Change urgently needed in defence against cybercrime
Cultural change urgently needed in defence against cybercrime attacks
Spending millions of dollars and IT specialists working around the clock to defend against the wave of cyber-attacks currently engulfing New Zealand will only be a losing battle until organisations invest in changing staff culture.
Daniel Watson, SMB cybersecurity expert and author of the book 'She'll Be Right (Not!) – a cybersecurity guide for Kiwi business owners', said that the recent spate of cyber-attacks on New Zealand organisations emphasises the urgency of addressing cultural change.
"Staff are the last line of defence. They click on what they click on, and as a result, they can quickly fall prey to tactics like password harvesting – for example, fake Dropbox accounts designed to collect your login details.
"People also tend to use the same or similar passwords. This allows hackers who have 'harvested' just one password to breach the defences of an organisation."
Watson said that it isn't unusual for staff members who have inadvertently clicked on a malicious link to say nothing for fear of getting into trouble.
"That's a cultural issue. Staff afraid of getting into trouble put the business at risk because they don't report mistakes, and it can take days or weeks before the breach is discovered – this is a cultural issue. You want to encourage staff to step up rather than be afraid of admitting mistakes."
Watson said sextortion, phishing and credential harvesting are scams that staff typically get tripped up by, and one of the biggest obstacles to reporting an issue is shame or embarrassment.
"Once somebody has login details, they can re-direct invoices and change supply arrangements. It just takes one small slip up that somebody is too afraid to admit to, and the cybercriminals are in."
There are three important aspects to changing the culture of a business to one that is cyber vigilant:
1. Top-down change
Watson said culture change starts at the top. Senior management needs to lead by example and make clear that cybersecurity is an organisation-wide issue – not just something for IT to worry about.
"Implement a set of security policies from the top down. For example, any financial transactions or marketing invoices must be approved by management, and any change of account details must require two-factor authentication."
2. Make cybersecurity an operational issue
Watson said embedding cybersecurity into a company's operations is crucial and should include awareness training and how to recognise a scam.
"Put in place an incident response plan – much like a health and safety plan, where if you see a hazard, you report it. If management responds negatively by ignoring the report, browbeating or ridiculing staff, they will likely hide things under the carpet and hope the boss won't notice."
3. Rapid response
"Create a culture of rapid response. The sooner staff notify IT, the quicker the experts can get in there and mitigate the damage," Watson said.
For more information visit: https://www.linkedin.com/in/daniel-watson-cybersecurity/