Derek Bishop


Security is a state of mind

Date added: 22nd Apr 2015
Category: Organisational Culture Change

Instilling a security-minded culture is not difficult but it could just make a lasting difference to organisations, their customers and the wider society.

It’s an innocuous diversion in a busy day; the e-mail which pops into your in-box and purports to confirm an online order or to chase an unpaid invoice.  Because it seems so quick to deal with you prioritise it, setting aside that long winded meeting memo which you are not really sure if you needed to read anyway, you click on the attachment in an attempt to identify which department the e-mail needs to be sent on to.  Quick, simple, and yet in that one click you have potentially introduced a virus into your organisation’s mainframe.

So what went wrong?  Why was it so easy for the fraudsters to gain a foothold?  True, the firewall and security protocols should have been strong enough to block the mail but also true, increasingly these messages so closely resemble valid inter-company messages that identification is not always possible.  In mitigation, you may argue that your in-box should not have been so crowded that if you saw the chance to shift one quick message on you would take it.

Looking deeper, we may blame the psychology of e-mails; the ingrained social response which such e-mails engender.  Research released in January 2015 from the University of Buffalo showed that the style of ‘information rich’ e-mails increasingly adopted by fraudsters “alter recipients’ cognitive processes in a way that facilitates their victimization.”  So words which emphasise urgency or invoke fear, such as a warning about an overdue invoice, are designed to trigger a subconscious response.

But at heart the real reason is that security was not embedded as a state of mind within the organisational culture.  Stop and think or check before you act, are simple messages but they are ones which if ignored can lead to unfortunate consequences.  And this check response is not confined to phishing e-mails either.  Witness the story in the news this week about the convicted fraudster who used his mobile whilst in prison to set up a fake website.  He then sent prison officials a message from the site to the effect that he was to be released on parole and thus escaped from prison.  A simple series of checks would have shown the site to be false, particularly as he misspelt the name of the court on his fake website.

It’s a simple example but it is one which shows the benefit of instilling a culture of security in any organisation.  Sadly in too many businesses, security and risk is seen either as someone else’s problem or as a tick box ‘read this and sign’ exercise.  But for those organisations which do successfully create a security-minded culture the rewards are obvious.  How do they manage it?  Well the ways are many and varied but the key is to repeat the message on a regular basis in a way in which it resonates with people’s attitudes.  So, having competitions to spot potential security breaches, rewarding foiled attempts and sharing tales of potential fraudulent activity can all help to reinforce the message.

Fraud, security breaches, risk failings; all not only have the potential to directly harm employees and the organisation but also to damage reputation and the customer relationship.  Depending on the nature of the breach, customer confidentiality or third party safety can also be on the line.  The only way to put an end to fraudulent e-mails is to create a cross-organisational culture which prevents the e-mails from being effective.  Every time someone clicks, criminals are rewarded; every time the e-mail is blocked or deleted the attempt is frustrated.  Instilling a security-minded culture is not difficult but it could just make a lasting difference to organisations, their customers and the wider society.

Leave a Reply

Your email address will not be published. Required fields are marked *