UK Government-backed whitepaper outlines need for employee buy-in against cyber threats

Hewlett Packard Enterprise have announced the release of a new whitepaper outlining the framework and steps that organisations need to take to engage employees in effective internal cybersecurity practices.

The “Awareness Is Only The First Step” business whitepaper outlines the framework and steps  and is published in collaboration with the Research Institute in Science of Cyber Security at University College London and the UK government’s National Technical Authority for Information Assurance (CESG).

While security communication, education, and training is meant to align employee behavior with the security goals of the organisation, it is not always designed in a way that can achieve this. As a result, senior management does not know if recommended security behavior is actually followed in practice by all staff. The root cause of this disconnect is that businesses do not know how to engage their employees for the long term; they end up using tick-box exercises, which result in employees retaining little knowledge rather than the desired goal of achieving improved security.

“Building a cyber resilient workforce is the cornerstone to a comprehensive and future-proof cybersecurity organisation,” said Andrzej Kawalec, Security Services CTO, Hewlett Packard Enterprise. “Digital adoption impacts businesses and individuals in varied ways, and users remain the first line of defense when faced with a dynamic and relentless threat environment.”

robot background

“Many companies think that setting up web-based training packages are a cost-effective way of influencing staff behavior and achieving compliance, but research has provided clear evidence that this is not effective – rather, many staff resent it and suffer from ‘compliance fatigue’” said Professor M. Angela Sasse, FREng, Director, UK Research Institute in Science of Cyber Security, UCL. “In this whitepaper, we outline a human-centric approach to genuinely engaging your staff in cybersecurity and building their competence.”

HPE together with UCL and CESG, developed this whitepaper to help organisations establish a framework for security awareness that will empower employees to become the strongest link—rather than a vulnerability—in defending the organisation. Key findings for developing a strong employee program include:

●  A combination of communication, education and training activities can build greater security awareness and lasting behavior change. However, each organization must identify areas of improvement and take baseline measurements before implementing any CET measures to better understand the current security company culture.

●  Remove impossible security tasks as part of an essential security hygiene process. CET cannot compensate for security policies and implementations that are impossible to comply with.

●  Security awareness campaigns must be tailored, ongoing, and involved. Ideally employees will receive a skill set that helps them professionally and privately.

●  Balance prescriptiveness of policies and the practicality of enacting them. Too many policies can make the cost of compliance too high and limit productivity and adaptability. Consider where policies should be rules and where they should be guidelines.

●  Communicate the value. There is a personal cost to changing routine behaviors, so it is important to treat it as a value proposition, not a mandate.

“At CESG, we advise both organisations and Government on the challenges that their security practitioners face when it comes to security awareness. With this whitepaper we hope to give them a refreshing new way to approach the challenge of involving employees in order to create a more secure organisation, instead of simply implementing a one-size-fits-all approach”, said Chris Ensor, Deputy Director at the National Technical Authority for Information Assurance.

Hewlett Packard Enterprise Cyber Reference Architecture

HPE operates its Cyber Reference Architecture to assist customers in logically assessing their security requirements in terms of the various components required and their external and inter-dependencies to create an effective and coherent security organisation.

In order to assist organisations in achieving lasting behavioral change, HPE provides consulting services in the areas of awareness and communication as part of its Cyber Reference Architecture.