With human error the central cause of most security breaches, a culture of security awareness is critical to bolster enterprise security, Cyber GC principal Annie Haggar argued ahead of the inaugural Cyber Security Summit 2023.
Ms Haggar – who recently founded Cyber GC to teach in-house legal teams the importance of cyber security compliance and law – said employers and employees need to understand that human error is responsible for most cybersecurity breaches.
Examples include being careless with passwords and technology updates, working with outdated software or hardware, and being vulnerable to phishing attacks or other social engineering tactics aimed at stealing a company or individual’s credentials.
As such, Ms Haggar proposed, if employers view every employee as part of the enterprise security risk, they also need to view them as part of the solution.
This could be done by providing end-to-end training to new employees about being careful with passwords, phishing emails, and their personal use of technology.
Ms Haggar’s comments preceded the Cyber Security Summit 2023 in June, where she will provide insights into enterprise cyber security, why it is important, the types of cyber threats associated with it, a comprehensive strategy to minimise risk, and effective policies for maintaining confidentiality and integrity of data.
Enterprise security should be viewed as a holistic package that asks everyone to consider security as a part of their job, Ms Haggar said.
More traditional enterprise security protections, data management and protection, and security technologies should sit alongside this, she added.
“I see enterprise security through a different lens. I see the bigger picture,” Ms Haggar told Cyber Security Connect.
“I see that businesses are vulnerable to enterprise security risk when they don’t have a culture of security that runs through their organisation. So, if you have people who think that security is just the job of the IT team, that’s where your enterprise security is leaving you vulnerable.
“You need to have everybody thinking that their job has something to do with cybersecurity. If they don’t know what that is, they really need to be part of the plan at fixing that and protecting their role and areas of responsibilities from a cybersecurity perspective.”
Security culture starts at the top
Embedding this culture should begin with the leadership team setting expectations and ensuring that it flows down to all employees.
The leadership team must lead by example and live up to the same standards that they expect from their employees, Ms Haggar insisted.
“You can't have your executives think using unsecured devices, storing things, and sending messages and documents around in unsecured ways is okay if they expect their employees to live up to a different standard,” she said.
With a recent study finding that a single email attack could cost an Australian business on average $1.4 million (with many businesses saying this is a sharp increase from the year before), it is essential for leadership teams to remind employees to send emails with the appropriate levels of protection, and to encrypt and mark documents with the required amount of security.
How could lawyers and HR help?
It is also within the remit of an organisation’s legal and HR department to consider how to bolster its cybersecurity posture and how this could impact their jobs, Ms Haggar said.
“If you are a lawyer (which is my background) and you think cybersecurity has nothing to do with you, then you’re missing the fact that you need to be advising your business and your client on the cyber and enterprise security risks to the business,” she asserted.
“You need to be thinking about how your legal job needs to take into account cybersecurity risks.”
This might involve changing their contracts to ensure all suppliers to the business meet minimum security standards, or changing the terms and conditions with customers to offer enhanced protection to the company against cyber-attacks, Ms Haggar added.
The HR department could play a critical role, she said, by taking action against employees who constantly cause security breaches by clicking on suspicious links.
“Do you have the capacity as an HR person to take disciplinary action under your employment contracts?” she asked.
“Do you have an HR and security policy that allows you to restrict that person’s systems’ access or potentially withhold bonuses, demote them, or take other disciplinary action to protect the organisation from this person? And ultimately if they are a repeat offender, could you potentially fire them?”
Ms Haggar concluded by encouraging everyone in an organisation to assist each other to enhance its security culture.
“Without that leadership and example setting from the top, you’re really going to struggle,” she said.
To hear more from Annie Haggar about how to protect your business’ data by rolling out an enterprise security strategy that aligns with your organisational culture, come along to the first-ever Cyber Security Summit 2023.
It will be held on Thursday 1 June 2023 at Hotel Realm in Canberra.