In our latest blog post we take a look at the Australian Institute of Company Directors and the Cybersecurity Cooperative Research Centre’s Cybersecurity Governance Principle 4: promote a culture of cyber resilience.
Firstly, what is cyber resilience? It’s when an organisation can:
- Respond quickly to incidents.
- Continue functioning during ongoing attacks.
- Block secondary access attacks during incidents.
Too often, we think of cybersecurity as being separate from other workplace issues. But it’s actually an ingrained part of our whole culture. In fact, cyber resilience begins and ends with an organisation’s culture. It has to flow through teams, processes, and planning to be effective.
If you’ve ever tried to change the culture in a workplace, you’ll know it’s a difficult process. It takes time! But it can be done. A culture starts to change when people understand that there’s a better way, why that way will be better for them, and how they can get there.
Education is a huge part of culture change. It’s also a huge part of cyber resilience.
Involve board and executives in cybersecurity education and testing
Awareness training is important for people at all levels in your organisation. While your lower-level staff might face the most attacks, anyone can be targeted, and the higher someone’s position, the more access they could grant an attacker. Your board and executives also need to understand the challenges facing your cyber response team. This helps them set business strategies and budgets that adequately support the team.
Don’t restrict cyber awareness training to regular staff. Get everyone involved! Include managers, senior managers, board members, and volunteers. Make phishing testing mandatory for all as well. This helps to ensure that everyone has a good grounding in cybersecurity and what to do during an incident.
Run occasional ransomware simulations. See what happens in real time when an attack is occurring and you’re losing data and systems. Track metrics like time to response and the number of lateral movement breaches. Have the board observe these exercises. Seeing first-hand what goes into a response can be eye-opening. It can also make cybersecurity feel much more real, rather than an abstract concept. Set up a board committee to work on any issues discovered during the simulation exercises.
Here are some questions for directors to ask:
- Do we get everyone to take awareness training?
- How often does each person do the training?
- Do we customise training by team or role?
- How do we measure the effectiveness of the training?
- How are the board and senior managers involved in the training?
Add cybersecurity to the role statements and KPIs of key leaders
It’s incredibly important to have leadership on board with cybersecurity. Not just so they can support it – so they can lead it. Strong leadership is essential to building effective strategies. Business strategy comes from the top down. When leaders include cybersecurity in business strategy, it imbues cyber resilience throughout the organisation.
Send a clear message to key leaders that they need to lead cyber strategy. Add security to leadership job roles. Include security metrics in their KPIs. This not only provides an incentive to focus on cyber risk; it also underscores its importance to the organisation as a whole. While some tasks can be delegated to regular staff, other responsibilities must stay with directors. Make sure that board members know they can’t deputise someone for every task.
Communication from leaders reinforces the importance of cyber resilience to staff
You can tell your staff that cybersecurity is important. But when you show them that it’s important to your organisation, it sinks in. When leaders are regularly talking about good cyber practices, it becomes part of the mental landscape.
Give staff regular updates about good cyber practices. These could be emails, or physical signs in the workplace. For best results, make content short and engaging. Don’t try to pack lots into one piece. It’s better to teach one small idea well than a larger one ineffectively.
Include awareness training in this communication. It is a key tool you can use to build a cyber resilient culture. Where appropriate, customise training for specific job areas and tiers to keep it relevant and interesting.
Consider getting involved in formal intelligence exchanges, like the ACSC Partnership Program and the Joint Cybersecurity Centres. This provides you with timely threat information. It also sends a message to your staff that this issue is important to your organisation.
Pick a staff member to lead cybersecurity practice in a department. Give this person the resources they’ll need to answer questions from their peers. Encourage them to start new initiatives to encourage better practices.
Create a cybersecurity mindset
When you have a cybersecurity mindset, you include security in every business decision you make. You ensure that your organisation can keep running with minimal disruption through attacks and incidents.
Make sure the board knows which data and systems are crucial to business continuity. Ensure that you have secure backups and an alternative operating platform that you can restore to. Test the backup and restore procedure to confirm that it works and results in a fully functioning system.
Talk to the board about its mitigation strategy if your platform is compromised:
- How will you talk to customers about the incident?
- Who will inform law enforcement agencies?
- What sort of backup plans do you have to offer customers who are affected by the incident?
Consistent and purposeful change is vital
Changing a workplace’s culture can be hard work. Staff need to know that cyber resilience is important to the board and upper management. Continual education can help you communicate this to staff. Regular training and testing, with positive feedback and rewards for good performance, motivates and educates employees.
Talk to PhishNet to develop a training plan, and start moving towards becoming more cyber resilient today.