TECHNOLOGY
campusreview.com.au
Are you the weakest link?
Strengthening your approach to cybersecurity.
By Michael Warnock
Australian schools, colleges and universities are increasingly
targets for cybercriminals. Everything from student accounts
to R&D project information is of value to interested parties.
With these cyber attacks growing in complexity, the education
sector needs to take a more proactive approach to ensure the data
they hold doesn’t fall into the wrong hands. Unfortunately, what most
institutions fail to recognise is that it’s actually their own people who
are often the weakest link in the cybersecurity chain. The good news,
though, is that there are fresh options for increasing cyber awareness
and improving the culture of your organisation.
THE CULTURAL CHANGE OPPORTUNITY
There is a great opportunity for education leaders to rethink their
approach to cyber education and build that into the culture of their
institutions. Cyber education is not something to be done every 12
months with a few questions; it needs to be continuously reinforced.
There are three pieces to cybersecurity resilience: people, process
and technology.
For the past year or two, there has been a big focus on processes
and technology, but unfortunately people still click on things they
shouldn’t. With people being the weakest link, the conversation
needs to be non-technical and presented to the business across all
stakeholders. It also needs to be a key topic of discussion at the board
level, particularly as it’s the board who can fall foul of the law when it
comes to Europe’s General Data Protection Regulation (GDPR) and
our Notifiable Data Breaches (NDB) scheme regulations.
No matter the size of the operation, there is also a risk of personal
information exposure, and the punishment resides at the
business-owner level. However, as we have seen, contractors can also slip
up, causing brand damage. In the SME market, businesses are often
targeted by criminals looking to use ransomware to extort money.
With many people still not believing cybersecurity to be a concern,
there needs to be an all-in approach, which can only be achieved by
changing the organisation’s culture.
• Start by giving people an education tool, which covers good
practices for passwords and phishing, and allows them to consume
it at any time. And make sure they do refresher sessions on a
regular basis, not just once a year. Aura has its own training tool
called CyberWise, an online training module that covers the basics
of cybersecurity as well as practical real-world examples of what
common attack techniques look like.
• Complement that with visual signs such as posters around the
offices to get people talking about the importance of cybersecurity.
• An underutilised resource for cyber education is gamification. An
online gamification approach to security makes cyber more social
and adds to the visual reinforcement around the office to constantly
remind staff that this thing is real.
• The tried and tested workshop can also be good for
communicating to senior management. But make sure you put
war stories in front of them. General staff need some gamification
and an app-driven approach to make the experience fun.
• This may be simple, but put cybersecurity on the agenda. Every
senior management or board meeting should at the very least
address the topic of security and what is being done to ensure the
organisation, and its people, are aware of the risk.
KEEPING UP WITH EVOLVING THREATS
With the right tools and awareness, the culture of an organisation will
change, but to maintain a good standing – and keep up with evolving
threats – it’s important to develop a process for monitoring and
managing your cyber health.
As the old saying goes, if you can’t measure it, you can’t manage it,
so do some testing, such as simulating a cyber attack, then review how
it was handled and make appropriate changes.
For example, by simulating a phishing attack to users before
and after the deployment of a cyber education platform, you can
measure a drop in the success of the fake scam. In my experience,
larger organisations understand this, but SMEs are still struggling due
to lack of budgets or general security discussions.
Getting stakeholders from the organisation to review what’s
happening in cyber and coming up with ideas to improve education
and culture takes time, but making the environment ‘fun’ does have a
direct effect on people’s willingness to learn.
In another good example, a large enterprise highlighted staff
who had done well in cyber in an email newsletter. Proactive rewards
and recognition are good, and your fresh approach should be
rewarding and more ‘carrot than stick’.
You can measure staff participation in a learning management
system, and this should be done as part of an ongoing program. Also,
make sure this information gets pushed out to the wider business.
It is possible to get good culture into other areas of the
organisation, but the owners must share success stories. Ensuring the
benefits are seen all across the business is imperative – there is no
point having two organisational units with lax security as the bad guys
can get in there too.
With new tools and a fresh approach, cybersecurity awareness
should be easy to use and customised, and should deliver the ability to move
education to the front and centre of people’s working life.
As more education bodies transact online, they continue to
passively widen the threat landscape. Better cyber awareness will
make a welcome complement to more training and coursework.
BOOSTING CYBER AWARENESS
If security isn’t top of mind for most people, let’s look at a few ways to
improve awareness and hence bolster resilience.
Michael Warnock is Australia country manager at
Aura Information Security.