A people-focused approach to cyber resilience
Over the past few years, we have put a great deal of effort into building resilience, using a multi-faceted approach and taking steps to ensure that all staff are on board. One of our main areas of focus has been culture. In essence, this means that rather than treating cyber security threats as an issue for ‘the IT department’, we treat them as an organisational business risk.
While technical, procedural and physical controls are all important in building a defence-in-depth approach to resilience, for us resilience starts with every member of staff. This runs counter to the common perception that people are the weakest link in cyber security.
“We see our staff as being one of our key cyber strengths, and this starts at the very beginning of the employment journey with our induction cyber awareness training.”
To make sure that the training staff receive is as effective as possible, we are careful about the language we use, adjusting how we speak about the issues so that they resonate with everyone in the office. We also vary our approaches, using different methods to keep staff engaged. Cyber fatigue can so easily set in if we only ever send warning emails about potential threats! Our approaches include, for example, sending regular simulated phishing emails to staff and then talking to them about how easy or difficult each one was to recognise. Or we might provide short training videos that staff can watch on their mobiles, desktops or tablets. We also spend time holding small-group awareness sessions with the teams most likely to be targeted, such as Finance and HR, as they usually have access to sensitive, valuable data.
We make the best use of external resources to help us increase staff cyber awareness, many of which are low-cost or free. We have also found it beneficial to bring in external support to provide bespoke training, and have made use of our membership of the Scottish Business Resilience Centre (SBRC). We have taken part in simulated security incidents with the SBRC to test our preparedness and measure our readiness. Their training and education services also help ensure that our senior executive team and board members are equipped to engage well with the technical team.
Our strategic approach
Our work to strengthen our defences against those seeking to cause online harm was informed by the Scottish Government’s response to the WannaCry ransomware event in 2017. That event led to a wider push from the Scottish Government to develop a strategy that would strengthen the cyber resilience of all public sector organisations in Scotland. We have been fully supportive of that push.
Some of the key steps we have taken include:
- Achieving Cyber Essentials Plus certification, which we now renew through an annual reassessment to ensure we remain compliant.
- Implementing and making use of tools provided by the NCSC, including its Active Cyber Defence services, to protect our critical infrastructure.
- Protecting our systems and data by following the NCSC’s ‘10 Steps to Cyber Security’ guidance.
- Undertaking other activities such as deploying a mobile device management (MDM) system, multi-factor authentication (MFA), automated patch management, enhanced anti-phishing protection and data loss prevention (DLP) technology.
- Regularly testing our Disaster Recovery Plan and checking our response to mock cyber-attacks. We have found that the NCSC’s ‘Exercise in a Box’ service has helped us think about how prepared we are and what more we could do, in keeping with our ‘not if, but when’ approach.
We of course recognise that the threat landscape is constantly evolving and becoming more sophisticated, so there is a lot more we need to do. While it would be unrealistic to think we can beat cyber-crime, we can at least make things as difficult as possible for attackers.
“In keeping with the organisation’s culture, we are keen to learn from others and to share our experience. As well as being members of the SBRC, we are active members of the Cyber Information Sharing Partnership, through which we can share and access cyber threat information in real time.”
Cyber security is not something that has just appeared in recent years; it is an issue that professionals working in IT and Information Security have dealt with for decades. However, there is no doubt that technological developments such as cloud services and the shift away from on-premises networks have opened up new opportunities for cybercriminals. The environmental, financial and security benefits of such developments often outweigh the disadvantages, as was recently demonstrated in the most difficult of circumstances with the advent of the coronavirus pandemic.
Because WICS had migrated services to the cloud wherever possible, our staff were able to move to home working relatively easily when the Covid-19 pandemic struck, with very little impact on their capacity to work. This was in part because of the incident management and business continuity planning and testing we have undertaken over recent years. We may not have been quite as well prepared had the pandemic struck five years ago, and it is an absolute certainty that had it happened 15 years ago, before the advent of high-speed broadband, video conferencing and collaboration applications, we would have been in a very different position.
Looking ahead, it is reasonable to expect that there will be even more demand for technologies that enable remote working, home working and collaboration. We will therefore continue to focus on flexible solutions and to think in innovative ways about how we approach this and our wider business resilience.
Our culture and people-focused approach will continue to be key for us as we navigate the challenges and organisational business risks ahead, including those that are outside of our control.