We work in an always-on, digital world where we are electronically connected every minute of every day. Company reputation and fortune are based on all employees and suppliers maintaining effective security practices. To develop cyber-secure maturity, some simple questions need to be asked, for example:

  1. Do employees adhere to policies and good governance?
  2. Are your online habits at home the same as in the office?
  3. Do we ‘bake-in’ good cybersecurity practices across our business functions?
  4. What cybersecurity culture are your executives demonstrating to employees?

As agreed by most security professionals, humans are the weakest link in the information security chain, hence cybersecurity really is everyone’s responsibility.  

Most organisations experience multiple insider threats each year, so the human element in cybersecurity must never be underestimated: good cyber-awareness is often the most effective way to reduce the number and ferocity of cyber-attacks. With a sound cyber-awareness program in place, the integrity of sensitive corporate information can be better maintained.

Therefore, a holistic cybersecurity awareness program at every level of the organisation is required, to effectively mitigate risks relating to cyber-attacks.

The Executive:

At the executive level there should be standing security items that are actively discussed at every regular meeting. The executives' endorsement of cybersecurity initiatives is paramount to a successful cybersecurity program, in turn reducing both the number and the severity of cyber-risks.

Across the Business:

Various essential functions across the business have their own roles to play, like:

  • Human Resources: Are adequate background checks in place when employing new staff? Is cyber awareness training included as part of the induction process?
  • Technology: Does the technology team have security-related information at hand in a timely manner? For example, awareness of current threats and vulnerabilities, or a SIEM (Security Information and Event Management) solution for timely analytics.
  • Legal: Are they actively involved with security incidents when required?

Every Employee:

It is personal!  

Often employee online security behaviours at home can determine how we operate in the work environment. Hence considerable effort in the workplace is required to educate and raise awareness on cybersecurity, for example:

  • keep an eye out for suspicious behaviours of co-workers and have an anonymous reporting mechanism.
  • consider offering employees discounted anti-virus / firewall software for home use.
  • don’t share your passwords, and enforce a change every few months.
  • ensure personal passwords are not used in the workplace.
  • don’t use the same passwords for multiple applications or online accounts.
  • educate employees on which websites are acceptable to visit and which should be avoided.
  • use due diligence online when opening emails, clicking on links or downloading attachments.
  • run continual simulated email phishing campaigns, with employees obliged to report suspect messages to the technology team.
  • have an ‘it is personal’ cybersecurity awareness campaign so employees become aware of what they can do and what to avoid.

A conversation with your cybersecurity staff or consultant can enhance your cyber-awareness footprint; the first step is educating your executive to sponsor a cyber-awareness program, in order to protect your digital online assets.

Tim Rippon
Tim Rippon is the founder and director of elasticus, advising Australian-based executives on how to best manage cybersecurity, disaster recovery and business continuity before a major disaster or crisis occurs. He holds a certified Master of Information Security (ISO 27001), certified Master of Business Continuity (ISO 22301) and Lead Cyber Security Manager (ISO 27032) from PECB. Tim can be contacted via mobile 0417 036 026.