cyber Shield Awards - people are really touched when they win these," Kershaw added, also revealing that focusing security training on "things that matter", such as "romance fraud" cyber training around Valentine's Day - as opposed to banking and financial services - is an important factor.

Linda McCormack, head of internal communications at Anglian Water Services, took a similar approach, but obviously with a more comms bent.

Deciding on the idea of cartoon monster mascots, dispersed as stickers, pens and Top Trumps cards, McCormack inserted the characters into calendar events such as Halloween and Christmas:

"The antivirus software we use at Anglian Water, our employees are free to use at home," she said.

"We packed up a Christmas campaign to remind people that when they take new tech out of boxes at Christmas they have to do updates. People who don't work in cyber security don't know that."

McCormack claimed that after six months, there was a decrease in the number of employees clicking suspicious links, down from 46 per cent to just 1.5 per cent, a 200 per cent increase in emails going to the corporate spam bin and, overall, a 79 per cent increase in Anglian Water employees saying they "better understand the risks to Anglian Water".

William Hill Group CISO Killian Faughan, who earlier had shared his views on how CISOs can successfully sell cyber security use cases to the board, summarised:

"I think security culture really starts with internal comms - I'm with Linda. You should be driving existing ownership instead of spinning off your own individual culture.

"Oil and gas run security culture the same way they run security - they've really understood culture has to run through everything."
