A quick glance over this report highlights just how bad Australian mid-sized businesses and government departments are at managing cyber security.

Moreover, the figures - obtained by Macquarie Telecom Group and Australia’s National Security College - indicate very little has changed since Prime Minister Malcolm Turnbull published Australia’s cyber security strategy back in April.
Two major themes come across in this report. Firstly, there is a distinct lack of awareness and ownership of cyber security at the strategic board level in both mid-sized companies and government departments. Just over half of the organisations surveyed have no cyber security representation to their board.
This demonstrates a massive gap in their approach to risk management, where information security risks undoubtedly get traded off against other strategic initiatives.
Secondly, mid-sized companies indicated an unwillingness to engage with government cybercrime services such as the Australian Cybercrime Online Reporting Network (ACORN), showing they either aren't aware of them or don't feel obliged to admit a breach or loss of service.
In response, cyber security minister Dan Tehan said he would "press heads of government departments to improve their security processes" given they appear to be a "weak link" in national defences against cyber attacks.
But what can actually be done to fix the problem before more missteps like the one we saw with the Red Cross Blood Service happen?
Cyber security is now a core consideration of doing business in the 21st century, irrespective of whether you manage a small bakery, a tractor maintenance business, or a medium-sized government department. If you use the internet to do business and have customers, then your data is worth something on the black market and it’s at risk.
It’s time for industry leaders, not just security professionals, to take this seriously and lead by example. Hiring a chief information security officer (CISO) will not make your organisation secure if that person doesn’t have the skills, knowledge, competency or communication ability to explain why your business is at risk and how it can fix the problem.
Furthermore, the executive team or board needs to empower that CISO to make changes that permeate the entire organisation. Security awareness programs, for example, are often cited as essential in changing an organisation’s security culture; however, most fail because they are introduced as simple training courses taken once a year.
Organisational change won't be achieved by forcing staff to take 45 minutes of mandatory training annually. Security professionals need to work with all of the stakeholders that influence organisational change: executives, middle management, human resources and even partners and suppliers.
Awareness needs to be measured, perhaps by running regular internal phishing campaigns to see who’s still clicking on unknown or unsolicited links, or by reporting on the number of malware items blocked by your countermeasures that would otherwise have led to a breach.
Incentivise staff by introducing fines for careless use of technology, or use a bonus or reward system that applies to all staff, so that those who are careful receive some kind of token of appreciation.
Australian business and government leaders must pause to understand the cyber security threat. If you are a business or government executive, you are responsible for the sustainability of your business and the protection of your employees – a failure in cyber security defences can put all of that at risk.
Ask yourself whether you really believe you are doing enough – and if the answer is no, do something about it before it’s too late.