Stéphane Nappo, Global Head Information Security, Société Générale International Banking
“The thickness of a wall is less important than the will to defend it”
Thucydides, 5th century BC
Education has always been a prosperity enabler for both individuals and corporations. This is also true for cybersecurity culture. The human factor is the easiest way to attack a system. According to some studies, “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior”. That being so, it is surprising to see enterprises attempting to mitigate this risk with almost exclusive investment in technology.
Misuse, social engineering, negligence, malevolence… No technology is immune to bad human use. The human factor is too often neglected, and we should not forget that people are at the center of the digital transition. Whether they are customers or users, investing in people’s cybersecurity awareness and training is a great investment and a fundamental need.
In our increasingly digital society, cybersecurity culture is a key element of the defense ecosystem. An accurate vision of digital AND behavioral gaps is crucial for consistent cyber-resilience. For example, preferring comfort to security, connecting an infected USB key, stealing data when changing employer, underestimating the spam/phishing/ransomware concern, or hiding a security incident all depend largely on the human factor’s cybersecurity culture. The following are five main areas for action:
A matter of trust: “the user is not an enemy and security is not a pain”
It’s time for enterprises to help their employees deal with cybersecurity. It’s also time to correct the perception of security. Security is not an inconvenience. Its role must be explained, and security teams must pay close attention to the user experience and to clear user information. Cybersecurity must be viewed as a convenient and essential business service.
Education improves both prevention and reaction
Inform users and C-levels about cyber-incident schemes and their potential impact on your organization in a clear and understandable way. Share cybersecurity knowledge as much as possible beyond the security team. Make it interesting for people! Furthermore, maintain risk consciousness and highlight reality by regularly explaining notorious incidents occurring in the world and the lessons learned for your organization.
Train users and management to respond to attacks
Crisis exercises, serious games and social engineering tests enable employees to detect an attempt and be ready to respond to it more effectively. Immersive simulation, based on a “surprise” scenario and involving real decision makers (Board members, Operational Risk Management, Communication dept, CIO, CTO, CISO…), prepares people to decide together and act collectively in the right way during a cyber-incident.
One size does not fit all
Transversal Enterprise Risk Management and collective awareness campaigns constitute a good first level, but they are not enough on their own. A specific role-and-risk-driven approach must be implemented for each sensitive population. Cybersecurity culture must be aligned with the attractiveness, specificity and threat exposure of each corporate key role.
Cybersecurity culture, a matter of procedures
Pointing out risky points is not enough to manage human error risk. Cybersecurity culture must answer questions like: “What are the vulnerable steps in my day-to-day job?”, “What can I do when I’m targeted?”, and “What will I have to do if I have already made the mistake?” This is where cybersecurity culture stands out most from classic awareness: identifying critical points in processes and providing safe procedures to secure each risky zone with appropriate practices.
“If you want to build security, avoid straining people, but rather teach them to be vigilant and to long for customer trust and satisfaction”.
In conclusion, cybersecurity culture can achieve more than a posture of prohibition; it is an essential complement to security technologies and one of the main components of the cyber-defense ecosystem and of cyber-resilience.
Stéphane Nappo has been Global Head Information Security for Société Générale International Banking since 2011. Present in 67 countries, this pole employs over 71,000 people and has 30 million clients distributed within 40 autonomous banks and 90 entities, all delivering financial services.
He has been a senior consultant specializing in IT security since 1995. His extensive training in telecom, business administration, and law allows him to take a unique approach to solving technological and business-related issues. He has worked for over 80 organizations in numerous sectors.
He implements conventional risk management methods with a systemic and pragmatic approach to complex problems. Based in Paris, he operates regularly in Russia, Central Europe, and Africa. His current mission targets digital services security, anti-fraud prevention, incident response and the digital transformation of information security.