02 Nov 2016
" The level of cybersecurity exposure in the media has resulted in people realising security isn’t just something for IT people to worry about any more"
Lee Beyer, NAB Senior Manager, Cyber Safety
So how can organisations, government and the community come together to create a common understanding and clear individual actions? Enter the Security Influence & Trust (SIT) Community, an industry network for cyber security awareness and change professionals.
The SIT Community are experts with the specialist skill set required to execute effective cyber safety programs. In our latest BlueNotes roundtable we sat down with founding members of the SIT Community, including Kate Monckton, Head of Privacy & Security Knowledge Management/Privacy Officer, nbn, Simone Bachmann, Head of Information Security Innovation and Culture, Australia Post, Lee Beyer, Senior Manager, Cyber Safety, NAB and Manuja Wijesekera, Security & Network Lead, Melbourne Cricket Club.
We began by asking why it’s important to act as one voice when promoting cyber safety.
Hardinge: Why are organisations getting involved in the SIT Community?
Bachmann: Because cyber safety is now a life skill! We believe we can make a bigger difference if we take a coordinated approach as an industry and not waste resources duplicating efforts when there is so much to be done.
Raising cybersecurity awareness and skill in all Australians will lead to stronger and more-trusted online experiences as well as more-resilient businesses. This is vital for a more globally competitive Australia.
Monckton: Our community has a shared passion of equipping people with the tools and understanding they need to make good online security decisions – inside their organisations and external to it.
The diverse nature of SIT (both in individuals and organisations) is part of what makes it so valuable.
Templeton: So how have approaches to security awareness changed throughout your career, particularly with the evolution of digital technologies?
The SIT Community’s first Australasian conference dedicated to strengthening the security awareness profession was held in Melbourne on November 10 2016 with over 100 attendees and representation from over 50 organisations including universities and government departments. Support and recognition of the importance of security culture has never been stronger.
You can join the conversation about security influence & trust now on LinkedIn, Facebook and Twitter.
Beyer: I think awareness campaigns are appealing more to self-interest these days because technology is so personal. We carry our lives around with us on our devices, especially on our smart phones.
Awareness campaigns historically highlighted ‘what could go wrong’, which could often appear to be far-fetched. Now the level of cybersecurity hype in the media has resulted in people realising security isn’t just something for IT people to worry about any more.
Hardinge: Ten years ago, security awareness was largely about compliance activities. Compliance is now accepted as a ticket to do business with growing acceptance of the significant role people play in making organisations and the public secure.
Similarly, increasing executive-level support and involvement in programs helps to drive change. And of course, we now have tools which enable real-time learning in an experiential way.
Monckton: The level of investment we’re seeing in dedicated security awareness professionals and teams. If we had tried to start the SIT group seven years ago, I don’t think we’d be anywhere near the size we are now.
Hardinge: Cyberattacks continue to make the headlines – what impact is this having on the security awareness function and your industry?
Wijesekera: The biggest impact is a shift necessitating educating employees whereas previously it was ok to heavily rely on technology to fix all the problems.
One of the biggest cyber security issues facing any company and especially smaller organisations today is ransomware. In these cases, typically, someone has either clicked/opened a malicious link or file from inside the organisation.
Given how popular ransomware is in the news, even smaller organisations are noticing this sort of issue cannot be fixed by technology alone but requires people being cyber smart.
Bachmann: There is commitment from board-level down that awareness is a fundamental cybersecurity discipline – more so than ever before.
There is also a growing understanding when threats hijack household brands (like those of many of the SIT community) it can undermine the trust between our customers and us.
It’s important we help customers stay vigilant of such scams so they can feel confident when interacting with digital services and products. This is a cross-functional business problem and requires efforts across every part of the business.
Templeton: How does the SIT Community help organisations to collaborate on common goals?
Wijesekera: As a small- to medium-sized business who has limited security resources, we found the best way to work with peers was to be part of the security, influence and trust community.
Regardless of organisational size, when it comes to security we all face the same issues. What sets this group apart is they have not only managed to bring together seasoned and passionate awareness experts, but individuals who are more than happy to share their knowledge and expertise with small organisations.
Workshops and webinars organised by SIT have proven to be extremely valuable learning opportunities for small businesses such as ours.
The summit in November 2016 was a unique occasion to learn from and contribute with well recognised industry peers. Resources such as blogs created and run by the members of this group are tools that can assist small businesses when they want to create awareness within their respective organisations.
My recommendation for small businesses is if you care about information security awareness and want to educate your customers, staff and/or contractors, get involved with the SIT community via LinkedIn.
It has never been a better time to work together with your peers to enable a cyber-smart nation.
Beyer: Cyber safety messaging is agnostic – it doesn’t matter who you bank with, have an electricity account with or which phone company you use… It doesn’t matter who you hear the message from, we just want you to hear it!
SIT members share examples of how they’re promoting cybersafety in their businesses.
Beyer: At NAB, we have a network of ‘Cybersecurity Awareness Champions’. These Champions are volunteers from all over the NAB Group, including our international offices, who have a passion for cyber security.
Whether it’s people from our risk area who want to learn more about data security or bankers wanting to help customers recognise the latest suspicious messages, these people are advocates for cybersecurity in their business unit and provide valuable feedback to our central team.
Bachmann: At Australia Post we have an incredible safety culture, and all meetings start with a ‘safety moment’. Teams are now starting to include cybersafety as a part of this, including senior leaders.
Templeton: A key element of our ANZ program is Phishing Fire Drills – the next evolution of emergency preparedness. Phishing simulations are just one way of enabling our staff to experience and learn about phishing in a safe environment.
Wijesekera: As a relatively small business, we use Stay Smart Online, which provides free and valuable security alerts and updates, in our education process with staff. Staff have found this valuable and have been known to share them with their friends and family. We have found it a good way to start a conversation with staff about their own experiences.
Hardinge: What are the challenges facing organisations who want to improve their cyber safety culture?
Templeton: A lot of cybersecurity information out there is based on fear. Fear can be a strong motivator, but only when people really understand how it impacts them personally and what they can easily do about it. There’s work to do in getting to this level of understanding.
We know from various industry reports such as the 2016 Verizon Data Breach Investigation Report that “almost all the breaches (from 2015) are human related”. In short, this means security is more than technology solutions and it really is time to focus on the human. It’s easy to tell if a piece of technology is working – it’s much harder to demonstrate the success of behaviour change programs.
Bachmann: The best motivators to change behaviour are those which are positive, immediate and predictable.
Our focus is to figure out which model works best – fear or reward – so people become safer online.
Templeton: We find the challenge is locating enough of the right people to execute on security awareness. Being a relatively new profession is both a challenge and an opportunity.
It creates a great avenue for improving diversity of thought by introducing a range of disciplines not traditionally thought of when it comes to cyber security, such as behavioural psychology, marketing and communications management.
Our panel agreed on seven tips for smaller organisations or those not quite yet ready for a dedicated security awareness function.
• Don’t reinvent the wheel – maximise the great resources that already exist such as reading the Small Business Guide from Stay Smart Online which provides valuable tips to protect your business, signing up to free security websites like www.cso.com.au for the latest news or blogs such as Rebecca Moonen.
• Subscribe to the free alert service of Stay Smart Online and share relevant updates (not all of them!) with your staff.
• Prioritise your activities – focus on what will make the biggest impact.
• Be transparent and make sure all messages have a clear and achievable action for employees and customers to follow. If they can do something, make it count.
• Make messages personal – protecting our personal lives online has knock-on benefits to protecting organisations.
• Make use of the intelligence your employees and customers give you every day – like reporting suspicious emails. Provide positive reinforcement to ensure they become regular reporters.
• Save the date – 7 February 2017 to join the SIT Community for Safer Internet Day #onemessagemanyvoices
Erica Hardinge is Security Culture and Capability Manager and Craig Templeton is Head of Security Enablement at ANZ
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.