In today’s heightened threat landscape users need to be on their guard, but the odd training session won’t ensure cyber safety remains top of mind all of the time.
Feeling increasingly nervous about the risk of cyber compromise and attack? Join the club. Among the many unwelcome events of the year just passed was a sharp surge in illicit cyber activity designed to disrupt and damage.
So much so that, in June 2020, Prime Minister Scott Morrison took the extraordinary step of warning Australian organisations to be on their guard. The government subsequently stepped up its efforts to help the business community strengthen its defences via a $1.67 billion Australian Cyber Security Strategy.
For some large organisations the warnings came too late, or the attacks were too well planned. The past year has seen a roll call of household-name organisations fall victim to cyber attack and data theft, including dairy and beverages giant Lion, Spotless Group, BlueScope Steel and the Department of Foreign Affairs and Trade.
Striking the correct balance between restriction and access is no easy thing in the ‘log on from anywhere’ digital era. The optimal security posture provides maximum protection without impinging unduly on operational efficiency. That’s why more isn’t necessarily better when it comes to your cyber security stack – and why human activity can be ‘make or break’ when it comes to keeping your enterprise safe.
Raising employee awareness
It’s well known that employees can be the weakest link in the cyber security chain – and the strongest. Most enterprises already stage regular or ad hoc cyber security education sessions for their workforces. But will this measure be sufficient to protect against the real and rising threats that will continue to come their way in 2021?
Possibly. Possibly not. One of the greatest limitations of cyber security training is that both companies and participants treat it as a discrete activity. Employees typically down tools for an hour or two, attend a workshop, take a few notes and return to their posts alarmed and alert, at least in the short term.
Six or 12 months later, it’s time to rinse and repeat. In some instances, literally. It’s not uncommon to see businesses reusing the same training materials over and over again; their impact on longstanding employees diminishing at each subsequent airing.
Other organisations provide programs that are too narrowly focused: teaching employees all there is to know about phishing campaigns and how to avoid them, for example, but failing to mention that sending a password in an email is just as risky as clicking on an unverified link.
The power of regular reinforcement
When it comes to cyber security awareness, what we know works best over the long term is frequent and consistent reinforcement across a variety of settings. It is the reason people no longer leave their log-in details on a sticky note taped to their monitor, no longer blithely plug a stray flash drive into a corporate machine, and no longer race to respond when a 'Nigerian prince' emails them an offer that is too good to be true.
Delivering micro-lessons in the moment, and providing employees with the opportunity to learn from their mistakes in a safe setting, ensures cyber security knowledge is absorbed and retained, in a way ‘classroom’ teachings just can’t.
It can help to make cyber-safe behaviours as natural and automatic for employees as closing the windows and locking the car doors when they leave their vehicles.
In today’s increasingly fraught digital landscape, that’s the level of awareness and vigilance all Australian organisations should strive to instil, as they prepare to meet the many challenges 2021 has in store.
Joanne Wong is the vice president, international marketing (APAC & EMEA) at LogRhythm.