Public-sector organisations hold millions of private records, from financial information to medical records. Whether it’s a hospital, local council or government agency, robust data security is vital for these vulnerable organisations.
The problem is that cybercrime is now mainstream. No longer the domain of disaffected geeks trying to impress each other with their hacking prowess, today cybercrime involves organised crime. In particular, criminals have been targeting patient records to lodge false health-insurance claims. Someone’s medical identity can be bought on the internet for just over $1000.
When Telstra released its Cyber Security Report late last year, it showed that 41 per cent of organisations surveyed had experienced a major cyber-security incident in the past three years, and only 43 per cent of organisations considered themselves well prepared to respond to a cyber-incident.
Security: A job that’s never done
Even for organisations following best practice, cyber safety and security is a journey not a destination, with IT departments regularly reviewing external risk factors and adjusting their policies.
While some companies run regular exercises to simulate a security breach and test the response, few organisations test their controls and systems by engaging ‘white hat’ hackers.
So what can large organisations in the public sector do to ensure their cyber safety and protect their data? While it’s important not to be complacent, the hardware and software that organisations use, such as firewalls and antivirus systems, are typically good quality and up to date. Similarly, patches for operating systems and applications are usually up to date, although there can be a time lag as IT tests a patch before rolling it out across the business.
People: The weakest link
The real root of most security risks is the organisation’s people. Employee-purchased smartphones, tablets and notebook PCs are all vulnerable entry points. Hackers are constantly trying to persuade people to click on links that open malicious attachments or take them to websites with malicious code.
Indeed, the Telstra report found that 45 per cent of internet security incidents were the result of staff clicking on malicious attachments or links within emails.
Given that the workforce has been living with viruses and malware since the late 1990s, it’s surprising that users haven’t got it by now. James Turner, IBRS IT security industry analyst, believes that organisations aren’t taking the human factor seriously. Turner argues that security-awareness campaigns have to be a sustained attempt at behaviour modification, to the point where it permeates the organisation and becomes part of “the way we do things around here”.
Leadership is key
This is not necessarily an easy thing to do. Nevertheless, organisational leadership, from line managers to the C-suite, needs to be involved. Turner argues that executives need to accept and commit to changes in their own behaviour and lead by example.
Measurable outcomes
Another key element of a successful security-awareness campaign, Turner says, is to be clear on the desired outcome, setting measurable monthly, quarterly and yearly targets. “Some of these areas include the number of malware outbreaks, the number of calls to the helpdesk reporting phishing attempts (an increase is good as it shows awareness) and a reduction in users sharing credentials.”
Staff engagement
However, Turner believes that all of these measures are meaningless if staff engagement is low. “Before running a security-awareness campaign, IT needs to collaborate with the HR department and understand what the engagement level of staff is within the organisation. Because if engagement is low, you need to fix that before you can tackle security awareness.”