Activating our human firewall during Covid and beyond

29 Jul 2021 12:24 PM

Blog posted by: , 27 July 2021 – Categories: security culture.

My name is Dawn Carrington, and I am Security Culture Change Lead in the Digital and Technology team.

For as long as I can remember I’ve wanted to do work that makes a positive impact in people’s lives. At the MoJ my role is essentially to activate our human firewall, by reinforcing positive security behaviours in our workforce. This helps to ensure the sensitive data we manage on behalf of the vulnerable people we serve doesn’t get into the wrong hands, and to keep ourselves and our colleagues safe.

Soon after I joined, the entire organisation was thrust into Covid lockdown, meaning online remote working quickly became the ‘new norm’. Like most organisations, this new way of working meant a change in our threat landscape, and security culture.

A security culture can be defined as "shared values and beliefs that interact with an organisation's structures and control systems to produce behavioural norms". It requires regular care from the top down, as it is not something that grows in a positive way by itself. An organisation’s leaders need to invest in it.

During the lockdown we’ve made the most of existing technologies and controls, using them in new ways, to enable those working from home to do so securely. We’ve produced a range of new good practise guidance on remote working. However, it's people who can make or break security.

What have we been doing

The changes brought about by Covid are profound, and the impact is similar for any organisation.

At the MoJ we’re implementing CPNI’s 5 E’s model to reinforce strong security behaviours in our people. To date we’ve delivered a wide range of interventions to increase positive behaviours, including:

Equally as important, we’ve launched a one-stop email address for security-related enquiries and incident reporting, which encourages more conversations earlier on about security.

What’s next?

It is vital that every organisation instils the concept that security belongs to everyone and reinforces positive security behaviours. At the MoJ, next, we’ll be:

As we continue to deliver the Security Culture Programme we’ll be looking for opportunities to celebrate our successes and to reward and recognise those who do the right thing.

Alongside this, we are working hard to enable good behaviours and avoid a ‘blame’ culture, recognising our users are the strongest link in our security story. It's important to create an environment where people feel safe to report incidents; the sooner we know, the sooner we can help.

Eighteen months of remote working has fundamentally changed the way that government, its employees, and crucially the flow of information around and between systems takes place.

The technology hasn't changed however the way people use it has and might now be working in a hybrid way. Every organisation on the planet must now address the cultural implications of this 'new norm’.