Cyber security advice for boards in the era of hybrid working
Businesses should factor in cyber security risks when laying out a hybrid working policy.
Independent research commissioned by Aura Information Security reveals that New Zealand businesses aren't as secure as they say they are. In particular, staff adherence to sound cyber-security practices is still low despite IT training.
If this is the case, is the security information a board receives reflective of the cyber-security reality within the organisation?
The Institute of Directors caught up with Hilary Walton, Kordia's Chief Information Security Officer, to discuss the Aura research. We asked what this disconnect could mean for board oversight of cyber-security policies and processes.
Last year a number of high-profile organisations, including the NZX and the RBNZ, were hit by cyber attacks. According to the research, half of Kiwi businesses experienced between one and ten ransomware attacks, and a further 35% were subject to more than ten.
“Cybercriminals ran rampant in 2020 and it’s only getting worse. New Zealand businesses are becoming more aware of the risks, but many aren’t doing enough to protect themselves. These businesses may have gotten lucky by not being targeted yet, but with more and more attacks happening each day, it’s only a matter of time," says Walton.
One of the key issues may be the disconnect between IT staff, who live and breathe cyber security and understand the consequences of a breach, and other staff, who may be aware of the issues but have not internalised them.
Walton suggests "a good place to start is properly educating staff because it’s incredibly easy for complacency and cyber fatigue to set in. This shouldn’t just consist of a one-off cyber security lesson which is quickly forgotten, but constant reminders and check-ins to ensure best practice is being followed. Reducing human errors will significantly strengthen your cyber defence.
“It’s also important to create a culture where staff feel comfortable to come forward if they think they may have clicked a suspicious link or attachment. The sooner the IT department knows about an issue the better. Hackers are known to lie dormant once they get access to a system, waiting for the opportune time to strike to do as much damage as possible. If you’re unsure, it’s always best to let the IT team know.”
Ask management how security messages are being translated into security behaviours
Did your organisation transition to remote working practices during 2020? If so:
Is the board comfortable with the level of security investment being made by the organisation? Consider: