By Nick Wilding
Jim Baines, the CEO and founder of Baines Packaging, a respected midsize U.S. packaging firm, recently wrote an open letter to his peers in other organizations following a catastrophic cyber-attack. It’s an emotional plea:
“It never occurred to me that I, as the CEO, might be a target. We’re immune, aren’t we?
“That’s what I thought. Now my company, which I built from nothing over nearly 30 years, into which I poured everything I had to ensure its success, is losing clients, losing money and, most importantly, losing credibility.
“My reputation has been badly damaged, along with my relationships with my customers, my peers and my friends.
“So, if you’re a business leader, you need to know that you’re also a target. Everyone on your board is a target. No one is immune and everyone is vulnerable, no matter how powerful or successful they may be.”
Baines clicked on an innocent-looking email, and the disaster unfolded. It takes only one person who’s not security-aware or vigilant to enable a cyber-attack to succeed. Effective corporate resilience to the cyber-risks we all face is as much about our workers and their behaviors as it is about technology.
In 2015, Tom Farley, president of the New York Stock Exchange, said in his introduction to “Navigating the Digital Age: the definitive cyber-security guide for directors and officers”:
“It is important companies remain vigilant, taking steps to proactively and intelligently address cyber-security risks within their organization. … We can accomplish even more through better training, awareness and insight on human behavior. Confidence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them.”
Today’s reality is that all of us—from the boardroom to the engine room of any organization, as well as our wider supplier and partner ecosystems—have a specific role to play in protecting our most precious information and assets. An organization’s people can and should be its most important and cost-effective defense against attacks. As Verizon’s 2015 “Data Breach Investigations Report” highlighted, nearly 90 percent of all successful cyber-attacks succeed because of human error.
Reaching a Cyber-Security Crossroads
I would suggest that we’re at a crossroads in our collective corporate response to cyber-attacks. One group will continue to invest in more technology and expect that multiple layers of technical defense will suffice. Another group—the market leaders, pioneers, innovators and, increasingly, the “just plain sensible”—will change direction and embrace an enterprise-wide approach. These organizations will adopt effective awareness learning for all their staff members and will openly reward good cyber-behaviors as an integral and critical part of their corporate response.
The opportunity appears clear: Employees are not, as is so often reported, “our weakest link.” They are, in fact, our best defense against a damaging cyber-attack. But how can we ensure that we’re well-equipped, and that our cyber-security awareness training engages, is relevant and provides the simple, practical guidance we all need?
In this vital area of staff training and development, one size doesn’t fit all. The current “all staff, once a year” approach does not influence or sustain long-term behavioral change. At best, it reminds us of some security essentials; at worst, it’s treated as a necessary evil, a distraction and something to be completed as quickly as possible.