Australia’s cybersecurity under scrutiny: how Aussie businesses can improve
Cyber security threats have never been more real and pronounced than they are in 2024.
With tensions between major powers at an all-time high, and independent scammers popping up constantly, the threat environment facing Australian businesses has never been more volatile.
With Australia ranked fourth in the world for cybercrime density, its businesses and individuals are among the most heavily targeted in the world.
Building security culture
Any major consulting firm will likely give the same advice about the first step to improving cyber security - build a culture that takes security seriously.
For many companies and those leading them, cyber security and the expenses it necessitates are no more than line items on a budget they’re trying to keep as trim as possible.
If you want to wind up as a statistic cited on cyber.gov.au, that’s the way! Otherwise, developing a company culture that treats its digital assets and everything they represent with respect starts at the top.
Leaders need to stop asking, "How little can I spend on cybersecurity?" and start asking, "How can I most effectively reduce my chances of falling victim to a vulnerability I haven't yet seen?"
This mentality comes with caveats. As with any KPI or business priority, it’s very much possible to over-focus on one thing and wind up giving yourself a good kicking.
There’s nothing employees dislike more than being forced to attend weekly seminars about something they don’t understand and can’t control. They leave feeling they’ve wasted their time, and that everything will return to normal if they just tick the boxes and keep their heads down until next month.
That’s not how real change is made and embraced.
If you want to build the right culture, the first step is to get people in the door who know what they’re doing.
Competent IT professionals
As a leader, IT is your responsibility, but it isn’t your job. Hiring probably is, though, and there are qualifications you can look for beyond a computer science degree that will tell you whether your IT department has the credentials to address security risks in a targeted, competent manner.
The first is an advanced degree. Candidates with a high-level qualification such as the ECU Master of Cyber Security should be a no-brainer.
Candidates with these qualifications will be extremely well-versed in information technology systems, their potential vulnerabilities, and how to manage them.
Degrees in information security are also desirable. Information security degrees tend to have a broader scope, covering topics like social engineering, risk management, and the legal and ethical aspects of information security, but their graduates will also have in-depth domain-specific knowledge of information systems and technology.
Advanced degrees aren’t the only option, though. For a small or medium-sized business, hiring people with these advanced degrees might be cost prohibitive, or even unnecessary.
Popular certifications can give a smaller business enough in-house knowledge to ensure that best practices are followed, without obsessing over details that are more relevant to a larger business with more complex needs or a higher risk profile.
Dedicated personnel with in-depth domain knowledge can help leadership understand the IT vulnerabilities and needs of the business.
They should also be consulted when developing new policies related to cybersecurity. These employees can be a major asset in getting the rest of the ship to steer in the right direction - remember, every employee needs an understanding and appreciation of cybersecurity in order to have a safe and comprehensive approach as a company.
Secure infrastructure
The first job for any cyber security professional should be ensuring that the IT systems that the business depends on are secure, reliable, and up to date.
Any system administrator worth their salt will know when a server needs to be patched, updated, or replaced.
As a leader, it’s important to walk the walk every day by listening to those you’ve hired to help you understand your threat environment, and to take their advice seriously.
That probably sounds easier than it is. IT systems can be some of the most expensive and disruptive parts of your business to upgrade and maintain.
When the computers your employees use every day receive a vital security update, it might feel like a burden to lose an hour of work to blue screens, progress bars, and eternally spinning wheels.
Most updates can be done after hours, and replacing servers, switches, routers, and cables is usually best left until the office is clear.
But sometimes the need to perform maintenance will be urgent, and it should be treated just as seriously as any profit-earning part of the business.
After all, deferring it can cost far more than the downtime: a breach through a known, unpatched flaw is a direct hit to profit.
Training for all
Having quality IT personnel maintaining your systems and ensuring that they are configured and managed properly is a great step in the right direction.
But the reality is that any employee with access to sensitive information, or to the systems that hold it, is a potential point of entry for an attacker.
For that reason, it’s vital that all employees understand the importance of information security and receive training from those who have the expertise to keep company systems secure.
As many as 90 per cent of blocked threats involve some form of social engineering, whether a scammy phishing email blasted out to an ill-gotten mailing list or a carefully planned pretext aimed at one vulnerable employee. Most cyber threats begin with a careless mistake or a clever social ploy rather than a purely technical intrusion.
Every employee who so much as shares a Wi-Fi network with someone who works with sensitive data is a potential point of entry, because a compromised device on that network gives an attacker a foothold to move from. That means everyone needs training.
Learning isn’t enough, though - the business as a whole needs to embrace good habits and practice them every day.
That begins and ends with managers, directors, and executives - the people who set the tone and create the culture - and applies to every person in the business.
No matter how qualified your IT staff are, or how expensive your company network is, it’s all for nothing if all of the pieces don’t come together and work as a functional whole.