View a video summary of this FT | IE Corporate Learning Alliance Foresight Series event here.
When news of data security breaches hit the headlines the stories are usually about determined individuals or groups hacking high-profile organisations for notoriety or financial gain — inflicting physical damage, stealing intellectual property and lodging political protests.
No industry or business is truly immune to sophisticated external attackers. Yet, in its 2016 Cyber Security Intelligence Index, IBM found that almost two-thirds of attacks were carried out by insiders. Billions of dollars are spent on cyber security technology while human error is ignored.
Cybersecurity is not about making machines work better. It is about preventing people falling victim to ‘social engineering’ — i.e. doing mindless things with computers, wittingly or otherwise. Some 90 per cent of cyber-attacks occur because computer users are busy and naive, a deadly combination. They open files they shouldn’t. They click on dodgy links. They put their details on social media. They use personal devices to access work files.
An expert panel of cybersecurity specialists met in Madrid on 17 March 2017 to debate the issues, assess the risks and consider how organisations can protect sensitive data not only from external attacks but from the dangers of employee carelessness.
Moderated by Financial Times contributing editor and columnist, Michael Skapinker, the panellists were Casimiro Juanes, head of IT RMED at Ericsson and Adjunct Professor at IE Business School, and David Pérez Lázaro, Managing Director of Accenture Security Financial Services EALA.
Companies must change from a model where employees are weakest link to a model of first line of defence
Head of IT RMED at Ericsson and Adjunct Professor at IE Business School
Many vulnerabilities come with the huge advantages that technology brings to the workplace, whether anticipated or not. With greater interconnectivity comes greater scope for interference in systems, which means everyone should accept a role in defence. The greatest need is for education on cybersecurity. As a result three key observations emerged in the debate:
- People need to be conscious of the risks and ‘reboot’ their minds to change their established behaviours that have inadvertently opened up businesses to cyber-attacks
- Companies must change from a cybersecurity operating model where employees are regarded as the weakest link to where they become the first line of defence
- Cybersecurity should be embedded in a company’s values and the issue should be what sets an organisation apart
Cyber-crime is different to physical offences because the targets are remote and there is no direct observation of the effects on people – and of course the pickings are potentially richer with prizes such as valuable company data.