Cultural change urgently needed in defence against cybercrime attacks
Spending millions of dollars and having IT specialists work around the clock to defend against the wave of cyber-attacks
currently engulfing New Zealand will remain a losing battle until organisations invest in changing staff culture.
Daniel Watson, SMB cybersecurity expert and author of the book 'She'll Be Right (Not!)', a cybersecurity guide for Kiwi
business owners, said that the recent spate of cyber-attacks on New Zealand organisations emphasises the urgency of
addressing cultural change.
"Staff are the last line of defence. They click on what they click on, and as a result, they can quickly fall prey to
tactics like password harvesting – for example, fake Dropbox accounts designed to collect your login details.
"People also tend to use the same or similar passwords. This allows hackers who have 'harvested' just one password to
breach the defences of an organisation."
Watson said that it isn't unusual for staff members who have inadvertently clicked on a malicious link to say nothing
for fear of getting into trouble.
"That's a cultural issue. Staff afraid of getting into trouble put the business at risk because they don't report
mistakes, and it can take days or weeks before the breach is discovered – this is a cultural issue. You want to
encourage staff to step up rather than be afraid of admitting mistakes."
Watson said sextortion, phishing and credential harvesting are scams that staff typically get tripped up by, and one of
the biggest obstacles to reporting an issue is shame or embarrassment.
"Once somebody has login details, they can re-direct invoices and change supply arrangements. It just takes one small
slip-up that somebody is too afraid to admit to, and the cybercriminals are in."
There are three important aspects to changing the culture of a business to one that is cyber vigilant:

1. Top-down change
Watson said culture change starts at the top. Senior management needs to lead by example and make clear that
cybersecurity is an organisation-wide issue – not just something for IT to worry about.
"Implement a set of security policies from the top down. For example, any financial transactions or marketing invoices
must be approved by management or change of account details to require two-factor authentication."

2. Make cybersecurity an operational issue
Watson said embedding cybersecurity into a company's operations is crucial and should include awareness training and how
to recognise a scam.
"Put in place an incident response plan – much like a health and safety plan, where if you see a hazard, you report it.
If management responds negatively by ignoring the report, browbeating or ridiculing staff, they will likely hide things
under the carpet and hope the boss won't notice."

3. Rapid response
"Create a culture of rapid response. The sooner staff notify IT, the quicker the experts can get in there and mitigate
the damage," Watson said.
For more information, visit: https://www.linkedin.com/in/daniel-watson-cybersecurity/