Tackle cyber risks by addressing employees’ IT habits, says APMG

Businesses who want to assess their cyber risk posture, first need to bring cyber security habits into the office. Investments in high-quality, expensive cyber security suites will go to waste if organisations fail to address employee naivety of basic cyber security essentials, according to APMG International and Templar Executives.
Speaking at the APMG International Showcase, Andy Taylor, CLAS Consultant and Lead Assessor at APMG, and Andrew Fitzmaurice, CEO of Templar Executives, discussed why cyber security begins in the office and can only mature when organisations begin the process of assessing themselves for weaknesses within their own networks.

Delivering the masterclass speech ‘Cyber Security: Best practice strategies to identity and combat the threats of cybercrime’, Andy Taylor explained the difficulty organisations face in overcoming the complexities of cyber risk.

“Cyber security is a challenge for most businesses primarily because of the layers that accumulate. Organic growth often goes against the grain of logical planning, but unfortunately that’s the reality that most businesses face. Overlapping systems build up over time and the coming and going of employees each with different IT habits creates complex and multi-faceted cyber environments for companies to manage and navigate. With employees coming from different backgrounds and industries joining an organisation at various points in its development, each with their own ideas on how to approach cyber security, you end up with a disjointed approach. It’s not about age; it’s entirely about behaviour and some employees are more naïve regarding basic cyber security habits than others.

“The urge to solve these problems by sinking funds into insurance, security suites or firewalls needs to give way to a broader more in-depth and organisational perspective,” Andy added. “The method for managing the risk to your organisation begins with analysing and assessing these layers, so in terms of repositioning an organisation to face risk in the best possible way, business leaders will need to bring about significant structural and organisational changes. With tools such as CDCAT, which help to translate the complexity of cyber security into more manageable actions, we can begin to demystify cyber security and channel the discussion toward what it’s ultimately about; management techniques and business practice.”

Echoing these sentiments, Andrew Fitzmaurice, CEO of Templar Executives added that offices need to construct ‘key enablers’ in order to achieve organisational best cyber security practice.

“Your organisation’s online capacities do not simply turn off when you leave the office. It is always online and always open to intrusion. Facing this reality, offices can begin to construct better company security cultures as a first step,” Andrew said. “Considering that 100% of all cybercrime victims had installed anti-virus or cyber security suites, the problem is one of user-habit. Furthermore, 100% of known breaches involve stolen credentials. For the most part, these credentials are offered up by the victim, either by persuasion or ignorance,” Andrew explained.

“It is a matter of IT maturity, in terms of employee awareness and the tools they are using. Security programmes, cyber insurance and high control safety systems are useless when someone wants to disobey the rules. In the face of human nature, it is best to nurture positive security habits in the office, than simply enforce cyber security procedure,” Andrew explained.