Capgemini on cybersecurity: why entire organisations must be educated
Company and customer data is more important than ever before. According to IDC, 85 percent of consumers in Western Europe will defect from a business within the next 18 months if their personally identifiable information is impacted in a security breach. Additionally, the General Data Protection Regulation (GDPR) will come into effect in 2018, mandating that all organisations holding data on European citizens, regardless of where the company is based, must keep their systems secure or risk incurring an extensive fine of up to four percent of global turnover – a huge penalty for a business of any size.
For businesses, the incentive to stay secure is vast. So too are the sums poured into technology that is designed to keep data safe and secure. Yet the regularity with which we read of successful cyber-attacks reveals the scale of the challenge. Hackers are changing their tactics faster than most businesses can update their defenses. Connected infrastructure in industries as diverse as automotive, financial services and retail means an unprecedented number of potentially vulnerable points of attack. Cyber defense skills are in acutely short supply. Money is often invested in line with strategies that are misguided.
And yet, the greatest threat to an organisation is its own people. Even if a company has appropriate technology and a robust strategy, employees represent the most significant security vulnerability at any business.
A good analogy is the way you protect your home from a fire. An alarm protects you by alerting you to a blaze. However, the presence of the alarm doesn’t mean you should leave the oven on all night, or leave your hob unattended for hours. The alarm gives you a good layer of protection, but ultimately it’s your responsibility to take the appropriate steps to avoid burning down the house. The example mirrors a common approach to cybersecurity. You shouldn’t solely rely on a final warning system or layer of technological protection to keep your business safe.
But educating an entire organisation on the need to be vigilant, and how to be, is complex. Employees are already overwhelmed securing their personal online identities. Individuals in the UK need to remember an average of 22 separate passwords to secure their identity online, a constant juggling act that has resulted in a serious case of cybersecurity fatigue.
So what can organisations do to breathe new life into this exhausted issue?
As a starting point, businesses should look for inspiration at how they address security and authentication with their customers. There’s a growing understanding that success hinges on balancing security and user experience, and organisations are taking steps to simplify authentication processes for users. If your customers need a solution that simplifies security, why shouldn’t the same level of attention be paid to your employee experience?
Security leaders should strive to instill the same values that define the customer experience at an organisational level. By untangling the authentication process and making it more straightforward, business leaders can boost employee engagement with cybersecurity processes and begin to combat cybersecurity fatigue.
The principles of this employee experience can be found in a study from the US National Institute of Standards and Technology (NIST), which uncovered an overwhelming amount of cybersecurity fatigue among North American workers. The report suggested businesses split their approach into three steps: limit the number of security decisions users need to make; make it simple for users to choose the right security action; and design for consistent decision making whenever possible.
One authentication method companies can roll out that addresses all three of these points is a tool that provides each employee with a single digital user identity – one connected username and login method for every platform. For example, the business could introduce a single sign-on system that works in conjunction with a second-factor authentication method unique to each employee – such as their work or personal mobile – that generates a unique sign-on key each time they need to log on.
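The single sign-on plus second-factor login described above, as an added example that is not from the original article or from Capgemini: a Python sketch in which one identity record serves every platform, the second factor is an RFC 6238 time-based one-time code (the "unique sign-on key each time"), and the verifier tolerates one step of clock drift while refusing a code that has already been accepted. The user name, password, salt and TOTP seed are constructed demo values (the seed is the RFC 6238 test-vector secret, so the codes match the RFC tables); `sso_login`, `verify_totp` and `platform_user` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct

# --- Constructed demo data (not real credentials) ---------------------------------
# The TOTP seed is the RFC 6238 test-vector secret so codes can be checked against the RFC.
_SALT = b"constructed-demo-salt"
IDENTITY_STORE = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp_seed": b"12345678901234567890",
        "last_counter": None,  # highest time-step counter already accepted (replay rejection)
    }
}
SESSIONS = {}  # session token -> username; every connected platform consults this one table


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time, one code per 30 s step."""
    return hotp(seed, now // step, digits)


def verify_totp(seed, submitted, now, last_counter=None, step=30, digits=6, window=1):
    """Return the accepted counter, or None. Tolerates one step of clock drift either way and
    refuses any counter at or below the last one accepted, so a captured code cannot be replayed."""
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return counter
    return None


def sso_login(username, password, code, now, digits=6):
    """One login for every platform: password + one-time code -> session token, or None."""
    record = IDENTITY_STORE.get(username)
    if record is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    accepted = verify_totp(record["totp_seed"], code, now, record["last_counter"], digits=digits)
    if accepted is None:
        return None
    record["last_counter"] = accepted  # remember the step so the same code is never accepted twice
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def platform_user(token):
    """What any connected platform does: resolve the SSO token to an identity, no second login."""
    return SESSIONS.get(token)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the matching 8-digit code is 94287082
    code = totp(b"12345678901234567890", t, digits=8)
    tok = sso_login("alice", "correct horse battery staple", code, t, digits=8)
    print("session belongs to:", platform_user(tok))
    replay = sso_login("alice", "correct horse battery staple", code, t, digits=8)
    print("replayed code accepted?", replay is not None)
```

The point the article makes is carried by `SESSIONS` and `platform_user`: the employee authenticates once, and each platform only resolves the token rather than running its own password and second-factor prompt, which is what removes the repeated security decisions NIST warns about. Storing `last_counter` per identity is the detail that makes "a unique key each time" hold in practice: a code that was already used, even inside the drift window, is rejected.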
By investing in methods that make it simpler for employees to prevent potential threats from the outset, alongside a strong layer of digital defense, security leaders will build a more complete level of protection, something that will be required if the arrival of GDPR is not going to lead to an emergency fire drill for them.
By Mike Turner, Global Cybersecurity Business Leader at Capgemini