With the threat landscape fundamentally changing, it’s more important than ever for businesses to educate their employees, according to Craig Columbus, Russell McVeagh chief information officer.
Columbus will cover this topic and join a number of other presenters at the NZTech Advance Security Summit, taking place next month.
He says, “In terms of the quality and quantity of attacks, the threat landscape is the worst I’ve ever seen it.
“The attacks I’m seeing now are very sophisticated - it worries and concerns me. There’s a belief among Kiwis that they won’t be targeted, that it’s only happening to other people, but this isn't the case."
In order manage risk, businesses need to start recognising the value and necessity of cyber security and data protection.
When the most common password used is still ‘123456’, security starts with education, says Columbus.
“Education is paramount. People don’t know what they don’t know,” he says.
Today businesses are targeted by very real attacks that are much harder to spot than spam emails or suspicious looking offerings.
For instance, some targeted attacks use cold calling to uncover specific information and unleash an attack on a specific business.
A call may be made to the accounting team, from what appears to be an accounting software specialist, and ask what accounting system the business runs as part of their pitch.
However, once the cyber criminals know what code the business is running, they can exploit and attack the business.
Recognising that the number of targeted attacks such as this is increasing drastically, Russell McVeagh launched a cyber security education programme this year.
The programme teaches employees about a variety of threats, including email scams, spear phishing and malware distribution. It also includes a section on social media.
All of this combines to give people general knowledge and best practices around cyber security, says Columbus.
Now, the programme is the first thing a new employee completes when they begin at the firm.
Furthermore, as the threat landscape is changing every day, with new exploits being discovered and developing constantly, all employees also attend regular sessions to ensure they are still following best practices, he says.
On top of this, internal newsletters are sent out to remind employees about what to do and what not to do, as well as highlight some of the latest threats and how to nullify them.
Columbus says the response to the programme has been positive across the board. While employees may begin the programme saying, ‘Why do we need this?’ they leave with a greater understanding of the necessity of cyber security and how to stop threats before they can do real damage, he says.
In fact, the programme has had a welcome side effect. Due to employees’ increased awareness of malicious attacks, they have started sending threat information to Columbus and the IT team.
“As a result of educating users, we get earlier alerts, are able to formulate an action plan quicker, and are building a threat database,” says Columbus.
Businesses have a reluctance to invest in programmes such as these, thinking that their employees have enough common sense, that they don’t have the time or the money, and it isn’t of great value - but none of these reasons hold up, he says.
“Common sense isn’t enough anymore. It may seem expensive or time consuming, but it’s been a good use of our resources – and when you think about the potential cost of an attack, the time and expense is worth it.
“We have to change the way we approach security. Education is key and getting your people up to speed is half the battle,” says Columbus.
Taking place November 30 in Wellington, the NZTech Advance Security Summit focuses on securing our digital future in technology, and welcomes all those interested in learning more about business security.