It is imperative that staff members follow the cyber safety policies and procedures of an organisation; this will eliminate breaches in security, or significantly reduce them. Organisations need to review whether there are any gaps in procedures, or in staff education and understanding. Training can then be implemented across an organisation to increase cyber security.
By the end of this topic, you will understand:
- how to review operational behaviours to ensure compliance with workplace cyber safe policy
- how to provide topical training to ensure organisation wide understanding of cyber safe requirements
- the value of briefings to key personnel on the outcomes of cyber safe compliance checks and training.
A major vulnerability that is exploited by hackers is human behaviour. We all look to create the most output for the least effort. In the workplace, policies exist to build procedures that are designed to be cyber safe. While these procedures are cyber safe, the trade-off is often found in reduced productivity.
Cyber security does not increase productivity; in fact, it creates additional steps in workflow that provide no benefit to productivity. Consequently, regular educational reinforcement is needed to ensure staff understand that without policy compliance, the business is at risk of being shut down. Staff have a personal stake in ensuring policy is followed.
The compliance or cyber security manager in a business should regularly review work practices to ensure cyber safe behaviours. Cyber unsafe business activity can be classified in two ways. Activities are not cyber safe when they are:
- not allowed by a business’s cyber security policy
- allowed by a business’s cyber security policy but the policy requires amendment to prohibit the work practice.
Performing a review of a business to establish current work practices should be conducted inclusively, working with staff and managers to build a mutual desire to improve cyber security. A business will often be a complex organisation with various departments and managers. Cyber security reviews should be explained, scheduled and conducted in such a way that they remove any sense that they seek to place blame. In doing so, staff and managers will be more willing to be open and helpful with responses to inform a review.
Gathering Information
The following are useful methods to gather information to review cyber security practices. It is vital that the reviewer understands the current business cyber policy before conducting a review. In this way, they can recognise policy breaches.
- Observing workplace behaviours to determine current behaviours to compare with required policy. This can be done by visiting various parts of the business to witness and understand how work is conducted. Example observations include seeing computers unlocked, passwords written on notes and taped to monitors and personal devices plugged into PC USB ports.
- Asking questions to understand how access to the network is achieved and how data is managed.
- Reviewing historical cyber security incidents to look for patterns and gaps in compliance is helpful. A business should keep a log of any activity that is or may have been a cyber security threat. These reports can be found as documented incidents (such as those reported to a help desk) or may be auto-generated reports from anti-malware software. By reading these reports it is possible to understand the vector that the incident used, and whether the incident was caused by policy-prohibited behaviour or by a gap in policy requirements. Importantly, historic incidents should have been remedied to close the cyber security gap. These incidents are useful in understanding where, across the business and in particular departments, lapses in cyber safe behaviour are likely. When reviewing these departments, care should be taken to ensure that similar cyber unsafe behaviour is not still occurring.
- Businesses will often have documents that describe how various functions are to be performed across their business. Reading such workflow documents can assist in identifying cyber compliance failures or gaps in policy that are not prohibiting cyber unsafe behaviour.
- Meeting informally with staff and managers to ask them if they are aware of work practices that should be improved is useful. The approach should be to seek collaborative improvement, rather than to question and blame. Often staff will have suggestions to improve policy based on their experience in other workplaces too.
Risks Associated with Workplace Cyber Security
In order to protect the organisation from cyber security attacks and raise awareness, it is important to familiarise yourself with common cyber security risks. The five most common risks are described below:
Phishing, a prevalent cyber threat, involves deceptive emails, messages, or websites designed to trick employees into divulging sensitive information. By posing as trustworthy entities, attackers can gain unauthorised access to confidential data, making phishing a significant risk to workplace cybersecurity. Employee awareness training and robust email filtering systems are essential defences against this threat.
Inadequate password practices, such as using weak passwords or reusing them across accounts, present a substantial risk to workplace cybersecurity. Weak authentication mechanisms make it easier for unauthorised access. Establishing strong password policies, encouraging multi-factor authentication, and regularly updating passwords help fortify defences against this vulnerability.
Insider threats arise when individuals with insider knowledge, such as employees or contractors, misuse their access privileges. These threats can be intentional (malicious) or unintentional (negligent), leading to data leaks, the introduction of malware, or other activities compromising the organisation's security. Managing insider threats requires a combination of employee training, strict access controls, and continuous monitoring.
Ransomware is malicious software that encrypts files or systems, demanding a ransom for their release. Ransomware attacks can result in severe consequences, including data loss, operational disruptions, and financial harm. To mitigate this risk, organisations should implement robust cybersecurity measures, including regular data backups, employee education, and advanced threat detection tools.
Failure to promptly apply software updates and patches leaves workplace systems vulnerable to exploitation by cybercriminals. Unpatched software often contains known vulnerabilities that attackers can target to gain unauthorised access, install malware, or execute other malicious activities. Establishing a comprehensive patch management strategy is crucial to addressing this risk and maintaining a secure digital environment. Regular software updates, vulnerability assessments, and timely patching are essential components of an effective defence against this threat.
Strategies and Techniques for Promoting Workplace Cyber Security
There are many strategies and techniques that can be used to promote workplace cyber security, and it is of paramount importance for all organisations to ensure they implement those techniques to avoid major cyber security breaches and incidents.
Read the information below to find out more about the most popular strategies and techniques commonly used by organisations to promote workplace cyber security:
- Employee Training and Awareness: Conduct regular cybersecurity awareness training programs to educate employees about common threats, phishing attacks, and best practices for maintaining cybersecurity. Ensure employees are aware of the importance of strong passwords, the risks associated with sharing credentials, and the significance of reporting suspicious activities promptly.
- Create and Enforce Strong Password Policies: Implement and enforce policies that require employees to use strong, unique passwords. Encourage the use of multi-factor authentication to add an extra layer of security.
- Regular Software Updates and Patch Management: Establish a robust patch management system to ensure that all software, including operating systems and applications, is regularly updated. Automate software updates whenever possible to minimise the risk of vulnerabilities.
- Access Control and Least Privilege Principle: Implement the principle of least privilege, granting employees the minimum level of access needed to perform their job functions. Regularly review and update user access privileges to align with their roles and responsibilities.
- Network Security Measures: Use firewalls, intrusion detection/prevention systems, and secure Wi-Fi networks to protect the organisation's network. Employ virtual private networks (VPNs) for secure remote access, especially for employees working outside the office.
- Incident Response Planning: Develop and regularly update an incident response plan to guide the organisation's response to cybersecurity incidents. Conduct regular drills and simulations to ensure that employees are familiar with the procedures to follow in case of a security incident.
- Data Encryption: Encrypt sensitive data both in transit and at rest to protect it from unauthorised access. Implement encryption for communication channels and devices to safeguard information from potential breaches.
- Mobile Device Management (MDM): Establish policies and use MDM solutions to manage and secure mobile devices used for work purposes. Implement remote wipe capabilities for lost or stolen devices to protect sensitive data.
- Regular Security Audits and Assessments: Conduct periodic security audits and assessments to identify vulnerabilities and weaknesses in the organisation's cybersecurity posture. Use penetration testing to simulate real-world attacks and assess the effectiveness of existing security measures.
- Collaborate with Cybersecurity Authorities: Stay informed about the latest cybersecurity threats by collaborating with cybersecurity authorities, such as the Australian Cyber Security Centre (ACSC). Participate in information sharing and threat intelligence programs to enhance the organisation's situational awareness.
- Secure Remote Work Practices: Establish secure protocols for remote work, including the use of virtual private networks (VPNs) and secure communication tools. Provide guidelines for secure home network configurations and the use of personal devices for work purposes.
The outcome of a review gives insight into where gaps in workplace operations exist that expose a business to the potential for cyber security breaches. The review should be written as a report that:
- identifies gaps in cyber safe behaviour
- identifies the cause of the gap
- suggests remedies to close the gap.
The risks that cyber security addresses take multiple forms. They range from managing physical cyber security (such as ensuring computers and phone screens are locked when not in use) through to managing technical hacker exploits such as using email to trick staff into providing access information (such as usernames and passwords).
Some risks are managed by patching software. This stops hackers using a previously unknown flaw in the software (such as in a browser) to illegally steal from a business. Risks that rely on staff complying with cyber safe workplace behaviour can never be permanently remedied. There will always be a need for continued policy and procedural education to enforce cyber safe best practices.
Enforcement
In a workplace, most staff will react positively to advice, training and positive behavioural correction. Some people, however, may continually breach business cyber security policy for any number of reasons. In this case, business policy to correct repeated negative behaviour should be applied. Typically a business’s HR department manages issues such as these. It may be necessary to remove staff from positions that allow them to breach cyber security. In all cases, HR departments are bound to work within Australian labour laws such as the Fair Work Act.
Techniques for implementing and promoting workplace cyber security awareness
Read the following techniques to find out how to implement and promote workplace cyber security awareness:
- Establish regular communication channels to disseminate cybersecurity information.
- Share updates on emerging threats, best practices, and policy changes through newsletters, intranet, or internal emails.
- Conduct interactive workshops or webinars to engage employees in discussions about cybersecurity.
- Provide practical tips, case studies, and real-world examples to illustrate potential risks and solutions.
- Launch awareness campaigns with catchy slogans, posters, and digital displays to capture employees' attention.
- Use different mediums such as posters, screensavers, and internal messaging systems to reinforce key cybersecurity messages.
- Introduce gamified elements into cybersecurity training to make it more engaging.
- Develop cybersecurity quizzes, challenges, or competitions with rewards to encourage participation and knowledge retention.
- Offer incentives or recognition for employees who demonstrate good cybersecurity practices.
- Encourage reporting of security incidents and near-misses by creating a positive reporting culture.
- Conduct regular phishing simulations to test employees' ability to recognise and respond to phishing emails.
- Provide immediate feedback and educational content to employees who fall for simulated phishing attacks.
Techniques for facilitating training that promotes cyber security awareness
Read the following techniques to find out how to facilitate training that promotes workplace cyber security awareness:
- Develop interactive training modules that cover key cybersecurity topics, including password security, safe browsing habits, and recognising social engineering tactics.
- Include multimedia elements such as videos, animations, and quizzes to enhance engagement.
- Create realistic simulated cybersecurity scenarios that mimic potential threats and attacks.
- Conduct tabletop exercises where employees can collaboratively respond to simulated incidents, fostering a proactive and prepared mindset.
- Tailor training content to specific roles within the organisation, addressing the unique cybersecurity challenges each role may face.
- Provide examples and case studies relevant to different departments or job functions.
- Implement continuous learning platforms that offer ongoing cybersecurity education.
- Use online courses, webinars, or mobile learning apps to provide bite-sized, accessible content that employees can engage with regularly.
- Facilitate collaborative learning sessions where employees can share insights, experiences, and best practices related to cybersecurity.
- Encourage teamwork in solving cybersecurity challenges and exchanging knowledge.
- Conduct simulated incident response drills to familiarise employees with the procedures to follow in the event of a cybersecurity incident.
- Evaluate and refine response plans based on the outcomes of these drills.
- Implement metrics and assessments to measure the effectiveness of cybersecurity training programs.
- Use metrics such as click-through rates on simulated phishing exercises and improvement in employees' knowledge over time.
Case Study
Arranging Staff Training
As cyber security officer at ACE Pty Ltd you have identified in a review that accounting staff are not locking documents with a passcode before sending them to clients.
Consulting with the ACE Training Manager, it is agreed that a short e-learning program will be developed based around a PowerPoint presentation you create. There will be a short quiz at the end of the PowerPoint using ACE’s Learning Management System (LMS).
It will take 2-3 weeks to begin the training, so in the interim you:
- Brief the accounting manager that the practice is occurring and, in line with policy, ask that all documents are to be locked as needed from now on. You provide a one-page information sheet so the manager can discuss this with their staff.
- Send an email to the accounting team that notes that while no breach has occurred, it is likely it will occur at some time. If this occurs, the business will be exposed to a privacy breach and there are significant financial penalties in this event. You thank the accounting team for their co-operation and invite questions from them.
Simulated Games
There are many free online gamified simulations produced to teach cyber safe principles.
Using practical interactions, simulations are a fun and engaging way to grow awareness. Many of the typical gaps in cyber security practices are covered in these activity-based learning tools. Before using any games, review them yourself and see how they fit with the people in your business. Decide if the game design and style will resonate and deliver the message you need to get across.
Examples
The Weakest Link is a scenario-based game that poses questions to answer based on cyber security events.
The Weakest Link: A User Security Game (isdecisions.com)
Terminal is a movie style game that allows the player to be a cyber security analyst responding to threats:
Enterprise Security Solutions | IBM
Companywide Competitions Based on Email Bulletins
Holding a monthly cyber safe competition with fun prizes focuses attention across a business. This can form part of a monthly email bulletin that addresses cyber security enhancements and policy. It can take the form of a quick to enter competition that builds cyber safe thinking and grows cyber awareness. It builds an expectation that every month there will be a quick cyber safe challenge and keeps cyber security topical.
Case Study
Cyber Safe Quiz
At ACE Pty Ltd all staff have received an email which is the monthly cyber security bulletin. After reading the bulletin, staff are informed that Phishing attempts by hackers will always remain a constant threat. Further, staff should be vigilant and not open any suspicious emails. As part of the email, a quiz question is asked:
Which of the following emails could be a phishing email?
- You receive an email with the title – ‘You have won a million dollars’
- You receive an email title ‘To the accounts team’ from accounts@peopleus.com.au. You work in the warehouse and have never heard of peopleus.
- You receive an email from sales@ace.biz.au. This is not our company domain name
- All are phishy.
The task for ACE staff is to select the correct response, send back the email and then be entered in a draw for a $100 voucher. The program costs ACE $1200 per year and ensures that cyber security remains topical in the business.
Recording Training
It is important to record when training and information is provided. In this way, a review of prior training can indicate when refresher courses are due and if all staff have received the same required training. Further, it provides a business with a record that staff have received training and, if the training is sufficiently detailed, that the business has taken the necessary steps to provide adequate training.
Providing adequate training to staff on cyber security matters is a compliance requirement for Australian businesses:
- The Privacy Act requires in privacy principle 1 that a business ‘must take reasonable steps to implement practices, procedures’ including ‘regular staff training’.
- The Security Legislation Amendment (Critical Infrastructure) Bill 2021, or Essential Services Act (SOCI), requires that businesses engaged in providing critical infrastructure must deliver improved cyber security resilience. An amendment to the bill in 2023 will require the development of a written risk management program. Such a program will require documented training events to reduce the risk of a cyber security breach.
As a result, recording of training (what was provided, when, and to whom) is required for compliance reasons. Further, assessment of comprehension and regular updates should be undertaken by businesses to demonstrate their best effort to comply with regulations.
Training records can take a variety of forms:
Spreadsheet – The training provided for a smaller business may be recorded in a simple spreadsheet to note names, topics and dates of the training including the method of communication (such as by email or e-learning).
Database – For bigger companies, training records may be attached to Perec (Personnel Records) to simplify reporting and training scheduling.
Learning Management Systems (LMS) – Some companies will have dedicated Learning Management Systems to allow delivery of training, assessment, and the recording of results.
Building a Schedule
Bombarding staff with cyber safe messages will likely make them ‘tune out’ and be less likely to absorb key messages. Creating a schedule of training and communication events that are spaced and ordered by priority will assist in raising cyber security awareness. Consider the example schedule for the next month for ACE Pty Ltd below. The urgent need is to ensure client finance documents are locked with a passcode before emailing and this is the priority gap to close.
Case Study
ACE Cyber Security Training
Month 1:
- Week 1: Send an email to all accounting staff to ensure documents are locked as needed. The accounting team manager is to deliver a provided one-page info sheet on what is required and why.
- Week 2: Deliver a short e-learning course.
- Week 3: Review the results of the training.
- Week 4: Report the results of training to the accounting manager and deliver follow-up activities if required.
After targeted training on cyber safe practices has been provided, summative assessment of the results from the training provides valuable insight to tune and improve further training delivery. Considering which training techniques worked well or need improvement creates continuous improvement in training outcomes. This results in greater overall cyber security awareness.
Once training has been provided, briefing the relevant staff about training outcomes provides certainty to key people in the business that security gaps are being remedied. Further, it also builds ownership of the problem with a business’s management. As closing cyber security gaps may result in changes to work practices, managers that understand the implications of cyber unsafe work practices will be more willing to adopt changes in how their teams operate.