As we approach the middle of 2019, education institutions the world over are no doubt bracing for a busy year of learning, set against an ever-increasing number of cyber-attacks. For many, the natural defence mechanism is to deploy new technology and create better processes. Unfortunately, what most fail to recognise is that it is actually their people who are often the weakest link in the cybersecurity chain.
Let’s face it, most people only really care about cybersecurity when they are a victim of an attack. And by then it can be too little, too late. The good news is there are fresh options to increase cyber awareness and improve the culture of the organisation.
Australian schools, colleges and universities have become a target for cybercriminals. Everything from student account fraud to siphoning R&D project information holds value to interested parties.
With cyber-attacks growing in terms of both frequency and complexity, it’s becoming increasingly important that the education sector takes a more proactive approach to ensuring the data they hold doesn’t fall into the wrong hands.
The cultural change opportunity
There is a great opportunity for education industry leaders to rethink their approach to cyber education and build it into the culture of the institution. Cyber education is not something people should do once every 12 months by answering a few questions; it needs to be continuously reinforced.
There are three pieces to cybersecurity resilience: people, process and technology. For the past 12 to 24 months there has been a big focus on processes and technology, but unfortunately people still click on things they shouldn’t.
With people being the weakest link in the cyber chain, the conversation needs to be non-technical and presented to the business across all stakeholders. It also needs to be a key topic of discussion at the board level, particularly as it’s the board who can fall foul of the law when it comes to Europe’s General Data Protection Regulation (GDPR) and our Notifiable Data Breaches (NDB) scheme regulations.
No matter the size of the operation, there is also a risk of personal information exposure, and the penalties land on the business owner. However, as we have seen, contractors can also slip up, causing brand damage. In the SME market, businesses are often targeted by cybercriminals looking to use ransomware to extort money.
With many people still not believing cybersecurity to be a concern, there needs to be an all-in approach which can only be achieved by changing the organisation’s culture.
Raising the profile of cyber awareness
If security isn’t top of mind for most people, let’s look at a few ways to improve awareness and hence bolster resilience.
- Start by giving people an education tool that covers good practices for passwords and phishing, and that they can consume at any time. Make sure they do refresher sessions on a regular basis, not just once a year. Aura has its own training tool called CyberWise, an online training module that covers the basics of cybersecurity as well as practical real-world examples of what common attack techniques look like.
- Complement that with visual signs such as posters around the offices to get people talking about the importance of cybersecurity.
- An underutilised resource for cyber education is gamification. An online gamification approach to security makes cyber more social and adds to the visual reinforcement around the office to constantly remind staff that this thing is real.
- The tried and tested workshop can also be good for communicating with senior management, but make sure you put war stories in front of them. General staff need a gamified, app-driven approach that makes the experience fun, as opposed to going into a room, listening to presentations and then working out where to go from there.
- This may be simple, but put cybersecurity on the agenda. Every senior management or board meeting should at the very least address the topic of security and what is being done to ensure the organisation, and its people, are aware of the risk.
Keeping up with the dos and don’ts
With the right tools and awareness the culture of an organisation will change, but to maintain a good standing – and keep up with evolving threats – it’s important to develop a process for monitoring and managing your cyber health.
As the old saying goes, if you can't measure it, you can't manage it. So do some testing, such as simulating a cyber-attack, then review how it was handled and make appropriate changes.
For example, by running a simulated phishing campaign against users before and after the deployment of a cyber education platform, you can measure the drop in the success rate of the fake scam. In my experience larger organisations understand this, but SMEs are still struggling due to a lack of budget or of general security discussion.
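As an added example (not code from the article or from Aura), here is how that before-and-after measurement can be computed from a simulation event log; the campaign names, users and events below are constructed for illustration, and each user is counted at most once per campaign so repeated clicks do not inflate the rate:

```python
from collections import defaultdict

# Constructed phishing-simulation event log: (campaign, user, event).
# "sent" marks a user who received the lure; "clicked" and "reported"
# are the outcomes we want to track. A user may click more than once.
EVENTS = [
    ("before", "alice", "sent"), ("before", "alice", "clicked"),
    ("before", "bob", "sent"), ("before", "bob", "clicked"), ("before", "bob", "clicked"),
    ("before", "carol", "sent"), ("before", "carol", "reported"),
    ("before", "dave", "sent"),
    ("after", "alice", "sent"), ("after", "alice", "reported"),
    ("after", "bob", "sent"), ("after", "bob", "clicked"),
    ("after", "carol", "sent"), ("after", "carol", "reported"),
    ("after", "dave", "sent"), ("after", "dave", "reported"),
]


def campaign_metrics(events):
    """Return {campaign: {"sent", "click_rate", "report_rate"}}.

    Rates are per recipient, de-duplicated by user, so a user who clicks
    three times still counts as one click. Outcomes for users who never
    received the lure (bad data) are ignored by intersecting with "sent".
    """
    sent, clicked, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for campaign, user, event in events:
        if event == "sent":
            sent[campaign].add(user)
        elif event == "clicked":
            clicked[campaign].add(user)
        elif event == "reported":
            reported[campaign].add(user)
    metrics = {}
    for campaign, recipients in sent.items():
        n = len(recipients)
        metrics[campaign] = {
            "sent": n,
            "click_rate": len(clicked[campaign] & recipients) / n,
            "report_rate": len(reported[campaign] & recipients) / n,
        }
    return metrics


def click_rate_reduction(metrics, before="before", after="after"):
    """Relative drop in click rate between two campaigns (1.0 = eliminated)."""
    b, a = metrics[before]["click_rate"], metrics[after]["click_rate"]
    return 0.0 if b == 0 else (b - a) / b
```

Tracking the report rate alongside the click rate matters: a rising report rate is the clearest sign that awareness training has changed behaviour, not just caution about one lure.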
Getting stakeholders from the organisation to review what’s happening in cyber and coming up with ideas to improve education and culture takes time, but making the environment 'fun' does have a direct effect on people’s willingness to learn.
In another good example, a large enterprise highlighted staff who had done well in cybersecurity in an email newsletter. Proactive rewards and recognition work well, and your fresh approach should be rewarding and more 'carrot than stick'.
You can measure staff participation in a learning management system, and this should be done as part of an ongoing program. Also, make sure this information gets pushed out to the wider business.
It is possible to spread a good security culture into other areas of the organisation, but the owners of the program must share success stories. Making sure the benefits are seen all across the business is imperative – there is no point having two organisational units with lax security, as the bad guys can get in there too.
With new tools and a fresh approach, cybersecurity awareness should be easy to consume, customised and able to move education to the front and centre of people's working lives.
As more education bodies transact online they continue to passively widen the threat landscape. Better cyber awareness will make a welcome complement to more training and coursework.
Michael Warnock is Australia country manager at Aura Information Security.