Sharper cyber security? It’s cultural

by Michael Warnock, Australia Country Manager, Aura Information Security

Worried your firm’s cyber-security defences aren’t up to scratch and bracing yourself to spend big bucks sharpening them up?

It’s reasonable to be concerned – hacking activity is on the increase and those responsible continue to up the ante with ever-more-clever attempts to infiltrate corporate networks and steal sensitive company and personal data.

Cyber-security investment is set to reach $3.8 billion in Australian in 2018, up 6.5 per cent on the previous year, according to Gartner. Meanwhile, the Australian Cyber Security Centre says the risk to local organisations has never been greater. Its 2017 Threat Report advises that attacks are increasing in frequency, scale, sophistication and severity.

While cyber-protection software has a key role to play in preventing attacks, there’s a lower-tech way in which organisations can improve their defences and show would-be infiltrators the door.

It’s by strengthening what’s often the weakest link in the chain – people. Human error, carelessness and gullibility allow many a hacker to slip through the cordon.

Fostering an awareness culture

Encouraging staff to develop a collective cyber-security mindset can result in a significant proportion of phishing and malware attacks being headed off at the pass. But what does this mindset ‘look like’? It’s when information security is viewed as not just the remit of the boffins in IT but an integral component of every employee’s role.

When this occurs, staff aren’t blasé about the dangers to corporate information assets posed by hackers and phishers. They’re vigilant, involved and aware of the risks and can readily identify hacks or malware before they become problems.

So how can organisations foster a culture whereby the weakest link becomes the strongest?

Here are some ways to do so.

Start at the top

Change starts at the top. It’s an old corporate truism which applies in spades when it comes to information security. Staff won’t begin to take it seriously until senior management show that they intend to – in thought, word and deed. Making cyber-security a boardroom issue is the surest way to ensure it becomes embedded in the culture further down the line.

Incorporating cyber-security into every aspect of operations, from the company vision and mission statements down to HR processes and procedures manuals, is the key to making this happen. Over time the entire team, from high ranking employees down to frontline workers, will come to feel they have a role to play.

Educate and train

People don’t know what they don’t know. Cyber-security training – for everyone from the CEO to the office junior – is the best way to get the whole organisation up to speed. There are good reasons to ensure it’s not a one-off event. The threat landscape changes frequently and conducting sessions regularly keeps staff aware of new developments.

Frequent reinforcement helps raise collective consciousness and running test attacks using a tool such as CyberWise is an innovative way to do so in situ. The program can be used to send phishing emails to staff, to gauge their ability to recognise and respond to them appropriately. Once the results are assessed and the security team has ascertained the number of individuals who ‘took the bait’, an email can be sent to all staff, detailing what occurred and noting the features of the phishing email which should have raised alarm bells. No one is named and shamed and everyone has the opportunity to learn from the experience.

Recognise the warriors

Identifying and rewarding employees with sharp eyes and sound instincts for a scam can be a great way to encourage others to become more vigilant. Those who intercept a phishing or whaling attempt, or alert colleagues to dodgy text messages, could be given a commendation or small token of appreciation and held up as an example for others to emulate.

Raising the profile of your chief cyber-warrior – the information security officer or the individual responsible for the function in your organisation – is also a good move. If security is the business of every employee, then every employee should know who the in-house expert is.

Foster community spirit

Establishing a hub on the company’s intranet or another shared space can help keep cyber-security top of mind. The hub should be a place where security news and updates are posted and insights and observations shared freely among employees. Making the content interesting, fun and accessible will ensure more visits.

The security hub is also a natural home for the company’s privacy and cyber protection policies. Ensuring they’re written in clear and simple terms and include a rationale along with the restrictions will help people appreciate their necessity.

Protection payback

Prevention is better than cure. Putting time and effort into developing a cyber-security culture can augment your investment in tools and technology and see your organisation better placed to withstand attacks when hackers come knocking.

Tags GartnerACSC(Australian Cyber Security Centre)

Show Comments