Cyber security a shared responsibility

The “year of the hack” — it’s a phrase we’ve heard constantly in the media and IT industry for the past few years. Each year outweighs the previous in the number of attacks and cybersecurity incidents, with our research estimating that more than 1 percent of Australia’s GDP, or approximately $17 billion, is lost from our economy each year due to cybercrime.

The alarming reality is that this is going to be the status quo from here on in, as we connect more devices than ever before (Cisco has predicted over 500 billion by 2020), use more cloud services, cryptocurrency becomes more popular and greater amounts of personal identification information and financial details are entered into applications on our devices.

This new frontier in how we secure ourselves, personally and professionally, means it is crucial we all develop greater basic cybersecurity skills and build a fundamental awareness of cybersecurity trends.

For many organisations, cybersecurity accountability is entirely on the shoulders of the IT department, which no longer cuts it.

Similar to a water network, where the focus is on the entire system, not just the water being secured in a dam, we all need to take responsibility when it comes to maintaining cybersecurity in our place of work.

Now that cybersecurity has board-level focus (if it’s not already for your business it fast needs to be), frontline employees play a significant role in protecting the organisation that employs them. This means whether you are a doctor, lawyer, teacher, researcher or salesperson, it’s now your responsibility to be secure in the way you carry out your job and not rely on the “IT geeks” in the backroom to keep you safe.

Last Thursday, Australia’s mandatory breach notification laws, under the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, came into effect and as a result, security requires greater attention from the broader employee base.

Each of us holds a certain amount of “customer data”, which is extremely valuable to those we gather it from. Whether your job function resides in frontline services, such as a teacher or doctor, in a marketing department, sales team or in administration — all of us possess data that is an attractive asset for cybercriminals.

In the IT and cybersecurity industry, we often talk about a company’s security “posture”, which is essentially the proficiency and provisions in place that protect that organisation from cyber threats.

This extends beyond the technology and IT solutions that protect your organisation — such as firewalls, VPNs, threat detection, spam filters and virus scans.

Posture extends to each employee, as we all connect to our organisation’s network, open emails on a work device, both at the office and at home, and share data within or outside our organisation. Which is why organisations, including Cisco, test employees by sending “dummy” phishing-style emails to help teach them to discern what is legitimate and what may be malicious.

Business has been increasingly forced to understand and respond to cybersecurity threats over the past few years, with ever-increasing investment, now in the billions of dollars, to improve cybersecurity protection. This includes a war for talent for skilled cybersecurity experts and risk professionals who can interpret the business impact of cyber issues.

Against that backdrop, the risk of the weakest link across the user base must be addressed — that is the “leaky tap” or “water main” ready to burst.

Strategies to reduce this risk include updating data privacy policies (including encrypting data), increasing compliance measures and educating employees to always utilise company-approved technology.

This also means avoiding using “shadow IT” or engaging in shadow IT behaviours — for example, downloading work files on to a personal computer via a cloud application that is not encrypted or sending work projects to personal email accounts.

Every employee must treat cybersecurity like physical security, just as when you leave each day for work you probably do not leave your street-facing doors or windows unlocked.

The same expectations apply when it comes to complying with your organisation’s security policies, regardless of your technological proficiency, because insecure actions or “unlocked windows” become the access point for those wanting to steal what you value.

Just as individuals need to consider their contribution to an organisation’s security posture, the business from the board down, inside and outside IT departments, including line managers, must consider the security culture and adoption for their specific function.

Rather than decrying “another thing to worry about”, position cybersecurity as a potential differentiator in customer service and digital capability.

At the firm level, robust and secure cybersecurity policy is a competitive advantage for your business.

Confidence in your cyber policies and practices enables acceleration of your digital transformation efforts and possible differentiation against the laggards in your industry, who might just be your direct competitors.

My advice for business people is to listen to your cyber experts, prioritise this as an important focus area for all employees, and treat your customer data like your own.

 

from the Australian Business Review
