18 Dec 2023
by Rhianne Short

Cyber security was ignored. Scrooge didn’t care for password managers or anti-virus software. He wanted optimal productivity, and he was growing his business, not spending on it.

His trusty chief information security officer (CISO) Bob Cratchit, cautiously broached the topic of cyber security: “As we are shutting over Christmas, we should implement security measures to protect our funds, and clients’ and colleagues’ data.”

“Humbug!” exclaimed Scrooge grumpily. “A poor excuse for picking a man’s pocket.”

After spending the evening at the pub with free Wi-Fi to check company systems, and USB charging points at the tables for his work phone; client data cleansed and finances corrected, Scrooge headed home and fell into peaceful slumber.

It was strange when Bob Cratchit’s face came to him in a dream. Bob told him he needed to learn essential cyber security lessons.

The mistakes of cyber security past

With a blast of cold air, Scrooge awoke with a start. In front of him was a young man who talked at length about data protection and creating a cyber security culture from the start, whatever that means.

He learned that it is a collective mindset and behaviour within an organisation that prioritises protecting sensitive information and technology from cyber threats. It involves being aware of potential risks, following security practices, reporting potential incidents, and fostering a shared responsibility to ensure a secure cyber landscape.

This man admitted to Scrooge that measuring something as subjective as the strength of a security culture can be difficult. However, measuring is important to create a security baseline, manage any associated gaps and risks, track its progress and improve it over time.

Scrooge was told that one way of measuring an organisation’s security culture is through employee surveys and feedback. This gives direct insights into the understanding and perceptions of cyber across the business.

Benchmarking is also crucial in measuring security culture. Scrooge tried to understand when he said you had to compare against industry standards and best practices to help identify improvements and continuously enhance an organisation’s security posture.

Benchmarking can be done by using data collected from training providers or security organisations, or by using the DSIT Cyber Security Breaches Survey, and speaking to other organisations via networks and forums about cyber security and their successes and challenges.

“You must learn from others,” the phantom warned, fading into the darkness. “You cannot do this alone.”

The mistakes of cyber security present

Scrooge woke for the second time to find a man he’d seen in the pub earlier, standing in his chambers.

“I’m the ghost of your present cyber security mistakes,” he answered, “and there are many.”

With the click of a finger, Scrooge and the stranger were transported into the pub from that very evening. Sitting at a table was Scrooge, tucking into his meal and periodically leaving his laptop to return to the bar, or visit the loo.

Around him were people engaging in festive cheer. To Scrooge’s mind, the worst type of frivolity.

“What is wrong with this scene?” asked the stranger. Many things, thought Scrooge, but nothing he was involved in.

Working remotely can be unavoidable, but it means there are more threats and security issues to be aware of.

Leaving a laptop unlocked and unattended like Scrooge did, could allow unauthorised access to sensitive information. Scrooge was told it is a significant security risk, potentially leading to data breaches or social engineering attacks. Devices should be secured and kept in possession to safeguard all data.

“Beware shoulder surfers!” warned the second phantom. “Limit access to confidential information and avoid observation of the tasks being worked on publicly. Don’t risk confidential information exposure”.

Scrooge was surprised to hear that public USB charging points can pose a security risk as malicious actors exploit these connections to transfer malware or gain unauthorised access to a device. This haunting was becoming really frightening, thought Scrooge.

But it didn’t stop there. Using free public Wi-Fi networks is another risk. They are often unsecured, making it easier for cyber criminals to intercept sensitive data such as login credentials. Scrooge was told to always use a virtual private network (VPN) or avoid accessing sensitive accounts and data while connected to public networks.

The phantom disappeared in a flash, leaving Scrooge to wonder on what he had heard.

The mistakes of cyber security future

Scrooge woke again and sat bolt upright in bed. His third visitor was a tall, smartly-dressed man, who beckoned him to follow.

Where they went was worse than anywhere he had been previously.  This was Scrooge’s office. But it wasn’t his name above the door, or his team with their outdated laptops. This was modern, the staff looked happy, and he noticed many locked screens – surely that drove down efficiency through wasted time entering passwords?

“What has become of my business?” implored Scrooge.

“This is not your business,” replied the man. “Your data was compromised as your team were not trained to look for security threats. You were hacked, all your assets were lost, and all data was leaked.

“You were found wholly negligent, and this firm moved in, took all your clients and built an empire on your rubble, doing everything you didn’t.”

“What became of me?” pleaded Scrooge.

“You were banned from owning or running a business again. You became destitute.”

Scrooge shuddered and found himself back in bed. He had to change his attitude towards technology and protect his team and his business.

He knew what to do. Scrooge bounded into the office. He was going to create and continually improve a cyber security culture through:

  • Employee education and training – be clear about how the training will help the organisation as a whole.
  • Awareness campaigns – start regular cyber security articles, blog posts, a senior manager sending out an email with cyber security tips, advice and reminders, hosting events or webinars about cyber, physical reminders, and talking about cyber in meetings.
  • Drills and simulations - include phishing simulations and monitor the reporting rates of simulations, incident response rehearsals, and physical security social engineering testing.
  • Incentives and recognition - reward positive cyber behaviour. Include competitions to see which team gets the highest compliance rate on training, start a cyber champions scheme, and recognise staff who demonstrate good cyber behaviours.
  • Open dialogue and continual feedback – be transparent and learn from mistakes. If staff have a fear of getting into trouble, they won’t report mistakes. Foster a no blame culture with trust and transparency. Incidents will be reported more quickly, potentially lessening impact and improving security.

By the following Christmas, Scrooge had run regular training activities, included cyber security in on-boarding activity, and started the process to become Cyber Essentials accredited.


Related topics