There's a disconnect between cyber-security reporting and behaviour—and that is a concern for boards

Independent research commissioned by Aura Information Security reveals that New Zealand businesses aren't as secure as they say they are. In particular, staff adherence to sound cyber-security practices is still low despite IT training.

If this is the case, is the security information a board receives reflective of the cyber-security reality within the organisation?

The Institute of Directors caught up with Hilary Walton, Kordia's Chief Information Security Officer, to discuss the Aura research. We asked what this disconnect could mean for board oversight of cyber-security policies and processes.

What the research revealed

• 62 percent of New Zealand businesses say they carry out security training exercises with their staff, but only 37 percent of Kiwis say they have received training on good cyber security practices. 
• 65 percent of IT decision makers encourage employees to use a password manager but almost one in three employees used the same passwords on computers, websites and applications and use the same passwords on work and personal accounts or devices.
• Almost a third of New Zealanders don’t update their work computer or smartphone as soon as software updates become available. Delays in updating software can lead to significant vulnerabilities which hackers can exploit, says Walton. 
• Only 20 percent of New Zealanders check email links to ensure they’re legitimate.
• 15 percent of parents let their children use their work devices when working from home.

Cyber-security needs to be addressed now

Last year, we saw a number of high profile organisations impacted by cyber attacks including the NZX and RBNZ. In fact, half of Kiwi businesses were affected by between one and ten ransomware attacks and a staggering 35% were subject to more than 10 attacks according to the research.

“Cybercriminals ran rampant in 2020 and it’s only getting worse. New Zealand businesses are becoming more aware of the risks, but many aren’t doing enough to protect themselves. These businesses may have gotten lucky by not being targeted yet, but with more and more attacks happening each day, it’s only a matter of time," says Walton.

From cyber-security messaging to cyber-security behaviour

One of the key issues may be the disconnect between IT staff, who live and breathe cyber-security and understand the consequences, and other staff in an organisation who may be aware of the issues but just aren't internalising them. 

Walton suggests "a good place to start is properly educating staff because it’s incredibly easy for complacency and cyber fatigue to set in. This shouldn’t just consist of a one-off cyber security lesson which is quickly forgotten, but constant reminders and check-ins to ensure best practice is being followed. Reducing human errors will significantly strengthen your cyber defence.

“It’s also important to create a culture where staff feel comfortable to come forward if they think they may have clicked the suspicious link or attachment. The sooner the IT department knows about an issue the better. Hackers are known to lie dormant once they get access to a system, waiting for the opportune time to strike to do as much damage as possible. If you’re unsure, it’s always best to let the IT team know.” 

Tips for the board

Ask management how security messages are being translated into security behaviours

• Are there chances for employees not just to hear about cyber-security but actually to do? eg gamification of security training.
• What are the different channels used to deliver key messages and training? Are these the ones staff feel comfortable using?
• Has the organisation used a security culture questionnaire to understand the perceptions of employees to security.
• What is the frequency and clarity of security communications across the organisation. 

Did your organisation transition to remote working practices during 2020? If so:

• check whether the interim digital systems' implementations are now permanent. Are they fit for purpose?
• what kind of visibility and protection does the organisation have for home work set-ups, especially when home networks are being used?

Is the board comfortable with the level of security investment being made by the organisation? Consider:

• is the security strategy being delivered year on year, ie is your level of security improvement work being met?
• is the organisation able to mitigate security risks and what does the backlog of security work look like? If the backlog presents a risk, your investment may not be adequate.
• implementing a security maturity assessment to identify gaps and determine where the organisation should invest.

Tips for management

• Run a password manager workshop to show your team how easy it is to use unique passwords across applications.
• Chances are you started using work collaboration tools a whole lot more during lockdown. Make good use of these by communicating your organisation’s key security messages on a regular basis. Simple ‘tip of the day’ type messages can work well.
• Teach your team how to easily update smartphone apps in one hit. This is important because all apps encounter vulnerabilities, such as the one WhatsApp announced earlier this year which was exploited by remote attackers.
• Explain how to spot ‘phishy’ emails. Run a mini workshop or make use of the many great resources available online, eg Kordia’s CyberWise module.