Stronger cyber security defence starts with people and culture
- Posted on October 25, 2021
This article was first published in Cyber Today.
Cybercrime has become a chronic pain for Australian businesses, and the pain is very costly. In its latest annual cyber threat report, the Australian Cyber Security Centre (ACSC) refers to an annual cost as high as $29 billion in Australia. The ACSC also reported receiving an average of one cybercrime report every 10 minutes between July 2019 and June 2020.
To add insult to injury, cybercriminals exploit all possible avenues such as taking advantage of the COVID-19 pandemic with themed scams, online fraud and phishing campaigns. Managing the pain of cyber threats can be a very challenging endeavour, especially during times of operational disruption.
To boost an organisation’s cybersecurity posture, one of the most fundamental and effective layers of defence is to empower and equip every employee to become a security advocate. Cyber security is everybody’s business. In fact, Avanade research reports that executives are evenly divided on whether the bigger threats are coming from inside (51%) or outside (49%) of their organisations. Those inside threats include unintentional actions, lack of operational processes, lack of knowledge or training, and malicious activities.
Avanade advocates three basic steps to start building the foundational layer of an organisation’s cybersecurity defence:
- Fostering a culture of empowerment
Australia is a thriving economy and Australian businesses present an enticing target for scammers and cybercriminals who aim to exploit the personal information of staff, partners, consumers and citizens for financial gain. Phishing continues to be the most prevalent online threat — people getting messages via email or on their phones with offers that are too good to be true. As the saying goes, if it’s too good to be true, then it probably is. To address this, make sure employees have the knowledge and training to identify potential threats and are empowered to speak up when they recognise a suspicious situation.
- Engaging employees through training and refreshers
It is pivotal to keep employees engaged. Regularly scheduled cybersecurity training for new joiners and existing employees keeps information and awareness top of mind. In ongoing security conversations with employees, describe something that has happened recently within the cybersecurity space. Real-life examples make the impact more tangible so employees can understand the seriousness of what cyberattacks can entail.
- Seeking professional advice and support
Many organisations today have experienced a rapid change to their digital landscape and architecture with the deployment of new collaboration and workforce tools. Now is an opportune time for organisations to conduct a risk assessment of their entire digital environment, including their legacy infrastructure and investments. This can be done by partnering with a trusted external service provider to offer an objective view of your security posture and bring in different methodologies as well as deep expertise to augment in-house capabilities.
To complement the above, technology tools can help your employees become more security aware. Some methods we have seen work for organisations include anti-phishing buttons embedded in email applications, anti-phishing tests conducted internally, tagging messages that come from people outside of your organisation, and multi-factor authentication.
In the next 12-18 months, we expect organisations to increasingly shift their attention to how they can renew and position themselves for the future. They will be looking to reinvent their business model to address existing and new opportunities with a stronger, more resilient version of the enterprise. From a cybersecurity perspective, organisations will look to adapt to changing business landscapes and remain compliant – ensuring any changes in models, technology and processes adhere to regulatory and emerging compliance requirements.
This would be an ideal time to implement a new security design, supported by a strong culture of security and shared responsibility where employees are committed to protecting the company, clients, work, data and assets.