End-User Cyber Security responsibility in the workplace


When discussion about cybersecurity in the workplace is talked about they are a tendency to focus on what the business as a whole should be doing to protect their assets and either forget to mention or only partly acknowledges the role of the end-user responsibility and actions in protecting data. If they do it discuss the end-user it is usually about the importance of regular training. Though in some organisations there is a slow move to a culture of awareness and vigilance being instilled into the end-user. This means instead of single individual or part of an organisation being solely responsible for cybersecurity every user regardless of rank or role is responsible for ensuring best cybersecurity practice. This viewpoint is gathering importance as we move to living and working in an always-connected environment of devices and software with the growth of the Internet of Things (IoT), Smart Cities and the continuing growth of Bring Your Own Device (BYOD), flexible working locations and home offices. The question is then how a culture of cybersecurity can be achieved with the end-user owning the responsibility for their actions and awareness when it comes to cybersecurity.

Possible Solutions

The discussion around cybersecurity and the means of data protection have come into the spotlight again due to the arrival of the General Data Protection Regulation (GDPR) and what companies are doing or need to do to guarantee that data is kept safe and has clearly defined rules as to who can access and use that data. Apart from workers in a company can be considered assets to be protected very few solutions regarding GDPR examine the role of the end-user within a workplace. In the UK the government through NCSC have published Cyber Essentials programme as the bare minimum for companies and individuals should follow as best-practise when it comes to cybersecurity. The original 10 Steps covered: network protection; user education and awareness; malware protection; removable media controls; secure configuration; managing user privileges; incident management; monitoring and home/mobile working. These ten steps while ensuring good practice have problems that do not scale well with very small business or very large business and to follow them fully as a single user could lead to an over complication for personal security needs. NCSC has simplified and updated Cyber Essential which better reflects real-world usage and can scale better from a single individual to an organisation with many workers.  These are, Secure your Internet connection; Secure your devices and software; Control access to your data and services; Protect from viruses and other malware; Keep your devices and software up to date. But on the other hand, this simplifaction means unless there is a need to fully understand each point in order to prevent any gaps in the five areas. So cyber essentials are a good place to start but they are not a perfect solution. 

The move to greater Secure by default within software and hardware means it should be harder for malicious actors to gain access to a device or data also often secure by default serves as a good foundation to strengthen cybersecurity. But there is a problem with platforms that are secure by default is that the end-users are able to weaken the security through there actions. For example, the latest version of Apple's Mac OS X is a good example of secure by default (not perfect but adequate for the average user) since the design of its software and how applications are run means it is difficult for malware to successfully take over or infect OS X devices. But it is possible for a user to disable or weaken the security by ignoring the measures built into OS X either to install 3rd party software or download/torrent from unsafe websites. Secure by default is a good place to start but does rely on end-user following the rules to stay effective which can never be guaranteed.

Another option when it comes to cybersecurity is to use software or rules to control or conditioning behaviour of the end-user. For example at its most basic time-limit on social media sites or blocking access to certain type of websites. While this does limit the possibility of the end-user to make bad decisions or weaken security the problem is that this type of method if volunteer would only be used by the people who do need it since they are the type who follow the rules and generally would have good security behaviour anyway so the people who bad security behaviour and do not enjoy following the rules and measures in place will avoid using this method. So this method would have to be made compulsory to be effective. Any implementation of this method would have to be monitored closely because end-user will find gaps in it.


When it comes to end-user cybersecurity responsibility in the workplace there is no silver bullet solution regardless of what some vendors will try and sell. The move towards secure by default from technology companies in general makes things easier but relied on good user behaviour to stay effective. Guidelines like NCSC Cyber Essential encourage good security best practise and in the majority of cases, they are good enough for day to day use. Using tools to control or condition a users behaviour when it comes to cybersecurity while could be considered extreme is probably the only way to protect a bad user from themselves. Overall for cybersecurity measures to stay effective in the workplace the end-user taking responsibility by following NCSC cyber essentials or using tools to control their behaviour has the potential to lead to a better cybersecurity environment within the workplace. Finally, these measures only protect against known attacks they would be ineffective against the unknown unknowns or a very good social engineer.  


Popular posts

Balancing functionality, usability and security in design

Personal Interest - Unbuilt fleets of the Royal Navy

Personal Interest - RAF Unbuilt Projects