SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
LogRhythm: Foster a culture of cybersecurity awareness
Fri, 1st Feb 2019
FYI, this story is more than a year old

Cybersecurity is no longer a ‘nice to have'; it's essential.

In a world where threats are becoming ever more common, organisations across all industries must be proactive about preserving the integrity of their systems and data.

Most Australian companies of size have an in-house cybersecurity team and a range of vendors dedicated to the task.

According to Gartner, their collective protection bill was set to hit $3.8 billion in 2019; up 6.5% on the previous year's spend.

It's a significant investment and a prudent one but it's not the whole answer to the risks posed by hackers and cyber-criminals – which are real and rising.

While the latest cybersecurity technologies can help to detect nefarious activity and contain and neutralise threats promptly, they don't render organisations immune to compromise.

Those that don't embed cybersecurity awareness in their corporate culture are leaving themselves open to risks that technology alone may not necessarily be able to identify or contain.

This is particularly the case if workforces are remote or highly mobile, which is the case in a growing number of Australian organisations.

According to 2018 research by the International Workplace Group, almost 50% of Australian employees spend at least half the week working remotely.

More than two-thirds work at least one day a week outside the office.

It's challenging, if not well-nigh impossible, for security professionals to police the perimeter effectively when employees are toiling from hotels, public spaces and home, and using their own devices and external wifi networks to access internal documents and systems.

Culture counts

According to the Australian Cyber Security Centre, the danger to local organisations has never been greater.

Its 2017 Threat Report advises that attacks are increasing in frequency, scale, sophistication and severity.

Embedding security awareness in employees is a low-tech way to lower the everyday risk posed by the human element.

Social engineering attempts are less likely to be successful if staff are taught to consider the security implications of responding to unusual emails and to think twice before clicking on links without attempting to validate their authenticity.

Other lax practices which can endanger an organisation include the transfer of data to portable storage devices and the uploading of sensitive documents to private cloud storage.

A culture where careless acts like these are eschewed and caution and vigilance are encouraged and rewarded can reduce the risk significantly.

That doesn't mean fostering an atmosphere of suspicion in which staff feel obliged to police their colleagues and watch their own backs.

What's needed is a collective commitment to work together to keep company systems as safe as possible.

How to build a healthy culture

So how can organisations go about fostering this culture and commitment?

It begins with awareness – and that begins with training.

Not once or twice but continually, for all employees who have access to corporate and customer data and the internet.

Introducing cybersecurity training as part of the onboarding process for new hires and holding regular refreshers, for everyone from the CEO to frontline staff, creates the awareness that can foil opportunistic phishing attempts and social engineering attacks.

Making training sessions interesting and engaging will up the odds of the messages sticking.

An element of friendly competition – via gamification or an awards program for cybersecurity ‘champions' who flag and share security threats – can encourage staff to stay alert to scams and security slip-ups.

It can also be helpful to create an information hub where security protocols and tips can be posted and employees can share experiences and questions.

Keeping threats at bay

The threat posed by hackers and cyber criminals is real and rising and the fallout from a successful attack or a major data breach can be damaging and very expensive.

A 2018 Cyber Security Review led by the Department of the Prime Minister and Cabinet found cyber crime is costing the Australian economy up to $1 billion annually, in direct costs alone.

The resultant report noted the country's attractiveness as a target for serious and organised crime syndicates, courtesy of our nation's relative wealth and high use of technology.

Organisations which have their core systems infiltrated or their customer data compromised or stolen can face significant business disruption, along with economic and reputational loss.

Those that foster a culture where employees are alert to the dangers and mindful of the way they engage with systems and handle data stand a better chance of keeping threats at bay.