People: the unsung heroes of cyber security

Created:  15 Mar 2017
Updated:  15 Mar 2017
Author:  Jon L
People are the strongest link

On Wednesday morning at CyberUK In Practice we started a conversation that we've been pondering for some time. It's very easy in cyber security to fall into the trap of describing people as the weakest link: "they shouldn't have clicked on the link" goes the cry; "why did they open that attachment?". Bemoaning the "wetware problem" has become standard fare at times.

We respectfully disagree!

We think people are the unsung heroes of cyber security. We want to put people-centric thinking at the heart of cyber security. We'll be doing lots more about this in the weeks and months ahead. But to whet your appetite, here's the video which Emma W showed this morning at CyberUK, which outlines our thinking.



Mike Gillespie - 16 Mar 2017
As a career security professional I thoroughly welcome this discussion, and could not agree more.
One of the continual challenges in security is getting security managers to see security as a business enabling process that embraces and empowers users, that allows business managers to risk assess the use of their information assets and that empowers organisations to fully exploit their information in a safe and secure manner.
Thank you for saying something we have said for a long time.
David Booth - 18 Mar 2017
Agree with Mike, but there is a limit to the role of the user, which depends on the quality of the awareness training, the climate within the business to encourage a defensive attitude and an acceptance that some user reports may be false positives.
Russ Smith - 21 Mar 2017
Good article and comments. Agree very much with the need for awareness training including easily seen visual aids, posters, information on Intranet, etc. Gently and continually reinforcing the training seems the only way to get it into a User's psyche by making it as unobtrusive and familiar as possible.
It is, after all, possible that no matter how good your security measures may be, it all comes down to an individual making the right decision at the right time. Scary but true!
Gary Askew - 24 Mar 2017
It was a common phrase for a long time in Security that "there is no patch for stupid people". People aren't stupid! Naive maybe, uninformed possibly but not stupid! Campaigns such as clunk-click, think before you drink before you drive, smoking kills etc. have proven behaviour can change if the message is right. The basic now wash your hands message in toilets as a basic hygiene process has prevented the spread of many infections. We just need to get the simple measures communicated in a way people can use to reduce Cyber risk to themselves and others and build from there.
Marc A. HENRY - 05 Apr 2017
Excellent, security offices tend not to listen and deliver rigid solution, not end user tested always, requires end user validation, helpful security solutions are faster adopted chocolate...
Richard todd - 25 Apr 2017
I've seen some very restrictive practices where a little education on principles, good practice and conduct around risks, trusted sites content, malware and professional scepticism around social engineering might be as effective. If a picture speaks a thousand words, awareness and principles could portray a vision.
NCSC Communications Team - 21 Aug 2018
This blog is now closed to comments.