The People Principle in Security
Security systems are only as successful as the people who sit behind them
In May 2020, the personal records of more than 24 million South Africans (https://bit.ly/32YWiNA) and nearly 794,000 companies were handed over to someone impersonating a client. The personal records, identity numbers and addresses of millions of people and thousands of businesses were given to this person because they had fooled the system. It’s a hard lesson in how important it is to embed security not just into the technology and the devices of a company, but into its people. According to Anna Collard, SVP of Content Strategy and Evangelist, KnowBe4 Africa (https://www.KnowBe4.com/), security is not just the responsibility of IT, it is the responsibility of every single person in an organisation.
“It is critical that organisations create a culture of security in order to combat this increasingly hostile security environment,” she adds. “A successful security culture is driven by leadership, the human resources (HR) department, internal marketing & communication and ongoing security training. Truly agile and capable security is a people project, not a technology one.”
Successful security balances on three pillars: technology, policy and people. The technology is the firewalls, the anti-virus, the ongoing alerts and the endlessly evolving bouquets of solutions designed to give the business an edge in the war against cybercrime. Policy outlines the processes that people at all levels of the organisation have to follow so that the technology can do its job and the necessary checks and balances are in place, and it guides people on what they can and cannot do in the digital realm. People are the key to ensuring that both technology and policy actually work.
“This is why HR has to be involved with security,” says Collard. “It is fundamental to changing behaviour within the organisation and helping to build a culture that recognises the importance and value of security. It is, of course, also the disciplinary arm that enforces policy and that ensures there are consequences when people continue to break the rules or fall for phishing scams or perpetually do the wrong things.”
Whether the organisation incentivises or punishes, security has to have consequences. Employees must see that the executive is as tightly bound by the regulations as everyone else. And they need to understand exactly what these regulations are, why they are important and the implications that failure can have for their jobs and the future of the organisation. With data protection regulations such as South Africa’s Protection of Personal Information Act (POPIA) in full effect, an avoidable mistake can result in hefty fines or even imprisonment for the directors of the company. That mistake can be as simple as someone clicking on a phishing email, falling for a social engineering call or triggering a ransomware infection because they didn’t recognise the risk.
This is where good communication becomes as essential as good technology.
“The way we communicate, the content we use, and the way that it’s distributed can make such a difference in how an organisation creates a strong security culture,” adds Collard. “It’s a blend of HR people practice, security good practice and marketing best practice. These three elements need to be pulled together to create a cohesive security ecosystem that ensures people truly understand that their actions can have serious consequences.”
This level of engagement can be achieved in multiple ways. One is to empower a person who interacts with the different stakeholders across the business and who has the right support from the executive and HR. That person is then responsible for carrying the security culture throughout the company: implementing the right training platforms, running the incentive and disciplinary systems, and driving participation.
“Success will depend entirely on the level of stakeholder buy-in, the depth of the training and a commitment to ensuring that the training is ongoing and measurable,” concludes Collard. “Security training has to be iterated and repeated constantly to ensure that people are always kept aware of its importance and any changes in attack vector or threat. Only by keeping security top of mind, all the time, can an organisation truly embed a culture that’s capable of staying secure and alert.”