Humans the 'weakest link' in cyber security

As technology enhancements increase the complexity of cyber security, founder of The Cyber Collective Fraser Jack has argued that human beings are the “weakest link” when it comes to businesses’ cyber security.

“Whether it's being tricked or whether it's being lazy or whether it's being rushed or whether it's being under stress; there's lots of different ways and reasons why people would make mistakes or do the wrong thing,” Jack said on The ifa Show.

“With 95 per cent or 19 out of 20 issues stemming from a human being, it always surprises me that we aren't investing a bit more money in our teams to make sure that they're across and trained in this scenario.”

Jack also stressed the importance of creating a workplace culture that fosters consistent positive behaviours when it comes to cyber security, embedding the need for these processes in every staff member.

“The safety culture around cyber really needs to become part of a culture, which means you don't just think about it once a fortnight or once a month or once a year when you're doing your audit. You've got to be thinking about it every day and for the right reasons,” he said.

“Like, why are we doing this? It's for our clients or it's for our team.”

While no business can be perfectly secure against any cyber incident, according to Jack, fostering a workplace environment where each team member can play a role in the protection of the business, making them all feel like they are in some way responsible for protecting the business.

“Everybody in every single firm is vulnerable in some way,” he said.

“The idea is that you can have proactive conversations in a safe environment at your team meetings around what some of those issues could be and how to solve them and then just making it part of the product of conversation, I think, because there's always something that can be done.”

Jack noted that this culture needs to go beyond just training employees on what they should be doing, but also creating an environment where safe cybersecurity practices become second nature to all employees.

“When we talk about training teams, it's not just about teaching them that that's the way they're supposed to do it. It's about that constant cultural behavioural thing, and culture is a really hard thing to lock down in a business,” he said.

“You can't just say, ‘This is what our culture is going to be’. You actually have to live that culture every day and it has to become part of the psyche.”

Jack added: “It's about doing it every day and leaning into that, and being passionate about the fact that you enjoy doing multi factor authentication because it helps your client, right? It's not about wasting your time, it's about putting, thinking about the client at that time, or however it might be.”

Furthermore, Jack argued that business owners have an obligation to have a moderate level of cyber-literacy in order to understand the firm’s cyber security capabilities and needs.

“You can't just outsource it to the IT department and expect it's been done,” he said.

“It's probably a bit like having an approved product list in a business. It's great to have an approved product list, but you're still responsible for the advice you give. It's the same.

“You can have an outsourced IT person, but you're still, as the director of the firm, responsible to make sure and know what all those products are you've got in place and what they do and have some level of understanding of them.”

To hear more from Jack, tune in here.