Interview: Mindshift - the Kiwi firm putting the 'people' back in cybersecurity
There’s a well-known ‘holy trinity’ of security: people, process, and technology. Ask any CSO or CIO, or even just a business owner, and they will likely say they have the solutions and security practices in place to keep their business protected. But do those measures take the right approach to educating every organisation's front line: its employees?
We spoke to Mindshift director Melonie Cole to find out more about why cyber awareness and talking to employees should be front of mind for every business.
Mindshift, launched in 2018, works with businesses to help them educate their people about cyber risk.
Cyber risk enters a business in different ways. When employees are working online and handling information, the risk depends as much on what people do as on what they don't do.
“Often people are the last thing to be considered when it comes to change and the way people work - whether it’s in terms of new technologies, or workplace changes like working from home. This has a major life impact and it affects how they feel about information security,” says Cole.
“If you don't give people the information they need to make good decisions online, you can’t hold them accountable for the mistakes they make.”
The key to helping employees make good decisions can be as simple as changing the tone of the message. For example, organisations may have rules that prevent downloading of files to USB drives. They might communicate this policy in a list of things employees shouldn’t do. This, says Cole, is a negative way to start awareness conversations.
Instead, organisations should put the ‘why’ first, by explaining how employees need to protect their information, their employer’s information, and their customer information.
“For example, you can explain to staff that if they put sensitive information on a USB drive and lost it on the way home, that’s going to have a major impact on their information, their employer's information, and their customers' information. Data breaches can happen that way.”
“One little thing someone has learned and then put into practice could make a huge difference in their lives. Cyber awareness complements technical solutions, tools and products to protect their businesses.”
Mindshift also starts its awareness work by looking at the key risk areas created by people’s behaviour. Cole points to phishing as the most common attack vector, but says it is only the tip of the security iceberg.
Cole and her team reinforce key security messages through a variety of channels, often using existing online security training as a start point. This is all with the goal of creating better online security habits.
She notes that tips and advice about working from home have been particularly critical this year. Many businesses have adopted a hybrid working model where staff are in the office and at home. The home environment may not have the quality of connection and quality of security that people take for granted at the office.
Cole explains, “That could be things like leaving your desktop open when you step out, or having private work conversations when your flatmates are around, or just leaving your documents lying around where people could, even accidentally, see confidential information.”
“It’s a bit like leaving your house unlocked when you go out, leaving the windows open and leaving all your devices just sitting around.”
People are easily distracted at home and may not be fully focussed on work. Slowing down, and choosing the right moment to send an email, for example, goes a long way towards forming good security habits at home.
Other security habits could include:
- Encouraging people to lock screens when they step away
- Making sure that confidential information isn't seen by others
- Using work-issued laptops for work use only
“Small things can make a huge difference, so I encourage businesses to make the most of this opportunity to help their people develop security habits which will eventually become normal,” says Cole.
As New Zealand moves in and out of different alert levels, people may be better prepared to adjust to working-from-home life.
Cole believes people may also be more accepting of the extra steps needed to connect to work and reach their documents, such as a few extra layers of security, because those ways of working should feel pretty normal by now.
“Keeping security guidance simple, relevant, and memorable is the key. A 20-page ‘working remotely’ guide will certainly be more interesting if it’s a video or something visually exciting,” she says.
“When businesses share security advice with their staff that can be easily applied to home and shared with friends and family, it’s a double whammy! People are much more likely to remember and put into practice things like keeping backgrounds free of private information when on video calls when they’re applicable to their lives outside of work.”
“There may be an assumption it’s easier for people to work from home because they’re used to it - that may be true - but the new risk may be complacency,” says Cole.
“There’s an opportunity for regular contact with your employees to ensure they’re working securely and understand why this is so important.”
There are plenty of resources available for businesses and their employees.
CERT NZ is a good starting point for security guidance and for reporting cybersecurity incidents.