As Web4.0 – the symbiotic web – continues to usher in increasingly sophisticated cyber threats, including supply chain attacks, UGC-enabled fraud and AI-generated BEC attacks, the UK Cyber Security Council explores the importance of a conceptual shift in what cyber security means for non-expert users.
Cyber security is of increasing relevance to individuals but remains underutilised and misunderstood. For many, cyber security appears cumbersome or repetitive: installing firewall software, being slowed down by Two-Factor Authentication, or undergoing compulsory training on why you should never use public networks.
It is an issue with security in general: the feeling of always being told “No”.
As threats grow in severity and complexity, it is time we see cyber security as an ally rather than a blocker. IBM estimates that human error accounts for 95% of all data breaches, which cost UK companies an average of £3.4 million in losses.
In other words, security concerns are not just for the IT Department. It pays for the whole team to see cyber security as essential to good business practice. With 46% of all cyber breaches impacting businesses with fewer than 1,000 employees, even smaller businesses are a target for malign actors.
In the 1970s, James Anderson, a pioneer in information security, invented the ‘reference monitor’ concept, whereby the reference monitor is a box. On one side, you have active entities such as hackers and users, and on the other side resources, or things we want to access. The idea is that as actors try to reach passive repositories, cyber sits in the middle deciding whether to allow or disallow access.
The model is not comprehensive and does not consider that two subjects can communicate, but it demonstrates an early-stage conceptualisation of what cyber security is and what it represents. That is, something restrictive and defensive.
As the cyber security profession has developed, the effort to protect our systems is increasingly seen through a more multifaceted and collaborative lens. Cyber security is gaining appreciation as an enabling force, as small pieces of security and relevant protocols can allow subjects and objects to communicate safely. A key example is the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols, which encrypt data between your browser and a site's server, ensuring that sensitive information such as credit card details remains secure during online transactions.
Across organisations, there are several ways cyber security acts as an enabler, facilitates best practice and helps deliver value at a strategic level, going way beyond ticking compliance boxes.
Security as an Enabler of Early-stage Adoption
Despite the potential benefits of 4.0 technologies, adoption has not kept pace with expectations. Security concerns have a large role to play in this disparity.
A key example is in manufacturing, the second-most attacked industry, which has OT assets – the software and hardware used to control industrial equipment. Whereas previously these devices were controlled by on-site personnel, OT devices are now connected to IT networks, making them an ever more attractive target for attackers. These malign actors can now move across networks and IT and OT systems. The IBM Security X-Force Threat Intelligence Index estimates that malicious actors using OT increased by 2200% in 2021 alone.
When cyber security keeps pace with innovation, it enables the rapid adoption of new technologies without the unmanaged risk of intellectual property theft and production sabotage. A security-first approach to the introduction of new interconnected systems not only helps block threats but also enables firms to stay competitive, relevant and ahead of the curve in key technological advances.
These concerns also have a direct impact on the development of cutting-edge solutions in the first place, as manufacturers might be reluctant to invest in new technologies and R&D efforts if they perceive a high level of security risk.
A Culture of Security Promotes Confidence and Loyalty
For organisations, data breaches or cyber-attacks can also cause significant reputational damage, impacting customer trust, revenue and brand value.
The Ponemon Institute and IBM’s "Cost of a Data Breach" study revealed that 65% of consumers have lost trust in a company after a data breach.
Companies who treat cyber security measures as purely procedural miss opportunities to make security intrinsic to their brand and reputation. In choosing security by design, businesses can demonstrate to customers that they have a strong track record of protecting their personal data.
When customers start from a position of increased confidence and trust in services, in the unfortunate event that something does go wrong, they are more likely to overlook a breach without being wary of continuing business.
Research by PwC’s Tech Effect series demonstrates that customers understand that sometimes even the best security systems fail – what they care about is company attitudes towards data. When surveyed about their reaction to a company suffering an incident that affected their data or privacy, only 27% claimed that they would withdraw their business.
Where customers are less forgiving is when they feel companies do not place enough importance on data protection. 62% of the same consumers said they would wait to see how the company responded before seeking an alternative provider.
When you prove to customers, investors, regulators and employees that you respect their data, your company is much more likely to maintain long-term relationships.
Cyber Security Knowledge Strengthens Professional Responsibility
Cyber security awareness and best practices are, ultimately, an attribute of quality work, in the same way presentation, thoroughness and attention to detail may be. Staff are often the first line of defence in the event of an attack, and the more equipped they are, the more efficient and secure an organisation becomes.
Employees who have strong cyber security skills are generally more reliable, trustworthy and better at handling heterogeneous data. Cyber security training also often stresses the importance of ethical behaviour, which can keep teams vigilant and conscious of their digital conduct. More information on ethics in cyber can be found in the UK Cyber Security Council’s Ethical Declaration.
Promoting increased cyber awareness involves implementing a strategy across the entire organisation, mapping clear security goals, starting with C-level executives through to more junior roles. This not only benefits the professional development of individuals but makes the entire organisation more agile.
Increased professionalism can be achieved by ensuring the basics are covered. Well-known security protocols such as TFA and HTTPS may be repetitive and feel like blockers, but they are the most consistently reliable tools for ensuring cyber security is maintained. Communicating to employees how this ensures competitive advantage and upskilling can prevent them from seeing it as a chore.
Security Helps Ensure your Business is Resilient to Staff Turnover
The upskilling of staff not only makes teams more versatile but can also make businesses more resilient to change.
Cyber security knowledge requires an understanding of multiple technologies, platforms, and software. This versatility means that individuals with cyber security expertise can adapt to different environments, industries and projects.
More importantly, the strength of security processes within a company and the level of cyber security knowledge across teams help ensure business continuity and security in the face of change.
Today, most employees, even at the entry-level, need access to a company’s secure network for communication and filing. Companies with high employee turnover rates can face greater threat risk, which has only further increased with the rising adoption of cloud applications and infrastructure.
Implementing a comprehensive security training system for all new hires, not just those in tech roles, enables the easy onboarding and off-boarding of employees so that a clear plan is ready well in advance.
We often think about the value of having clear systems in place to our external business reputation, but less consideration is given to the company’s reputation among employees themselves – who might see an organisation without robust security procedures as dysfunctional. A recent study from Aviva reveals more than half of UK employees are worried about the level of their employer’s cyber security, with younger staff being particularly concerned.
With 64% of employees likely to leave a new job within their first year after having a negative onboarding experience, cyber security could even enable better staff retention in the first place.
Overall, cyber security does not just block and prevent the worst – it enables companies to perform at their best.
The enabler versus blocker binary is just two sides of the same coin, but it’s a more helpful way to think about cyber security, especially as more of us work from home, manage online teams and recruit globally, making cyber hygiene essential to professionalisation and brand management – for consultants, SMEs and large corporates alike.