Five ways to defend against cyber attacks with your people
When talking about cyber security, we often focus on the technical. However, the people aspect of security is just as important. Organisations need to make a cultural shift and position security as an integral part of the overall business so that every employee recognises it as a risk they need to manage.
Here are five ways organisations can instil a stronger awareness of security among their employees.
1. Have frequent conversations on cyber risks with different parts of the business
Executives should have regular conversations with board members about the security of information, what they know about their data and how they’re managing it. Every part of the business should be asking: “What’s our security risk? What are we doing with all this data? Who’s looking after the data?”
When products and solutions are presented to the executive team or when business units come up with risk profiles that omit security, both the business teams and the executives should ask why.
2. Embed an information security team into the product development and digital teams
At Australia Post, we embed a security team within a product development team to set guiding principles with the business upfront. The whole team agrees on how they will manage data, the value proposition and what customers will be happy with.
Undertaking that exercise even before the product build will garner buy-in from the whole team and will lead to design decisions that prioritise the customer experience and security. This approach can also help ensure that every decision adheres to security guidelines.
The broader team should include people from human resources, marketing, legal and procurement, who equally need to have high awareness of security. For instance, human resources needs to recruit security-conscious people and procurement needs to ensure that third-party suppliers are aware of their security obligations.
3. Continually evolve cyber security training for all employees
Phishing emails, which are responsible for a majority of security breaches in organisations, exploit people’s fight-or-flight response by telling them that they’re behind on their tax or that someone has hacked into their account. To counter this, organisations need to train employees to resist the instinct to respond immediately and ‘fix the problem’.
4. Position trust and security as a value proposition
Security shouldn’t be viewed as just part of a compliance checklist. It’s a key factor in establishing trust with customers and employees, and should be treated as an organisation’s value proposition.
5. Make security a life skill
Security doesn’t just affect businesses. It also affects individuals and families. People need to be educated about the risks and how to protect their own information and their children’s information online. If they practise protecting their personal information while they’re at home, they’re likely to bring that mindset into the workplace too.