Cyberattacks are an ever-present danger for organisations across Australia. Take just a quick glance at recent news stories and you’ll see that attacks are happening all the time. So it’s not merely likely that an organisation will be targeted. It’s inevitable. And government and public sector agencies are very attractive targets for cyber criminals. They hold large amounts of potentially lucrative citizen data. Some control key infrastructure and systems. And some, for example in the research and defence sectors, hold information that state-sponsored intruders would love to get their hands on. And thanks to the digitisation of so many government services, where Australia is among the world’s leaders, the threats—and the attack surface—are expanding all the time.
So how should organisations protect themselves? That’s a complex question to which, you won’t be surprised to hear, there are no straightforward answers. Effective responses will involve the right combination of technology, people and processes. But it’s often the people element that can be overlooked. Because we wanted to find out more about the role that people play and why their engagement with security is so important, we carried out some research to investigate the attitudes of public sector employees in Australia. What we found presents an interesting picture. The good news? Nearly all (95%) of public sector employees are confident that their agency’s cybersecurity measures are effective. But there’s some less welcome news: a far lower number said that they felt very involved in keeping citizen data safe.[1]
Does that relative lack of engagement mean that public sector workers are unconcerned about keeping citizen data secure? Not at all. The overwhelming majority say that it matters to them. But their lack of involvement speaks to a broader need to create the culture and behaviour that embeds security in the fabric of the workforce. We found a fairly low number of employees claimed to have a very good understanding of the explanations that their agency provided about the security and privacy of citizen data. Raising that level of understanding requires education. Employees at agencies that do not provide training are less likely to feel involved in keeping citizen data safe. To change that means not only instructing people about policies and procedures, but also enabling them to understand the vital role that they play in achieving a robust security posture.
Of course, not everyone is likely to be exposed to security issues to the same extent, so a tailored curriculum is important. And how training is delivered is also key. It’s not a ‘one and done’ exercise; it has to be ingrained in day-to-day operations. Security drills and simulated attacks such as phishing should all be part of the mix to help employees understand the vulnerabilities that they can create and, crucially, take action to mitigate. Awareness of potential threats also needs to be reviewed and continuously revised. That has to take into account not just what the agency values and deems worthy of protection, but also what may be attractive to cybercriminals—they’re not always the same thing.
People are a vital part of the security apparatus that an organisation builds. Technology is too. But it’s bringing them together that can power a big leap forward. AI’s capabilities to spot some potential threats are far superior to a human’s. But other threats require human insight and experience. In combination, as a "human+" workforce, organisations can create layers of resilience that can minimise the chances of an intruder getting too far into a system.
Organisations can do a lot to improve their security posture and resilience to cyberattacks. But breaches will still sometimes occur. So, bottom line, what to do in the event that the worst happens? Making sure that employees have an action plan in the event of a breach is fundamental and something that only 69 percent of Australian public sector employees say they have today.[2] Education, again, is key.
Managing the public communication of a breach well is also essential to preserve trust. When the Australian Red Cross discovered a data breach towards the end of 2016, they acted quickly. As an organisation that depends heavily on public trust (they literally need people to give them their blood), the Red Cross chose to be as transparent and clear as possible. While there may have been some public disappointment at the breach, the organisation’s approach was generally well-received and public trust in it was preserved. It’s just one example of how people are at the centre of cybersecurity best practice. And that’s a principle that every organisation needs to take to heart.
Copyright © 2019 Accenture. All rights reserved