The past month in cyber security has been dominated by one story: a huge cyber-espionage campaign against the US government.
As usual, discussion of the attack has focused mainly on the tactics used by the nation state operatives behind it. While these efforts were certainly notable in their sophistication, that focus misses the bigger picture: the people involved. It is people who were ultimately responsible for the attack, people who made the mistakes that let the bad guys in, and people who will be affected in the fall-out.
To use a football analogy, cyber security is a team game. We must therefore ensure we have the right blend of players on the team. We must train hard. And we must think more strategically to outplay our opponents.
A people thing
Although around since the 1960s, the idea of “people, process and technology” was popularised in cyber security circles around two decades ago. The challenge is that organisations often focus on updating their processes and investing in new technology without implementing people-focused aspects of cyber-risk management.
Yet people are behind both the problem and the solution. You can have the most advanced email security system in the world. But if a phishing message slips through the net, it takes just one untrained user to click through and the organisation could be exposed to crippling ransomware or large-scale data theft. The challenge extends to the IT department. Cloud misconfiguration has become one of the biggest sources of cyber risk today—providing an open goal for attackers to aim at. A configuration error was to blame for the massive breach at Capital One in 2019.
Especially during a time of mass remote working, people can be a weakness in the cyber security chain. Human error was involved in nearly a quarter (22%) of breaches analysed this year by Verizon. But people can also offer our best chance of success, if we play the right game.
Building your team
When it comes to the IT security department, there are a few things organisations need to ensure before kick-off. Just like a football team, there are many different roles. For example, Security Operations Centre (SOC) analysts may play a more defensive position, based around detecting and blocking attacks. On the other hand, penetration testers or red team members have a mandate to attack, in order to find weaknesses in the organisation’s cyber-defensive line.
Most important is that there is a manager in charge to bring all those disparate parts together and ensure they’re working in harmony. Ideally it would be a CISO, although only around half of organisations in the UK are thought to have one. It may be a risk officer, or even a CIO. What matters most is that they are engaged with the security team and understand what is going on “pitch-side”, and that they also have a voice at board level to ensure security is given the attention it deserves. Just as a football manager must have a good relationship with the club chairman and CEO to secure funds for new players, the CISO or equivalent must be able to articulate security challenges in a way the board understands in order to win budget for staffing and technology investments.
Finally, the security team needs to train if it wants to be match fit. It should have an incident response plan that is regularly practised. And it should work through scenario planning in general to understand who does what when the whistle blows and they’re facing an attack.
The bigger picture
However, there’s also a much larger team here—every single employee in the organisation. If trained properly in best practice secure data handling and phishing awareness, they could provide a fantastic first line of defence which the opposing team may find tough to break down. We could extend this further—if governments can also raise overall cyber security awareness among the populace, then we start to make life much harder for the other side.
Like football, it all starts at the “grass roots” level. That means cyber security awareness training at school and courses and competitions like the NCSC’s CyberFirst to encourage more youngsters to pursue a career in the industry.
Don’t let the side down
While it’s relatively easy to check the progress of your team in football (goals scored and conceded, matches won, lost and drawn), things aren’t quite that straightforward when it comes to cyber security. It requires you to continuously track KPIs like mean-time-to-detect (MTTD), intrusion attempts, days-to-patch and phishing click-throughs. Exactly which ones will depend on your business and risk appetite, but tracking any of them effectively requires excellent visibility into core IT systems.
What is unarguable is the cost of not doing so. According to IBM, the average cost associated with a UK data breach in 2020 was $3.9 million (£2.9m), although this can increase significantly depending on circumstances. Breaches at health and care organisations cost more than double that, for example. The bottom line is that the longer attackers are allowed to dwell inside your network—finding and exfiltrating data and/or deploying ransomware—the more expensive the clean-up operation and the bigger the impact on corporate reputation. It’s the equivalent of letting the other side play in your penalty box for the entire match. Unfortunately, we need to get better at finding and kicking them out: currently the average time to identify and contain a breach is 280 days.
Cyber security teams face an agile, determined and increasingly well-resourced opponent today. They need to have a plan and execute it well. They need to practise and train hard. And they need to understand their opponents inside-out. The good news is there’s plenty of time left on the clock. And there are experts you can call upon to help build a match-winning strategy.
About the Author
Andrew Kays is Chief Operating Officer at Socura. We’re here to help make the digital world a safer place; changing the way organisations think about cyber security through a dynamic, innovative and human approach. Our forward-thinking services help organisations to not only detect advanced threats and targeted attacks, but contain them too.