As cyber criminals become more sophisticated and strategic in their activities, many businesses are setting cyber safety as a top priority across the organisation.
Cyber safety and cyber security do not mean the same thing. Cyber security – which is more to do with having the right hardware and software to help prevent an attack – is only a part of cyber safety which also includes ensuring everyone in the business displays the right behaviours to help stop a cyber-attack.
IBM Security's Ponemon Institute 2017 Cost of Data Breach Study found the average total cost of a data breach is US$3.62 million, making its impact on a business potentially catastrophic.
The Australian Cyber Security Centre's (ACSC's) 2017 Threat Report found, “Cybercrime remains a pervasive threat to Australia's national and economic prosperity, with cybercrime expertise improving and tradecraft being adapted to target specific businesses.”
The report noted that ransomware is, “the most prevalent financially motivated cybercrime threat worldwide and is likely to remain so due to its continuing success.”
Ensuring that everyone in the firm has a good understanding of the importance of the issue and the right approach to cyber safety could help businesses prepare for a cyber-attack.
Cyber safe strategies take a top-down approach
Destiny Bertucci, 'Head Geek' at IT network management firm SolarWinds, says cyber safety has several components.
“Cyber safety is about having awareness when dealing with personal information. It's about thinking how you connect to the internet,” she says.
“Cyber security is about addressing threats with software and hardware to protect personal information and technology. These are fluid because technology is dynamic, and we have to be able to adjust.”
Bertucci says building a cyber safe culture across a business starts with education from the top down and requires ongoing training.
“Cyber safety is a culture, not just a once-a-year check,” she says.
“We need to communicate the importance of cyber awareness not only at work but also at home and in people's personal lives. We need more widespread recognition of online risks and how to make informed decisions about the best way to behave online. So, ongoing training must be provided to everyone in the business that is accessing the internet or connected environments.”
For instance, building a cyber safe culture means taking care when logging onto public Wi-Fi networks – or not logging into them at all, unless absolutely essential. For some businesses, it may not always be possible to prevent people from logging onto public Wi-Fi. For example, use of unsecured open networks may be necessary when people travel; but the business might have a policy for staff to only use a public Wi-Fi when no other option is available.
That way, people can still get their work done, but the business is mitigating its risks as much as possible. Ensuring staff understand and follow these protocols is key to building a sound cyber safe corporate culture.
Thomas Jreige, Managing Director of Focus Cyber Group, says establishing a strong information security and online communication policy is essential in establishing a cyber safe culture.
“This provides the means for an organisation to outline to employees their obligations with respect to using and managing information in the organisation and the associated infrastructure and software,” he says.
Jreige agrees awareness and training is essential. “Ensuring all employees in the organisation are adequately trained and understand the policies being imposed on them is very important. Cyber safety policies should also be included in human resource processes.”
Cyber security – addressing the threat landscape as a daily habit
Jreige says it's simple to understand the difference between cyber safety and cyber security.
“Cyber safety is about the safe and responsible use of information and the associated infrastructure and technology that comes with it. It is also about the cultural and emotional intelligence applied when working with information online and working with others online, such as using social media and online platforms in business. You could call this an element of etiquette.”
In contrast, he says cyber security is the means of identifying and mitigating risks in the organisation through a balanced implementation of people, process, and technology.
“To identify risks in the organisation associated with cyber security, understand the current threat landscape and how those threats will affect the organisation's digital environment.”
Bertucci agrees that cyber security is about recognising the threat environment. Her advice for CFOs is to bring cyber security into their businesses fabric daily – to create a cyber safe culture.
“This will allow everyone to play a part in helping to secure the business' IT network. It also helps to reduce the risk of internal breaches by raising awareness of the importance of cyber security across the business.”
Jreige's tips for CFOs to establish a cyber safe culture include:
- Ensuring the information security policy, data governance and online communication policies clearly outline how information is to be handled in the organisation.
- Ensuring that security awareness and training is provided to all employees so that they understand their obligations around using and managing information.
- Ensuring that regular auditing on information is performed to understand where it is moving in and out of the organisation. This can be undertaken through a privacy impact assessment.
- Ensuring that HR develops strategies and processes that provide insights for both new and existing employees as to their obligations from a contractual perspective around meeting cyber safety obligations.
Following these steps alone might not safeguard the business against a potential cyber threat, but they could help reduce the risk of a cyber-attack and possibly place the business in a safer position to firms that are yet to embrace a culture of cyber safety across their operations.
- The average total cost of a data breach is US$3.62 million and ransomware attacks are growing in sophistication.
- Cyber safety is about developing the right behaviours within the business and requires a top-down approach.
- Cyber security is more about having up-to-date hardware and software to prevent and detect attacks.