There have been 6 highly publicised data breaches impacting Australians in the past 4 weeks. It’s obvious that the resulting reputational damage for the relevant brands will be hard to recover from.
Many questions are being asked about why organisations are behind where they need to be with the management of information security risk. So, what is the answer to that and why isn’t more being done?
Firstly, there are a range of reasons, including the fact that Australia has not had the required policy and legislation (see, for example, the Privacy Act reforms that have been coming for years…).
In addition, our experience shows it’s because understanding risk necessarily comes before doing something about it.
Now this sounds obvious, but let’s be honest: some senior leaders can remember a time when we didn’t have the internet, well, not in the broader business community… I can remember 10-12 inch discs myself, so this is not intended to be ageist in any way.
The tech sector has grown faster than governments and educators could keep up with. Formal business qualifications did not include much about technology use until some time after most of us had first experienced the internet. If workplace training was offered at all, particularly at that time, it was usually just for the use of a single software program, e.g. Word.
There continues to be a lack of understanding of the way ICT networks and technical devices connect and operate, and therefore of the associated risks that exist in our organisations.
In addition, cyber/information security itself is still a “relatively” new space. Although there are now many people in ICT departments who understand security risks, those people are often not heard at the senior leadership level, let alone in the Boardroom.
Consumer technology, more so than organisational technology, has driven all of us to much greater use very quickly. But many people still have almost no understanding of the risks associated with the technology and the devices they use every day.
How your organisation can start to address the risks in a short time, and at a low cost
Become informed. It really is that simple. Educate your leadership team or Board with a face-to-face small group session on information security.
This is the part that’s not hard. All you need to do is get your team to the session. We’ll engage, present, tell stories and answer questions. We get fantastic feedback, people really do enjoy attending.
What happens after you understand the risks, and why your support is needed
There are also organisational challenges to addressing information security risks effectively. They include the following:
- There can be cultural barriers – e.g. your organisation has a low level of maturity in technology use, which creates a barrier to engaging in discussion
- The risks need to be dealt with organisation-wide – that is, across departments dealing with risk, governance, privacy, HR, ICT and others
- Changing user behaviour is hard – it sure is, and virtually impossible unless people understand why they need to change behaviours, and are therefore motivated to do so
- Ongoing support is required from senior leaders – running an educational program once, and expecting people to learn something new and change a behaviour just doesn’t work.
- Demonstration of good information security habits needs to be from the top down – your organisation will need up-to-date practical policies and procedures and the supporting education.
So, why not get started with the first step and become more informed…?
Contact us on 1300 264 946 to discuss the ways we can help your leadership team to understand information security risk. With that information, you can then plan your next steps.