Cyber security: Are you talking to the right employees?

By Ben Watson, Co-owner and Director at internal communications agency Blue Goose

Typically we focus on senior staff, new joiners, HR, finance and customer-facing roles. But perhaps we should shift our attention to a new employee profile

Businesses are constantly at risk, and traditionally certain employees have been earmarked as having the potential for greater exposure to cybersecurity threats than others. But the lines are blurring. Today, thanks to fast-paced changes in business practices, those people brought in as application owners are often the unwitting conduits of cyber breaches.

As a company that specialises in talking to businesses about how to reduce information security gaps, as well as supporting their efforts towards ISO accreditation and GDPR compliance, we recently started to wonder whether we were targeting everyone we should, or whether there were new weak spots emerging. It’s a question that needs to be asked continually as cyber threats evolve.

Moving goalposts and asking new questions

When establishing the key cyber risks that any given organisation faces, the same issues usually float to the surface. Malware infections, phishing and broader social attacks, an inadequate bring-your-own-device policy, website weaknesses, insider threats, denial-of-service attacks, or a general lack of cybersecurity knowledge among staff. All important issues to address.

Then the security expert will move onto people profiles – those that typically present the most risk to a business. Graduate starters, for instance, who’ve never had to think about how their actions can impact a whole company. Those in client-facing roles, human resources and finance, all of whom have access to sensitive information. The C-suite. Again, all important stuff.

But what we’re finding now is that, as well as all of the above, the focus of attention should be on those people who are directly responsible for owning and controlling the software applications that gather, manage and disperse information throughout the company and beyond.

Application ownership is a relatively new role in the business world. It’s the person (or team) with responsibility to ensure that a program accomplishes a set objective or series of user requirements for that software application. For a small company, that might be the CEO. For a Fortune 500 company, there could be dozens of applications, each with a different owner.

Often app owners are relatively junior or mid-ranking, however, and don’t fall into any of the traditional people profiles outlined above. As the software they control gathers momentum and importance, so does the level of seniority they hold. The problem is the training doesn’t always keep up as they ascend the ranks.

The need for communication and constant upskilling

Without the right upskilling and management, left unattended our rising staff member may be left to create a domino effect throughout the entire organisation. But we shouldn’t come down too heavily on them – being really highly skilled in cybersecurity has never been part of the remit for an application owner. But perhaps it should be now.

It’s important to create a communication strategy that everyone at every level can see – and then you can add and tailor for specific profiles on top of the one-size-fits-all version.

And it’s also important to keep it fluid. You can’t sit still with cybersecurity training because the criminals aren’t sitting still. And that means increased personal profiling and understanding how things are evolving in the work environment.

For most employees, though, information security is typically a dry and relatively uninspiring topic. That means our communications need to work hard to stand out and engage employees against the background noise of the other communications and the day-to-day activity they are exposed to.

To address these issues requires the development of a simple and flexible creative platform to provide the visual and intellectual glue that helps position security appropriately in employees’ minds. And it needs to be flexible enough to allow a wide range of messages to be delivered across the security programme to different employee audiences.

By creating what we call a ‘burning platform’, and being vigilant about changing working practices and roles, we develop a ‘live’ body of knowledge that reinforces the essential security mindset – for everyone.

Large organisations are now managed by applications, so it makes sense that we focus on the people who are assigned them. You could say, if you don’t get cybersecurity training right for these app owners, you’re not simply letting down an area of the business, you’re failing the whole organisation.