Over the past year, nearly a third of UK organisations have suffered from a cyber security breach. Of these incidents, 80 per cent involved phishing, according to a recent poll by DCMS, Ipsos Mori and the University of Portsmouth, with emails often impersonating a senior colleague asking an employee to carry out a special task.
The human side of cyber security, says Dr Jessica Barker, co-founder of digital consultancy firm Cygenta, “stretches far beyond hackers”. The way that people interact with technology is a “legitimate social science”. And organisations would do well to understand that computers, and the protective tools we install on them, are only as effective as the people who have to use them.
With an academic background in the humanities and civic design – not a typical mix for a cyber security professional – Barker is perhaps better attuned to these nuances. A self-confessed “people watcher”, she is “fascinated” by human behaviour and psychology. “Why do people click on the things that they click on?”
Barker studied politics and sociology at the University of Sheffield, graduating in 2001, before working as a researcher at the Northwest Development Agency. Between 2005 and 2010, she completed a master’s programme and PhD in civic design at the University of Liverpool, specialising in place-making and social inclusion. Her research, she explains, explored the impact of technology on people’s daily lives. “I was looking at how the internet affected places and organisations… digitisation of services, things like that.”
After finishing her PhD, Barker was headhunted by a cyber security startup operating in the defence industry. “At the time, the cyber security conversation was all about firewalls and hackers… there weren’t many people looking into the human side of things, to do with people’s habits, moods and so on. So they were interested in how they could manage their human resources alongside their technical capabilities.”
The move into cyber security has proved enduring. In 2014 Barker co-founded Cygenta with her husband; the firm “carries out penetration testing and cultural assessments and offers cyber security training for different-sized organisations”. Three years later she was named one of the top 20 most influential women in UK cyber security by SC Magazine. Since April, she has been chair of ClubCISO, a members’ forum for chief information security officers.
Cygenta has worked with clients such as Bupa and several global banks, and, as Barker puts it, aims to “help organisations improve their physical, digital and human security.” Physical security, Barker explains, could refer to something “as basic as who has the keys to what… things like fences, cameras and access control systems.” Digital security is “the obvious stuff, like whether an organisation is keeping up to date with its hardware and software.” Cygenta’s human security brief, meanwhile, focuses on improving “organisational culture”.
People can be susceptible to social engineering and spear phishing, Barker points out, and fraudulent emails are becoming more convincing. “There’s information out there about us that’s publicly available [online] and criminals might track their targets so they can be strategic about what they send over.”
Modern phishing emails, she continues, can be designed to “intimidate or even flatter” members of staff. Cyber criminals might impersonate people’s bosses in a bid “to have more authority over them.” They could use complimentary tactics to cajole them into doing something, such as “telling an employee that they are being hand-picked” for a particular opportunity because they are the most trusted person in the organisation.
Helping employees to become more “vigilant and alert to their inbox” is Cygenta’s bread and butter. “We try to show people the triggers they should be looking out for,” Barker says, adding that speed is not always the answer. “If people are slower to read through their emails, they can concentrate on what’s been said and how it’s been said. Maybe they’d see that an email wasn’t signed off in the way it was supposed to be.”
But to think of cyber security purely in terms of absent-minded employees not reading their emails carefully enough would miss the point. “From an organisational point of view, the more emails people get, you have to accept, the more likely it is that they are going to be a victim [of a spear phishing attack]. The busier you are, the more stressed you are likely to be. So the first step is to think about how you can manage that workflow and reduce stress for people.”
Choice of language, Barker highlights, also plays an important role in determining how engaged or aware staff may be when it comes to cyber security. “If you want your employees to be engaged, if you want them to perform well, then you have to think carefully about how you communicate with them. If you focus on the bad things that will happen if they make a mistake, that’s less likely to engage them than if you tell them what they can do to protect the organisation, and how important they are in doing that.”
What, then, does constitute a good cyber security culture? “Organisations need to have a culture in which people feel comfortable to admit their concerns,” Barker says. “The worst kind of security culture is one in which people feel afraid to admit they’ve clicked on a link. The longer that an incident is left, the more damage it’s likely to do.”
When it comes to actual cyber security training, Barker recommends that organisations move away from the traditional, laboured “click and read” approach, with yearly sessions at best. “If you really want to shift behaviour, then there are more interactive solutions. At Cygenta, we organise live hacks. We can come into organisations and show them what happens in the event of a cyber breach. Cyber security can be extremely technical, so we do our very best to demystify it.”
For Barker a good cyber security strategy hinges on striking the right “balance” between humans and technology. “You need to make sure that humans are aware of cyber security risks in general,” she says, “because that at least gives them a chance of dealing with some of them. But that’s not an excuse to not update your software or hardware regularly.”
Technology, Barker says, can help make cyber security less of a burden. She recommends password managers [desktop or cloud-based apps that store complex login credentials for multiple accounts], which require people to remember a single strong master password in order to access many others, rather than keeping up with the long list that most of us have. What if a password vault gets hacked? “A password manager is [still] less risky than a human trying to remember lots of different 15-character passwords.”
Ultimately, Barker says, cyber security is no longer an issue “exclusive to IT departments.” As the world becomes more digital, individuals and organisations have a responsibility to adapt to it. The former civic designer quips: “Nowadays, all issues are tech issues, to some degree, aren’t they?”