May 21, 2021
Dr. Jessica Barker has undoubtedly become the face of the human side of cybersecurity, so it goes without saying that she was a very welcome addition to the 2021 Atlantec Festival line-up. Paving the way for prioritising the human layer and showing that there is no one career path or background in cybersecurity, Jessica represents a whole new perspective in the industry.
Speaking at the 2021 Atlantec Festival, she explains the indispensable role of people in cybersecurity. When asked about the concept of humans being the ‘weakest link’, Jessica refutes this discourse, explaining that the label is not only inaccurate but also potentially harmful to those on whom the blame is placed. She believes that labelling humans as the weakest link in cybersecurity is a superficial fix to a deeper problem. It also disregards the important role that people play at all stages of cybersecurity. She raises the issue that people are too often referred to as the weakest link, yet in the cases where they are in fact the strongest link and prevent attacks, we rarely hear about it in the news.
Without people, there would be no cybersecurity.
There would be no one to design infrastructure, test systems, report issues, or respond to incidents. To dismiss this fact, and thus neglect the role of humans in the cybersecurity process, could be harmful to businesses that rely too heavily on technical security and gloss over security awareness training by treating it as a tick-box exercise. Jessica describes how people often focus too much on awareness raising, when in reality preparing people for cyber attacks is much broader than this. She speaks about how we can influence employee behaviour and foster a culture of security that considers beliefs, values, and norms. In addition to official policies, procedures, and training, the culture of an organisation is just as important in shaping the informal practices and assumptions around cybersecurity. It is not enough to focus only on metrics and quantitative data from phishing simulations and similar tests. Such metrics alone are not an accurate measure of people, who cannot be assessed and represented purely through empirical data. Understanding the security culture of your organisation is therefore a vital tool in your ongoing security strategy.
She also explains how humans are instrumental in other aspects of cybersecurity, pointing out that cybercriminals are also human and capitalise on error, both technical and human. Cyber attacks also have real-life human consequences, as illustrated by the recent HSE ransomware attack, in which patients' data was compromised and healthcare was disrupted. This further proves her point that humans are an essential part of cybersecurity at all stages.
Building on the culture of security, Jessica emphasises the importance of positive reinforcement in giving employees the confidence and tools to deal with cyber attacks. She stresses that scaring people into complying is not effective and that scaremongering is not useful. Creating such negativity around cybersecurity may actually have the undesired consequence of alienating people and discouraging them from reporting security events. Instead, people should be encouraged and shown that they are in fact the solution and not the problem. If this is the culture that you promote, people will live up to this expectation.
It is also important not to overwhelm people with every do and don’t of cybersecurity. Cybersecurity should be practical and accessible, communicated in bite-size messages. Jessica explains how this is a much more effective model of security training than simply bombarding people with information. By giving people real-world examples of how things can go wrong, but also how they can be prevented, people are able to see how vital they are in achieving cybersecurity.
This is a formula that we at CyberPie are big fans of: it shows that even the smallest effort to improve your cybersecurity can be critical further down the line, and that manageable portions of information will be far more beneficial than intensive, fear-based cybersecurity training.