Security Influence & Trust: How Business, Government & the community can collaborate to raise cyber security awareness
The following Q&A features an important discussion on how organisations, government and the community can come together to build a network and raise cyber security awareness. The information security experts in the discussion below are part of a Security Influence and Trust (SIT) community working to tackle just this. Featured in the discussion below: Lee Beyer, Senior Manager, Cyber Safety, NAB; Kate Monckton from the NBN; Simone Bachmann from Australia Post; Mannie Wijesekera from the Melbourne Cricket Club; and Craig Templeton and Erica Hardinge from the Security Enablement team at ANZ.
We began by asking why it’s important to act as one voice when promoting cyber safety.
Hardinge: Why are organisations getting involved in the SIT Community?
Bachmann: Because cyber safety is now a life skill! We believe we can make a bigger difference if we take a coordinated approach as an industry and not waste resources duplicating efforts when there is so much to be done.
Raising cybersecurity awareness and skill in all Australians will lead to a stronger and more-trusted online experience as well as more-resilient businesses. This is vital for a more globally competitive Australia.
Monckton: Our community has a shared passion of equipping people with the tools and understanding they need to make good online security decisions – inside their organisations and external to it.
The diverse nature of SIT (both in individuals and organisations) is part of what makes it so valuable.
Templeton: So how have approaches to security awareness changed throughout your career, particularly with the evolution of digital technologies?
Beyer: I think awareness campaigns are appealing more to self-interest these days because technology is so personal. We carry our lives around with us on our devices, especially on our smart phones.
Awareness campaigns historically highlighted ‘what could go wrong’, which could often appear to be far-fetched. Now the level of cyber security exposure in the media has resulted in people realising security isn’t just something for IT people to worry about any more.
Hardinge: Ten years ago, security awareness was largely about compliance activities. Compliance is now accepted as a ticket to do business with growing acceptance of the significant role people play in making organisations and the public secure.
Similarly, increasing executive-level support and involvement in programs helps to drive change. And of course, we now have tools which enable real-time learning in an experiential way.
Monckton: The level of investment we’re seeing in dedicated security awareness professionals and teams. If we had tried to start the SIT group seven years ago, I don’t think we’d be anywhere near the size we are now.
Hardinge: Cyberattacks continue to make the headlines – what impact is this having on the security awareness function and your industry?
Wijesekera: The biggest impact is a shift necessitating educating employees whereas previously it was ok to heavily rely on technology to fix all the problems.
One of the biggest cyber security issues facing any company and especially smaller organisations today is ransomware. In these cases, typically, someone has either clicked/opened a malicious link or file from inside the organisation.
Given how popular ransomware is in the news, even smaller organisations are noticing this sort of issue cannot be fixed by technology alone but requires people being cyber smart.
Bachmann: There is commitment from board-level down that awareness is a fundamental cyber security discipline – more so than ever before.
There is also a growing understanding when threats hijack household brands (like those of many of the SIT community) it can undermine the trust between our customers and us.
It’s important we help customers stay vigilant of such scams so they can feel confident when interacting with digital services and products. This is a cross-functional business problem and requires efforts across every part of the business.
Templeton: How does the SIT Community help organisations to collaborate on common goals?
Wijesekera: As a small- to medium-sized business who has limited security resources, we found the best way to work with peers was to be part of the security, influence and trust community.
Regardless of organisational size, when it comes to security we all face the same issues. What sets this group apart is they have not only managed to bring together seasoned and passionate awareness experts, but individuals who are more than happy to share their knowledge and expertise with small organisations.
Workshops and webinars organised by SIT have proven to be extremely valuable learning opportunities for small businesses such as ours.
My recommendation for small businesses is, if you care about information security awareness and want to educate your customers, staff and/or contractors, get involved with the SIT community via LinkedIn.
It has never been a better time to work together with your peers to enable a cyber-smart nation.
Beyer: Cyber safety messaging is agnostic – it doesn’t matter who you bank with, have an electricity account with or which phone company you use… It doesn’t matter who you hear the message from, we just want you to hear it!
Closer to home
SIT members share examples of how they’re promoting cyber safety in their businesses.
Beyer: At NAB, we have a network of ‘Cybersecurity Awareness Champions’. These Champions are volunteers from all over the NAB Group, including our international offices, who have a passion for cyber security.
Whether it’s people from our risk area who want to learn more about data security or bankers wanting to help customers recognise the latest suspicious messages, these people are advocates for cyber security in their business unit and provide valuable feedback to our central team.
Bachmann: At Australia Post we have an incredible safety culture, and all meetings start with a ‘safety moment’. Teams are now starting to include cyber safety as a part of this, including senior leaders.
Templeton: A key element of our ANZ program is Phishing Fire Drills – the next evolution of emergency preparedness. Phishing simulations are just one way of enabling our staff to experience and learn about phishing in a safe environment.
Wijesekera: As a relatively small business, we link MCC staff in to Stay Smart Online which provides free and valuable security alerts and updates.
Staff have been known to share these around the business as well as with their friends and family.
Hardinge: What are the challenges facing organisations who want to improve their cyber safety culture?
Templeton: A lot of cybersecurity information out there is based on fear. Fear can be a strong motivator, but only when people really understand how it impacts them personally and what they can easily do about it. There’s work to do in getting to this level of understanding.
We know from various industry reports such as 2016 Verizon Data Breach Investigation Report that “almost all the breaches (from 2015) are human related”. In short, this means security is more than technology solutions and it really is time to focus on the human. It’s easy to tell if a piece of technology is working – it’s much harder to demonstrate the success of behaviour change programs.
Bachmann: The best motivators to change behaviour are those which are positive, immediate and predictable.
Our focus is to figure out which model works best – fear or reward – so people become safer online.
Templeton: We find the challenge is locating enough of the right people to execute on security awareness. Being a relatively new profession is both a challenge and an opportunity.
It creates a great avenue for improving diversity of thought by introducing a range of disciplines not traditionally thought of when it comes to cyber security, such as behavioural psychology, marketing and communications management.
Seven cyber safety tips for SMEs
Our panel agreed on seven tips for smaller organisations or those not quite yet ready for a dedicated security awareness function.
- Don’t reinvent the wheel – maximise the great resources that already exist, such as reading the Small Business Guide from Stay Smart Online; it provides valuable tips to protect your business.
- Subscribe to the free alert service of Stay Smart Online and share relevant updates (not all of them!) with your staff.
- Prioritise your activities – focus on what will make the biggest impact.
- Make sure all messages have a clear and achievable action for employees and customers to follow. If they can do something, make it count.
- Make messages personal – protecting our personal lives online has knock-on benefits to protecting organisations.
- Sign up to free security websites like www.cso.com.au for the latest news, or blogs such as Rebecca Moonen’s.
- Make use of the intelligence your employees and customers give you every day – like reporting suspicious emails. Provide positive reinforcement to ensure they become regular reporters.