Raising security awareness in the SME workforce: Some suggestions from history
Author: Dr Christopher J. Murphy, Senior Lecturer in Intelligence Studies/Programme Leader, MA/PgDip Intelligence & Security Studies, Directorate of Journalism, Politics & Contemporary History, School of Arts and Media, University of Salford
How can an SME workforce be persuaded to take cyber security seriously? Remove ‘cyber’ from that question, and we have a challenge that was recognised 70 years ago.
In the late 1950s and into the 1960s, two breaches of national security made front-page news in the UK: the case of the Portland Spy Ring [https://www.mi5.gov.uk/portland-spy-ring] and the Vassall Affair [https://media.nationalarchives.gov.uk/index.php/the-scandalous-case-of-john-vassall-sexuality-spying-and-the-civil-service/].
As a result of these scandals, in 1961 Lord Radcliffe was invited to lead a committee of enquiry into security procedures in the civil service. The committee was tasked with both reviewing existing security procedures and making recommendations for any changes that were felt necessary to improve security.
The committee’s final report was over 40 pages long, and contained numerous recommendations.
While the committee highlighted some practical steps that could be taken to improve security, it recognised that this wasn’t a problem that could simply be solved by employing more security officers.
Rather, the problem required a more holistic solution; the only way that security would really be improved in a meaningful sense would be by getting the whole of the civil service on board, to ‘buy in’ to the concept of security, and its importance. As the final report made clear:
‘In the following Chapters we examine the existing security organisation and procedures and make certain recommendations. None [of these recommendations] is in our view more important than those which are directed to the question of persuading Government employees that security is the concern of everyone in the Government Service.’ [The National Archives, INF 12/1324, https://discovery.nationalarchives.gov.uk/details/r/C10949749]
Compounding this, it was recognised that persuading the civil service en masse that security was everyone’s concern would be a tough ask; the key problem here was the fact that the ‘threat’ against which security measures needed to be taken was somewhat vague. The British government, Whitehall and the intelligence agencies were fighting the Cold War against the Soviet Union, but this ‘shadow war’ didn’t represent an obvious period of conflict for the general public. As the Report observed:
‘The biggest single risk to security at the present time is probably a general lack of conviction that any substantial threat exists.’ [The National Archives, INF 12/1324, https://discovery.nationalarchives.gov.uk/details/r/C10949749]
To address this lack of awareness of the threat, the committee proposed a programme of security education. Not security training; only people who worked directly ‘in’ security were felt to require detailed, in-depth technical security knowledge. What the broader civil service workforce needed was a more general understanding, and appreciation, of why security was important. This would, it was hoped, impact on their day-to-day working behaviour, making them more security aware.
To make this campaign work, it was felt that it would have to be firmly rooted in reality, explaining to the public the nature of the espionage threat posed by the Soviet Union and the consequences of poor security, based on information that would usually remain classified and not made widely available. If civil servants could be engaged and enthused, through interesting real-life stories of espionage, it was felt that this would help them to understand the important part they had to play in ensuring that security was maintained.
This necessarily brief summary of efforts to improve security in the civil service in the 1960s alone is enough to offer some observations that echo with the contemporary challenges of cyber security and warrant further discussion:
1. While today’s technology would have been unrecognisable some 60 years ago, the ‘human factor’ has remained constant. The issue of human behaviour as a contributory factor to problems in practising good security, something that regularly appears in discussions of cyber security (see for example: https://www.bbc.co.uk/news/technology-47253869), is not new. Past efforts to address this problem should therefore be studied in order to assess their effectiveness.
2. The lack of conviction that a clear, tangible and substantial ‘threat’ existed during the Cold War is, arguably, similarly present today. The media’s presentation of cyber threats has not been helpful in this regard; stories of cybercrime, ransomware and so on tend to be illustrated either with the image of a computer monitor displaying glowing letters and numbers, or with the image of a hooded figure hunched over a laptop against a black background (see for example: https://www.bbc.co.uk/news/uk-scotland-59054590): a digital ‘bogeyman’ that does little to inform the reader about the reality of the threat emanating from the ‘troll factories’ of Russia or elsewhere.
3. In the absence of a clearly identifiable threat, how do we engage a contemporary workforce that fails to see its role in the maintenance of good cyber security? The need for issues to be illustrated using engaging, real-life stories, drawing attention to the consequences of poor security for an audience not interested in security in general or in the mechanics of cyber security in particular, is surely a pressing one. Fortunately, it does not take a great deal of time to find the kind of stories that could engage employees and give them pause for thought; indeed, some of the exploits of reality TV star Kim Kardashian could offer an unexpected ‘boost’ for cyber security along the same lines as the late Jade Goody did for raising awareness of cervical cancer (see https://journals.sagepub.com/doi/full/10.1258/jms.2012.012095).
Stories about cyber breaches regularly hit the headlines. These incidents involve a wide variety of businesses and organisations, large and small, across a range of sectors, with recent examples including web hosting companies [https://www.itpro.co.uk/security/data-breaches/361624/godaddy-data-breach-exposes-over-12-million-customer-details], property services [https://www.express.co.uk/news/politics/1531403/simplify-group-cyber-attack-security-incident-purplebricks] and supermarkets [https://www.bbc.co.uk/news/technology-59683889], with consequences for staff and customers alike.
Further exploration of the above points could result in the development of a body of material suitable for dissemination in some form to employees; while not technologically sophisticated, this approach could help to address the human weakness in cyber security, to the benefit of the SME concerned.