Why Not Just Switch Off Every Electrical Device and Live in a Cave?

I am on the record on several occasions for coming out in support of the UK government’s cyber initiatives, including the Ten Steps to Cyber Security (Ten Steps) and their more recent Cyber Essentials. So, I was a bit surprised when a business owner asked if he should backtrack on his recent “smart phone for all” bonus for his employees. When I asked him why, he mentioned an article he had just read in the Telegraph, titled “Spooks tell business: Consider stripping staff of smart phones to avoid cyber attacks”.

Clichés, oh clichés.

The same article then trots out the typical “your staff are the weakest link” cliché. Oh, let’s not forget the bit about being blackmailed by spies! What better way to draw attention to an article than to use an attention-grabbing headline, even when it’s not quite accurate and somewhat misleading? What’s even more displeasing is the way the article tries to impress the reader by implying that this information has been “seen”, instead of mentioning that the Ten Steps is publicly available and accessible to every business. In fact, what the article is referring to is merely an updated and revised version of the UK Government’s advice that was first issued in 2012. So ditching the phone stops cyber attacks, right? Put simply: No.

Why, you may ask?

  • Most people are not going to ditch their smart phones. I know I will not.
  • In fact most now carry multiple smart devices including a tablet, a phone, and more recently smart wearables like watches.
  • Any organisation that has a forward-thinking, revenue-generating strategy will already have adopted a mobile-first strategy.
  • Just a few days ago the much loved, and sometimes loathed, Uber was named the most valuable transport company in the world, even though it does not own any vehicles of its own. Could it be because it has a mobile-first strategy?
  • Cyber attackers will simply find some other way to attack a business. They could even consider reverting to the good old ways of targeting your laptops and desktop computers!

To be fair to the government, they appear to have taken a sensible and, I would argue, risk-based approach. Below is an excerpt of what they say: “Consider the balance between system usability and security.” Yes, there is the bit about external drives like USB sticks, which have been the cause of many a hack and many sleepless nights for security teams. I discuss the approach to this headache further down.

Next, humans, you guessed it, will be humans!

It’s getting very tiring, borderline exhausting, having to hear that staff, who happen to be mostly humans for now, are to blame for all cyber security woes. This needs to stop. Stop declaring the human as the primary problem. Yes, you and I, us humans that is, are part of the problem, but being flippant about it is not the way to solve this problem.

Again, the government have taken a balanced approach and do not bang on with “it’s your staff’s fault” pronouncements. At least that’s how I have read it. Here is what one paragraph from the Ten Steps document set says: “Without exception, all users should be trained on the secure use of their mobile device for the locations they will be working in.” To me that sounds more like: “You businesses out there, spend some money and educate and train all your users.” I concur.

Yes, Mobile Is Insecure, But…

Mobile working is insecure. But any device, including your new TV and your old laptop, is insecure as long as it is switched on! Mobile working has several benefits that both employees and organisations recognise. So accept the facts and have a plan to prevent, detect and respond.

The Ten Steps document contains some good advice that I would encourage all to read and understand. In the meantime, I strongly recommend that every business owner:

  • Stop blaming the employee for all your cyber security problems.
  • Support the employee with the necessary technology to ensure that ‘mistakes’ cannot happen easily.
  • Yes, there is sufficient technology available today that can help prevent and detect cyber attacks.
  • Some technologies to consider are automatic VPN connectors, micro-virtualisation technologies and encryption technologies. Please engage KC for more information on how we can help you.
  • What the government is actually saying is: be pragmatic, understand the risks, and educate the users.
  • Last, but not least, accept the facts, review the threats specific to your company, understand the risk and have a plan to prevent, detect and respond.

Finally! Cut the Government a Break! Seriously.

To be fair to the government, it is quite hard producing a document that fits every organisation’s risk profile. The analogy of one size fits all comes to mind. In my own customer dealings I have had more senior board members and business owners ask me about cyber security as a result of the UK government’s efforts to make cyber security a board issue. Finally, please take a risk-based approach and spend some time understanding the threats and those attackers that would want to target your company. Cyber or not, this is common sense threat and risk management. There’s no point in spending on technology and preparing for spies monitoring your employees if you, for example, are producing regular cleaning products. In such a company it would make more sense if effort and time were spent on preventing insiders leaking financial or human resource data. That’s what I recommend, and that’s actually what the government is trying to say.

You can read about the UK Government’s Ten Steps to Cyber Security here.