Across industries, a significant proportion of professionals, despite assurances to the contrary, still treat cyber security and information security as something of a business black box: sky-rocketing costs, an endless need for scarce technical skills and, worst of all, uncertain ROI.

Following the introduction of the GDPR last year (first and only mention, we promise), plenty of businesses are left equally uncertain about how to genuinely improve their systems, or what is and isn’t best practice, even after investing huge sums in consultancies, legal teams and compliance officers. Even compliance doesn’t come cheap.

Obviously, compliance is a must for any self-respecting enterprise. The danger of an oversimplified, box-ticking approach comes when executives and staff begin to confuse compliance with the distinctly different need for substantive information security.

Compliance vs Risk

It’s now understood that most attacks are not simply the work of malicious outsiders but typically combine an external threat with internal negligence. An estimated 64% of insider threats alone are the result of careless or negligent behaviour. Stringent adherence to the ISO 27000 family of standards and heavy investment in security products and services will help to mitigate some of this risk, but it is no longer reasonable for organisations to treat information security as a simple matter of compliance.

As budgets and spending increase, so too does the overall impact of information security attacks and breaches. One widely cited projection puts annual losses from cyber crime at $6 trillion within the next two years, a figure equivalent to more than a quarter of US GDP.

Train and Monitor

Recent survey results suggest that, despite the exorbitant spending, approximately 77% of UK workers have never received any form of cyber security training from their employer. In times gone by it may have been some comfort that only a small number of workers handled or had access to sensitive data; in 2019, every employee’s passwords, email accounts and network logins are an exploitable route into the organisation.

It is increasingly clear to specialists that, as the field of information security matures, industries and organisations must take a much broader view of how to protect themselves effectively against cyber and information security threats, and must find cost-effective ways to mitigate the risk inherent in an untrained, under-prepared and potentially negligent workforce.

Moving Beyond Mere Compliance

It is not all that long ago that businesses viewed ‘health and safety’ with the same scepticism they now show towards information security: ‘We’ll sign the forms and get on as normal…’. But, as with the adoption of general safety rules, we need to accept that to genuinely improve the efficacy of an increasingly necessary practice, we must integrate this mindset into the culture of the organisation.

Chances are you either love or hate the concept of ‘organisational culture’, but whatever your feelings towards the phrase, any right-minded security professional has to concede that, given a choice between mere compliance (or even ‘awareness’) and a genuinely internalised understanding of threat and security, there is only one real option for your workforce; all the better if it doesn’t break the bank.

Meaningful Behavioural Change

There is no easy, quick fix for all your information security problems. Achieving a positive, sustained and measurable change in staff behaviour means implementing and pushing towards a ‘secure culture mindset’. It requires an integrated approach, driven from the managerial and executive level.

For those looking to reliably reduce the human risk associated with cyber security and insider threat, an increased focus on these foundational elements is likely to deliver tangible results without burdensome cost or technical complexity. A relatively simple training programme that establishes a policy framework, educates staff, and measures their engagement and understanding is the natural first step towards an information-secure culture, and beyond mere compliance.