A few weeks ago, we saw the WannaCry ransomware attack on the NHS provide the perfect environment for cyber-attacks to spread not only malware, but also confusion, concern and capability failures. The containment of the NHS attack, and the subsequent restoration of the majority of its affected trusts within 24 hours, was a lucky escape. It’s now time for complex organisations to act and bolster their defences before the next wave of attacks comes this way.
What’s the Risk for Universities?
Pinpointing the specific risk is always key to determining the preventative measures that organisations need to take. Why? Because risk defines both the most valuable assets an organisation holds, and the vulnerabilities in its defences. Universities hold valuable data on each individual student, which if accessed could damage their financial and reputational status. It takes only a moment to imagine the headlines from a ransomware attack in which thousands of students’ medical, educational and personal details were at stake, to understand the importance of ensuring defences are sound when it comes to protecting your ‘crown jewels’.
Arming Your Frontline Protectors
Most ransomware attacks begin with an employee clicking on a link in an email. Employees need to have a clear and informed understanding that a critical aspect of their job role is now guarding data and defending their business assets from criminals. Regular security awareness training certainly helps here, but a simple one-off training session would be a lacklustre response to a threat as big as the one we saw decimate the NHS services.
In order for cybersecurity to gain the teeth it needs, there is only one way to instil its presence across a work culture, and that is through conversation and one-to-one interaction. Conversation is how we learn; face-to-face interaction is how we distil practical knowledge. Cybersecurity needs to permeate every meeting, every appraisal, every planning session; it needs to be on every agenda. We need to stop thinking of cybersecurity as a block of stuff that gets wheeled out on special occasions, and start thinking about it as a fluid, life-giving sustenance that flows through the organisation, permeating every department, office, lecture room and meeting.
Is Security Culture the ‘Soft’ Option?
Security culture often gets a bad press; it’s considered a soft and subjective alternative to the steely determination of the tech that does the real work when it comes to securing an organisation. Not so! Having the tech in place is – of course – crucial, but as any military strategist will tell you, the best defences in the world mean nothing if the army doesn’t really understand what they’ve turned up to do. Investing in the development of a security culture across the university environment isn’t the ‘soft’ option by any means. We know that people are the preferred point of entry for hackers, so it makes sense that those people – now cast as front-line defenders – need preparation for the role they’ve been co-opted into.
Getting the Cybersecurity Conversation Started
Developing a security culture requires potent conversations that get people talking. Conversations don’t start of their own accord; they require thought, imagination, creativity and strategy to make them effective carriers of key information – they also require commitment, energy and enthusiasm. At Layer 8 Ltd, we specialise in creating networks within organisations, specifically designed to spread conversations, engage new participants, and raise the status of cybersecurity as a topic of discussion. We start with a core of volunteers (sometimes called security advocates, champions or zealots) who already have an interest and great communication skills. Finding the right people takes campaigning, planning and initial investment. Once the group is found, they are given time and resources to create their own campaign, set their goals and establish their organisational framework alongside existing security professionals.
Talking About Cybersecurity Makes Organisations Safer
Given the opportunity to talk, share anecdotes, learn from each other and be given the resources to find out more, people fuel the conversation and facilitate its spread across the organisation. This model is particularly suited to the university environment where effective communication is the daily currency of the organisation. We’ve seen this strategy work in a range of UK organisations, from national infrastructure, to construction, to telecommunications and education. Layer 8 Ltd are currently co-designing a strategic plan for the development of a robust, proactive security culture with our first academic client organisation. Finding the implementation best suited to a complex organisation is vital for the success of cybersecurity.
It’s the person that’s never really had the opportunity to give any serious thought to cybersecurity that’s your biggest vulnerability – because they’re the one most likely to click that link. The NHS WannaCry experience has certainly started a conversation – the challenge is to learn from it and keep those conversations flowing.