Cyber-security fines - too much stick and not enough carrot?
Over the past couple of years, there has been a concerted effort by the government and regulatory bodies to increase the penalties for organisations that fail to properly safeguard their most valuable data. In the latest move to show they mean business, this month the UK Government announced that firms in critical industries - such as energy, transport, water and health - could face fines of up to £17 million if they fail to protect themselves effectively from cyber-attacks. Monetary penalties have become the default method for incentivising companies to take the issue of cyber-security seriously.
There is no arguing that penalties are effective, especially when tied to comprehensive regulation. The GDPR, for example, has undoubtedly forced thousands of companies to look at their practices and develop a better security posture. Considering the devastating effect that a lapse within one of the critical industries could have, there are few that would argue against harsh fines for companies that are not taking every possible precaution.

However, there is a risk that this creates a culture where organisations purely react to punitive measures by government, rather than taking positive steps to improve their own cyber-security for the benefit of their customers and staff - something many organisations should naturally want to do. There is an argument to be made that penalties have to go hand in hand with guidance and help, but often that second half of the equation isn't as well detailed.

For example, while the £17 million figure dominated reports, within the cyber-security industry there was greater recognition of the detailed guidance the NCSC published on the same day to help organisations comply. I wonder, however, how many of the companies saw beyond the fine in the headline?

The prevalence of stick over carrot might go some way to explaining why, despite the well-known four percent fine figure of the GDPR having been bandied about for a couple of years now, recent reports have shown that 60 percent of European companies are still unprepared for GDPR, largely due to lack of awareness.

Changing the language of security

If we ask ourselves why companies aren't naturally taking positive steps to improve their security, in truth, the fault probably lies with security vendors. If the role of government is to penalise bad behaviour, it is the role of the security industry to engage with organisations and educate them on the benefits of good security, and in this we are clearly failing.

Too often vendors focus on the looming, overbearing, external threat, and do not talk to the user within the organisation - be it CEO or intern - to help, explain and incentivise good behaviour within. As everyone who works in the industry knows, the language of security is resoundingly negative. The message security vendors, or security teams within an organisation, send to workers is "no" - you cannot do what you'd like to do, whether it be downloading software, sending an email, or clicking a link - many of which are vital business functions. All security solutions "block" and "stop"; they very rarely "help".

As a result, a combative relationship is created between the security solution or vendor and the end-user. Unfortunately, without the user's buy-in, these solutions do not have the desired effect. If users are told "no" to sharing files over Google Drive, or to visiting the website they need, they will likely find a workaround, which is often more dangerous than what was blocked. Perhaps this is why, despite increased investment in security technologies, data breaches continue to rise. After all, employee error accounts for nearly 60 percent of privacy failures, according to Gartner.

In order to address this issue, the security industry needs to focus on positively engaging the user. It needs to make the case that security and productivity are two sides of the same coin - not to the IT department, or to the board that probably does care about the fine, but to the average employee, whose hand is behind the mouse.

Ultimately, most people want to do the right thing; no one wants to be responsible for the fine that gets their company splashed across the front page. The government has a responsibility to enforce security on a national level, and fines are its leverage to do so - although more guidance and support for companies would be admirable. The cyber-security industry, on the other hand, as the provider of solutions that claim to help organisations, has a responsibility to engage with them and make it simpler and easier for people to do the right thing.

Tony Pepper is co-founder and CEO of Egress Software Technologies

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.