https://civilservice.blog.gov.uk/2015/10/06/cyber-security-is-everyones-responsibility/

Cyber security is everyone’s responsibility

10 steps to cyber security

It’s no surprise to say that we have become a technology-reliant culture. Every organisation – whether operating in the public or the private sector – relies on technology in some way or another as part of its processes. As a result, keeping this information secure has become a focal point for organisations.

It’s important to understand that cyber security is not like “normal” security. There is no single gatekeeper whose role is to keep our systems safe. The responsibility belongs to everyone in an organisation, but it is down to those in leadership positions to stress the importance of cyber security to other employees and to develop a strategy tailored to the risks each organisation faces.

How much information do you share?

A large part of avoiding cyber attacks comes down to awareness. Are you aware of how much information you are already sharing publicly, and of how that information can make you vulnerable? Are you aware of how your own behaviour can affect the wider organisation?

Many of us already share information on social media, whether through public Facebook pages, Twitter profiles and tweets, LinkedIn accounts, or any number of other websites. While at first this may not seem like much of a problem, it can make you more vulnerable to cyber attacks.

Take the (fictional) example of Jane Smith, who spoke at a conference recently and announced her company’s partnership with the NHS to provide a new service to clinicians. Jane tweeted about the conference and about her announcement. She also tweeted about some other news announcements made that day.

The next day Jane received an email from a journalist who said he had been at the conference but had been unable to speak to her because he was busy with another announcement, one Jane had also tweeted about. He asked her to email him answers to a few questions, which he had attached. The journalist claims to be from a well-known national publication, and Jane has no reason to believe the request is anything other than legitimate, so she opens the attachment, reads the questions, types up a response and sends it on.

This seemingly innocent situation may be just that: a great opportunity to publicise the department’s work. Alternatively, it may have been one of an increasing number of cyber attacks aimed at individuals, in this case a “spear-phishing” attack. These are carefully crafted emails that make use of a person’s own information, often harvested from social media and websites. The purpose is to make the email entirely believable so that the target clicks on the links or opens the attachments it contains.

Those links and attachments typically download malware, malicious software that might be designed to hand control of your computer to the attacker, allowing them to reach your organisation’s wider computing infrastructure or to read sensitive information held on your computer. It might also be ransomware, which encrypts your computer’s data files so that they become unusable unless you hand over payment in return for unlocking them. These are just two of the attack types that security specialists see every day.

Of course, the answer here isn’t to stop employees from using the internet and email, nor is it a suggestion to use less technology. The example simply illustrates what can happen when Jane doesn’t appreciate the risks or give some thought to the kind of precautions she should take.

Vigilance and awareness

Senior managers also need to prioritise cyber security: leadership is one of the fundamental measures for ensuring it. People at the top of an organisation need to communicate the importance of keeping the organisation secure and create a culture of security awareness. They must draw attention to the need for vigilance and awareness, asking people to think about the personal information they share, the “digital footprint” that everyone now has.

Leaders must also drive culture change, encouraging the organisation to think about security and risk and discouraging complacency and belief in security absolutes. They need to acknowledge that cyber attacks will happen frequently and that attackers will occasionally succeed, so leadership is needed to prepare for and respond to such events, including support for investment in the measures necessary to reduce both the chance of succumbing to an attack and its impact. When you consider that over 80% of large corporations and 60% of small businesses reported suffering a cyber breach in 2014 (according to last year’s information security breaches survey from the Department for Business, Innovation & Skills), and that the average cost of each incident is over a million pounds, such investment seems a small price to pay.

10 comments

  1. Comment by Mike Smith posted on

    Nobody could argue with the need for security, and people often don't take it seriously enough at home either, but the reaction to recent incidents means I can no longer access some excellent websites recommended by Civil Service Learning. A bit of overkill perhaps?!
    In HMCTS we are lumbered with McAfee which takes up far too much memory (3 times as much for instance as MS Excel) which means I regularly cannot do my job (crunching lots of data using Excel as it happens) or it takes days to do what should take hours because I have run out of memory. This is partly due to our hopelessly inadequate hardware but surely we could stay secure without using bloatware like McAfee?

  2. Comment by Carla posted on

    so what should Jane have done?

  3. Comment by Martyn Timmis posted on

    I signed up to an OU course (FutureLearn) 6 weeks ago called 'An Introduction to Cyber Security'. I have 2 weeks left. It is very easy to get complacent about cyber security - "it won't happen to me" - what I have learned so far on the course almost makes you want to stop all computer use. But, I shall continue because computers won't go away. Just be super vigilant, always report anything unusual to your department's IT security officer. Strengthen your passwords (this applies as much at home too) and if it looks too good to be true, it is!

  4. Comment by Neil Robertson posted on

    Like Carla - I would like to see what the "correct" procedure is.
    It seems many experts are good at dreaming up hypothetical bad scenarios but are all too frequently unable to provide good advice. This needs to change for staff and colleagues to take pieces like this seriously or it becomes "oh here we go again, another scare story".

  5. Comment by Edward Nowden posted on

    Jane should have spotted the suspicious email and not opened the attachment. If it was really from someone from a national newspaper, the email header would have told her that. Good practice is always to check out a journalist before you write back to them (have they been critical of your organisation in the past, for example?) - this simple check would have revealed whether the journo was genuine or not.

  6. Comment by Richard posted on

    "the email header would have told her that..."
    No. Please don't rely on email headers!
    Most email software allows the user to choose what displays on the recipient's screen.
    Just like the old game of changing the sender message on a fax machine.....
    The only way to see where an email actually originates is in the 'internet header' or 'long header detail' - these do not usually display as most of the time a user is not interested in that level of detail.
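
An added worked illustration of the point made in Richard's comment above (example code, not part of the original post or its comments): the displayed From line is whatever the sender typed, whereas the Return-Path, Reply-To and Received lines in the full header say where bounces and replies actually go and which host handed the message to your own mail exchanger. The two messages are constructed for this example; every domain, host name and address in them is a placeholder, and `jane-dept.example` is assumed to be the domain of Jane's own organisation.

```python
"""Check an email's full ('internet') header rather than its displayed sender.

Added example, not from the original post. Both messages are constructed
and every domain/host/address is a placeholder.
"""
import email
import email.utils
import re

# Constructed phishing-style message: From claims a national newspaper, but
# bounces, replies and the relay that connected to our MX all point elsewhere.
PHISH_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.jane-dept.example (mx.jane-dept.example [192.0.2.10])
\tby inbox.jane-dept.example with ESMTP id abc123;
\tWed, 7 Oct 2015 09:15:02 +0100
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.5])
\tby mx.jane-dept.example with ESMTP id def456;
\tWed, 7 Oct 2015 09:15:01 +0100
Received: from [10.0.0.7] (unknown [198.51.100.77])
\tby mail-relay.example.net with ESMTPSA id ghi789;
\tWed, 7 Oct 2015 09:14:58 +0100
From: "Sam Jones (National Daily)" <sam.jones@nationaldaily.example>
Reply-To: <sam.jones.press@mail-relay.example.net>
To: jane.smith@jane-dept.example
Subject: Follow-up questions from yesterday's conference

Hi Jane, sorry I missed you yesterday. Questions attached.
"""

# Constructed legitimate message for comparison: everything lines up.
LEGIT_MESSAGE = b"""\
Return-Path: <sam.jones@nationaldaily.example>
Received: from mail.nationaldaily.example (mail.nationaldaily.example [198.51.100.20])
\tby mx.jane-dept.example with ESMTP id jkl012;
\tWed, 7 Oct 2015 09:20:00 +0100
From: "Sam Jones" <sam.jones@nationaldaily.example>
To: jane.smith@jane-dept.example
Subject: Follow-up questions

Hi Jane, a couple of questions below.
"""

# 'from <host> (<info>) by <host>' as most relays write it in Received lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<frm>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def first_external_hop(msg, our_domain):
    """Host that handed the message to the first relay we operate.

    Relays prepend Received lines, so the top one is newest. Lines below
    the one written by our own MX come from other people's servers and can
    be forged; the 'from' host in our MX's own line is what really
    connected to us, so it is the most trustworthy origin in the header.
    """
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        from_host = m.group("frm").strip("[];,").lower()
        by_host = m.group("by").strip(";,").lower()
        if by_host.endswith(our_domain) and not from_host.endswith(our_domain):
            return from_host
    return None


def assess(raw: bytes, our_domain: str) -> dict:
    """Compare what the user sees (From) with where mail actually flows."""
    msg = email.message_from_bytes(raw)
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    _, return_path = email.utils.parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    handoff = first_external_hop(msg, our_domain)

    findings = []
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"replies go to {domain_of(reply_to)}, not {from_domain}")
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"bounces go to {domain_of(return_path)}, not {from_domain}")
    # Legitimate senders do use third-party relays, so this is a prompt to
    # verify out of band (phone the newsdesk), not proof of spoofing.
    if handoff and not handoff.endswith(from_domain):
        findings.append(f"handed to our MX by {handoff}, not a {from_domain} host")
    return {"from_name": from_name, "from_addr": from_addr, "reply_to": reply_to,
            "return_path": return_path, "handoff": handoff, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = assess(raw, "jane-dept.example")
        print(label, result["from_addr"], "via", result["handoff"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed phishing message it reports three mismatches (replies, bounces and the connecting relay all outside the claimed newspaper's domain); against the legitimate one it reports none. Most mail clients expose the full header under "view source", "show original" or similar.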

  7. Comment by Nasir posted on

    Jane should have also checked with her Policy and/or Communication department!

  8. Comment by Dave posted on

    I do not feel I have learned anything useful from this article. To present an example of a threat without giving any advice about how to spot it and what to do about it seems like a wasted opportunity.

  9. Comment by Anthony posted on

    Jane should have used good old fashioned pen & paper & written to the journalist.

  10. Comment by Jo posted on

    Agree with Dave on this one... we are encouraged to read these articles but feel I have wasted my time. All too often we are given bad examples not to follow but very rarely good examples to follow.