When organizations consider cyber security, they usually focus most of their attention on technology, partly because that is what the market pushes them towards. In my view, however, 50% of cyber security is cultural, 30% process and just 20% technology.
Cyber security is an arms race and the boards of all organizations need to take it seriously. Frankly, if it isn't one of the key items on a board's risk register, that board is asleep at the wheel. But many of the right responses on culture and process are neither new, nor are they particular to cyber security.
On culture, the insider threat has long been a problem for organizational security. British government posters during the Second World War reminded citizens that 'Careless talk costs lives', with one 1940 Ministry of Information poster also having someone telling a friend 'Don't forget that walls have ears!' in front of wallpaper patterned with Adolf Hitler's face.
But 'careless talk' is now something that millions of people indulge in, assuming that they can share everything through social media. While some may be put off by recent coverage of how their data is used, many people are in the habit of sharing their personal and professional lives online by default.
To help tackle this, organizations need education - not just about cyber threats such as phishing, but more broadly about how you treat any form of information sharing or access. It might not matter if an employee posts a picture of themselves online, but it might matter very much if it includes a screen showing sensitive information or a sticky note with a password. Educating people on this is not just about cyber security but how you treat any form of information sharing or access.