All organisations have a duty to ensure that the information they hold is kept secure. This is true of private sector companies, where data loss can result in a loss of customer confidence and falls in revenue. It is also important in public sector organisations, which citizens trust to keep their personal data safe.
The National Archives undertakes a large amount of work across government to encourage the sharing of best practice between departments and to help build more secure workplaces. This includes a programme of briefings we provide to government boards.
The message we pass on to departments is that senior managers play a vital role in driving the development of a cyber-secure culture across the entire organisation. We break down the responsibilities into these three steps.
Understand the threats
The cyber threat to our information can come from a range of individuals and organisations, including:
- criminal gangs
- hacktivists such as Anonymous
- individuals looking to show off to their peers
- corporate espionage
- staff breaching data either by accident or for financial/emotional gain.
Security experts can also provide the board with an outline of common tactics used. These include:
- phishing emails: emails that try to manipulate the victim into handing over cash or information.
- botnets: a large number of computers controlled by a single hacker, often used to flood a system with access requests, causing it to shut down.
- vishing (phishing over the phone): often an attacker will claim to be from a computer company or the IT team and say that there is a problem with the victim’s computer; they then ask the victim to give them control over the computer to fix the problems.
- physical breach of security: poor physical security can allow an individual to walk into an office and either steal information or upload a virus onto an unlocked PC.
- supply chain attack: attackers may not be able to get into the system of the organisation they want to attack, so will instead target companies that provide services to it. This can allow them to get into a system through the back door.
Decide what matters
All activities undertaken by an organisation will involve an element of risk. It is therefore important that information risks are recorded and managed.
Firstly, board members need to be able to identify the information and data which would cause serious damage if it were lost – their crown jewel information assets.
They should then consider the threats to these assets and the most likely ways that data may be lost. The National Cyber Security Centre’s ten steps to cyber-security can help identify potential vulnerabilities in the organisation.
Finally, the board should be involved in the development of a corporate-level risk appetite – that is, the amount of risk that the organisation is willing to take on in order to get work done. Organisations that hold large amounts of sensitive data are likely to have a lower tolerance for risk than those with information that would be less damaging if it were released.
In response to the risk assessment the board must then develop a strategy to manage their information risks, assisted by a range of roles including security experts, Knowledge and Information Management (KIM) professionals and departmental heads of service.
It is important that the board sets the tone from the top and that, once policies have been devised, board members are seen to be following them. The biggest factor in whether an organisation tightens up its security culture is whether staff lower down the hierarchy can see the senior management team taking the issue seriously.
Another important part of developing a secure culture is listening to staff and their concerns. A policy that sounds sensible while it is being developed may turn out not to be very practical when applied by front-line staff. It is therefore important to monitor the effectiveness of strategies, and also to tell staff why they are expected to comply with secure practices. If people don’t know why they are being asked to do something, they may develop their own insecure workarounds, introducing risks that the security professionals are not aware of. Awareness-raising materials produced by organisations including the Information Commissioner’s Office, the National Cyber Security Centre and the Centre for the Protection of National Infrastructure can help with this.
By following these steps, senior managers can act as cultural champions and help staff develop more secure practices that will help protect the organisation from cyber threats.