Guest Blog Post by Bob Mann, Information Risk & Security Manager at Ofgem
Cyber security is a challenge that is constantly evolving. As security professionals, we take pleasure in following the trends and tackling the latest threat or challenge to the network over which we preside. What we sometimes forget is that the best cyber security policy on the planet is of limited value if the users don’t understand how to protect themselves, or how new threats may impact them. Microsoft (and others) release a series of patches regularly each month for our computer networks, but how often do we update the network of humans that rely on these machines?
Which is why, on 2nd May this year, OFGEM held its first Cyber Security Awareness Day. The aim was not to drill certain messages, routines or practices into the workforce but rather to educate and enlighten our staff on how and why the basics of securing a computer should be observed, not just from a business perspective but also from a personal one. Our aim was to focus on both the office and home environments.
We started therefore, in partnership with our cloud security provider Qualys, with a drop-in cyber security clinic. Staff who had a laptop/tablet issue, or just wanted to see how theirs measured up on the security scale, brought their device to the Qualys booth, received a demonstration of Qualys’ free computer scanning tool BrowserCheck and a quick education on how being up to date automatically enhances the security of their device (and often, the usability too). Security professionals from Dell, AVR International, CESG and OFGEM’s internal Information Security team also joined in, giving lectures and interactive seminars on the threats an organisation like ours faces on a daily basis, as well as the threats they themselves might encounter as they browse from home.
We focused somewhat heavily on training our staff on how to keep their own personal computers safe – security awareness should be a very personal thing. Teaching users the connection between having an out of date browser or old version of Adobe Acrobat and the ability of hackers to exploit these applications is essential in order to raise security standards across the board.
Dedicating a day towards educating non-technical staff, and keeping the day entertaining and engaging, was of course a challenge and incurred some outlay. But it’s a cost that will have a huge impact on the overall security posture of OFGEM, as hundreds of employees become more aware of what puts a computer at risk, and why this is a big issue – both for themselves on a personal level, and for us as the organisation they work for.
The Key Is Accessibility
Cyber security is never going to be an easily accessible field; there is simply too much jargon and technical knowledge required to make it a mainstream interest, which makes it all the more important for there to be simple ways to cover the bases. Initiatives like Qualys’ BrowserCheck are a fantastic example of this thinking in action – a free-to-use, resource-minimal dashboard that gives an overview of which software needs to be updated, and how to do so.
The feedback I’ve received, from participants and from the security professionals who helped make the day happen, has been fantastic. When you deconstruct any organisation, you end up with a network of humans – we spend so much time maintaining our computer networks, we forget that the humans, too, occasionally need updating. That’s what our Cyber Security Day was – a security patch for the human network of OFGEM.