Can we ever achieve cyber security buy-in?

A woman using her phone as a device for 2FA

If you ask IT professionals what their top concerns are, security will certainly be among the top five. Whether it’s preventing ransomware attacks, keeping up with patch management or trying to ensure users don’t click risky links, cyber threats are always lurking in the background, ready to cause a crisis.

While the idea of hackers trying to brute force their way into systems may make for better TV, internal threats – be they malicious insiders or employees falling for phishing attempts – are a far more common attack vector.

According to a report from Kroll published in November 2022, insider threats are actually increasing, making up close to 35% of unauthorised access incidents recorded in the third quarter of the year. The company also noted an uptick in credential theft, particularly via ‘smishing’ (phishing delivered by SMS).

One mitigation often put forward is increasing understanding and ‘buy-in’ from employees across the breadth of an organisation. What this actually means, however, can be hard to pin down, let alone implement.

Members of the IT Pro Network have come together to discuss exactly this problem and whether there really is a solution to effective security training for all.

Cyber security starts at home

“Something I have done in the past which has worked… Don’t look for buy-in for cyber security at work,” says Mark Evans, interim information technology director at construction firm Tilia Homes. “Teach people how to protect their children, their bank accounts, their car insurance, their NHS information, their banking details – those learned behaviours will come back into the business.

“People need to be aware that they have a responsibility to themselves to protect their data and that gives them all of the context they need in order to develop good cyber hygiene.”

Paul Watts, distinguished analyst at the Information Security Forum, feels the same, adding that making the conversation less ‘corporate’ can help people actually focus on what’s being said.

“When I was CISO at Network Rail, I borrowed a whole primary school year group. They came in and helped me get people talking about staying safe in cyber space. That was a great day and the business was much more receptive to a conversation with no corporate agenda (although the health and safety prep was hard work),” he says.

For some organisations, bringing cyber security at work and cyber security at home together is easier than for others. Peter Donlon, group CTO at online greeting cards business Moonpig, says: “One of the more successful approaches for me has been educating the company on what it is we need to protect and bring to life the consequences of not doing so. In our case holding millions of people's personal photos, messages to loved ones, addresses, etc.

“When you highlight what it is we're all trusted to look after and what the consequences of breaking that trust are, I've found it becomes easier to educate people on how they need to play their part.”

Speak softly and carry a big stick

While it’s good to be understanding and to want to educate, this attitude only goes so far if someone is unwilling to cooperate with, or participate in, an organisation’s cyber security strategy.

“You need to do everything you can to educate people of the importance, and constantly remind people,” says Gerard McGovern, director of digital strategy. “I like the idea of centring it on activities out of work that will then permeate into the workplace, but it must be backed up with consequences. If reception let someone into the office without checking ID, there would be consequences. The same must be true with cyber.”

Watts makes a similar observation, adding: “We've gone out of our way to demystify technology and make it more accessible without educating people on the risks.

“I do wonder sometimes whether that is on us as a community of practice; you don't give someone a car and expect them to know how to drive it without giving them some tuition first.”

A generational divide

IT leaders often face the challenge that different age groups are more or less adept with technology, depending on when digitisation became part of their lives. For the baby boomer generation, computers arrived relatively late in their careers. Many were in middle age by the time there was a computer on every desk, with the internet becoming ubiquitous even later.

For the younger members of generation X and the older millennials – once shorthand for ‘young people’ – computers have been around in some form or another for most of their lives. They still remember a world before the internet, however, which crept into schools, universities and workplaces when they were in their teens and twenties.

Now, it’s generation Z, often given the moniker “digital natives”, who are entering the workplace and shaking things up, having never known a pre-internet, pre-PC world.

Yet while these younger generations may be more tech-savvy, they’re not necessarily more knowledgeable when it comes to cyber security.

“Yes, younger people who have grown up with technology are generally more familiar with digital apps and devices and may be more comfortable using them,” says Craig York, CIO at Milton Keynes University Hospitals NHS Trust. “However, being tech-savvy doesn't necessarily equate to being more aware of cyber security concerns. The younger generation at my organisation are perhaps more lax about cyber security than their older counterparts.”

In Watts’ experience, not only are younger people no better at cyber security than their older counterparts, they bring a whole new wave of challenges.

“You've only got to look at the herd mentality when following a trend on social media, a new (unproven) app that an influencer shoves down their throats, they will literally do anything for 'likes' and, of course, FOMO [the fear of missing out],” he says.

“I always thought the young would … pay more attention to their digital persona and footprint. I'm being proven very wrong there.”

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.