This article was produced in partnership with Altus
Mia Wallace of Insurance Business sat down with Aaron Cain, Cyber Security Consultant at Altus to discuss how to create a culture of ownership around cyber risk.
When discussing the paradigm shift in how modern businesses treat cyber risk, in a recent feature with Insurance Business UK, Aaron Cain, cyber security consultant at Altus, highlighted the challenge represented by employees who still think that cyber risk “has nothing to do with them”. It’s a misconception that is damaging to the very fabric of business continuity, which is why creating a culture of ownership around cyber risk is fundamental to good cyber hygiene.
Digging into how this ownership piece can be constructed, Cain noted that it all starts with empowering employees not just to recognise cyber threats but also to feel confident when reporting them. Consider the simple but effective messaging of the London Underground, he said: ‘see it, say it, sorted’. It’s the same for cyber risk: when somebody sees something suspicious, that information needs to get to the right people as quickly as possible.
“Organisations need to empower their workforce,” he said. “This is the really essential piece, moving away from that [attitude of] ‘my company’s cyber security teams should deal with it… I’m just going to move around something when it doesn’t look right because it doesn’t impact my task’. When somebody makes a blunder or, more to the point, tries to be helpful only to find they’ve done something wrong, the immediate human reaction is to say ‘oh, it wasn’t me, I was over there getting coffee at the time.’”
People don’t want to admit when they’ve made a mistake because they believe that blame comes along with that, he said, and that notion has got to change. If organisations don’t focus on eliminating that blame culture and don’t work towards getting to a place where people feel emboldened to admit their mistakes because they know they will be backed to the hilt, then employees will continue to try and bury their mishaps.
“They'll hide it until it's too late and you’ll only find out about it when somebody's going back and doing the recovery,” he said. “[…] I’ve probably run across half a dozen, maybe a dozen companies over the course of my career who are very supportive and say that if you see a problem, just let us know you made a mistake and it’s not going to affect your career or anything else. This brings people into that accountability loop that makes people want to [be honest] because they know it’s going to be good for the company.”
That empowerment piece is part of the solution, Cain said, but a second part is making cyber risk understandable to employees across an entire business. Too often, the cyber security services engaged by a firm are simply not fit-for-purpose because they are generic, pre-packaged solutions that are not applicable to real-life scenarios or a modern hybrid work environment.
Taking phishing identification training, for example, he noted that click rates are still in the 40-50% range for most firms. When people get it wrong, the test comes back and they do it again, and they keep doing it until they tick the right boxes and get the right results – but without actually engaging with the education content at hand.
“A lot of it has to do with the attitude from the top going down,” he said. “Are you in business just to be in business? Or do you really understand that you need everybody to be secure so that you don't run the risk of the impact and reputational damage of a cyber incident? Unfortunately, in many cases, people are too busy being ‘in business’ with an attitude of ‘oh, this is an hour lost to what we should be doing’. And that has to change from the top-down.”
The third piece that the Altus team has identified as crucial to creating ownership around cyber risk is finding a way to make cyber security conversations universal. Just talking to your IT security people doesn’t help, Cain said, and just talking to your board doesn’t help. This message needs to go further, and it needs to translate all the way down to the average employee working at the coalface of cyber risk exposures.
“They need to understand – here is what we’re looking for, here’s what we’re expecting, here’s what’s happening in the industry around us,” he said. “Threat intelligence is all around us with people talking about the most recent thing to pop up, so have your people take a look.”
“All it’s got to be is that first couple of times, somebody comes up and says ‘by the way, I saw this’. That’s great because it shows this is applicable to what they’re doing… It’s much more powerful when it comes from somebody who’s actually in the seat, who happens to see this on a scan and knows to ask whether to be concerned about it.”
Cain and his team actively work with organisations to empower their people to understand, notice and report cyber exposures, and he highlighted that at the core of Altus’ delivery model is a focus on collaborative discussions and genuine partnerships. This matters because too often cyber security consultants come in and ‘talk at’ a company, focusing on just the IT team or the board, without taking into account the shared nature of cyber risk.
Mentorship is the key to doing this differently, Cain said. He emphasised the power of a ‘three-by-three’ approach to mentorship, where you always have three people that you lean on for insight and guidance, and three people that you’re providing that support to – as this allows the development of a holistic overview of cyber risk and a continuous flow of insight and information.
“Pushing out into a diverse pool gets the perspective of people other than me,” he said. “And when I go to a customer site, I do the same thing. Yes, I talk to the people that need to implement and operate the controls and the board who need to understand what’s going on. But I also then go and talk to the people who are using these controls and say, ‘we’re doing this, do you understand why?’”
People like to know the reasons behind decision-making and to understand how it impacts them, which is why it’s so critical to bring together that mentor-mentee relationship so that everybody across an organisation is in the loop and able to pass relevant information on. When you put those two things together, he said, you come out of a scenario with a stronger cyber culture, a stronger employee base and a stronger corporate structure.
Having supported organisations with these processes for several decades now, Cain has seen how engagement with cyber security resources has shifted. It’s been a continuous evolution, he said, but the dial is moving towards the point where companies recognise that while they do what they do best, they need support in managing their cyber risk exposures in order to keep operating without interruption.
“Part of what I like from Altus’ perspective is that we are working collaboratively not just with our clients but also outside resources,” he said. “We're working and partnering together [with third parties such as industry experts and the cyber resilience centres] to support companies that might not have the money to sit down and implement a full-blown programme. Because we recognise that the market is better if they’re doing something.”
Altus has created an initiative called ‘Cyber Conversations’ where the team will go out and talk to companies about what’s happening in the cyber security environment and what they need to be doing to protect themselves. This includes providing bespoke templates that suit their operational environment. It’s a genuine collaboration that benefits both parties, he said, and the most telling thing is that it seems to be already working within the wider market.
Recent research has revealed that the percentage of small businesses hit by cyber attacks in the UK is significantly lower than their US counterparts, he said. This is likely because small businesses in the UK are starting to collaborate, sharing tips on best practice and working together to eliminate their exposures as recommended by industry experts and regulators. This has pushed hackers towards multi-national companies and national infrastructure where the reward for a successful breach is higher.
“People are starting to realise that we have conferences, and seminars and online thought leadership articles, and great information coming from the industry that helps them understand what they need to do a bit better,” he said. “I have been pushing this collaboration piece from basically day one with all the things I’ve been doing.
“This was first a goal, then it had deliverables and now it’s down to getting the right frameworks in place so we can all talk together and make sure that we’re bringing the right resources in. No one of us has everything the customer is going to need. All of us together can make sure that the customer has the right things in place at the right time and is getting value for money. And that’s what we’re really focusing on.”
With over four decades of experience in multiple market verticals, Aaron Cain has worked to integrate and secure business critical information flows across technology stacks ranging from legacy systems to cloud computing.
During years of independent consulting assignments based in the UK and EU, Aaron has developed the ability to frame complex technical and security concepts in concise and clear business terminology. Leveraging his experience with banking, hedge fund and insurance clients, Aaron will be working within Altus to develop specialised cyber security solutions and programmes for the financial services marketplace.