‘In Case You Missed It’ - Season 9 mashup
This season on The Security Collective podcast we have invited guests to speak specifically about how we can change the behaviours of our staff when it comes to their cybersecurity habits and actions.
This is a mashup episode where Claire wanted to cover some really important points that some of the guests made, and encourage you to go back and listen to the full episodes if you find these nuggets of gold to be incredibly interesting, and you want to hear what else these guests had to say.
Quick link to guest episode:
Transcript
Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's episode is a bit of a wrap up from season nine and brings together five of our guests that we welcomed into The Security Collective this season. It's kind of an 'In case you missed it' episode where I wanted to cover some really important points that some of the guests made, and encourage you to go back and listen to the full episodes if you find these nuggets of gold to be incredibly interesting, and you want to hear what else these guests had to say. So we're kicking this episode off with Christie Wilson who talks about the dangers of making a joke out of cybersecurity education. We then talk to Susan McLean, she covers the three R's of cyber safety. And these are the types of things that work for any demographic, from children through to executives. Erica Hardinge comes through from ANZ - she's talking about getting more and more people into cybersecurity education as an industry and as a vocation. Amy Ertan joined us from the other side of the world, she wanted to talk about insider threat during COVID, and the true impact of remote working. And then finally, Olivia Grandjean-Thompsen talks about using cyber awareness for the greater good. I really hope you enjoy this roundup episode, in case you missed these incredibly talented, really generous guests. And if you love them, please go back and listen to the full episodes. But for now, let's kick things off with Christie Wilson.
CP: I think one of the things that really interests me about awareness and behaviour change programmes in particular is that people feel that they've got to be funny or zany, or you know, they have to be cartoon like in order to be engaging. And this has been a trend, I think with information security programmes where we're trying to educate. Do you think that this is because if it's fun and zany, the FUD factor, Fear, Uncertainty and Doubt, can be taken out of the messaging? Do you think that having something this light hearted works or what's been your experience?
CW: I think you're right, I think the thinking behind it was very much making things funny or zany so that you would get buy in from people. So I found that a lot of people who don't work in the security space are intimidated by security. They're scared of this concept of cybercrime and cyber criminals. They're hearing it in the news all the time. And they've been conditioned by those bad things that they're either seeing in the news, or the stories that they're hearing from friends and family. So I think the thinking behind awareness initially was to make it fun, as a way of reducing that fear. But the danger with that approach is that the cyber influence team can then develop a reputation for being seen as the Entertainment Committee. And what I mean by that is that if you make everything jokey and funny and zany and cartoon like all the time, we can miss that serious message that we want to deliver. So I really think you've got to consider the message that you want your audience to take away. For example, one of our cyber evangelists last year shared her identity theft story with me. And I thought this would be a really great story to share with our cyber evangelists at one of our monthly meetups. There's nothing funny or light-hearted about her story. In fact, it's quite a scary story. It's her talking about her suffering identity theft about 10 years ago, when a copy of her driver's licence was photocopied in a store in Moonee Ponds where she was getting a mobile phone. She was one of about 20 people whose ID was stolen. And she talks about the ongoing impact that that is still having for her nearly a decade later. It's had all sorts of different impacts. So she's really authentic when she talks about it. And she's also really vulnerable in his storytelling, because this significantly impacted her and it continues to impact her. She presented this story at the cyber evangelist group, it got really great feedback. And she's now presented this story several times to other groups across the organisation. And each time she shares it, we get really great engagement and feedback. And employees come up to us afterwards and they talk about how they've changed their behaviour based on her story. So this is a really serious story, there's nothing jokey, there's nothing zany in it, but it's got a really important message. So I think considering your audience and considering the message that you want them to take away from the information that you're giving them, storytelling is really important and being authentic I think is the key.
CP: So I did want to ask you that question, because when you say things like respect, responsibility and reputation, those three R's are absolutely transferable to the workplace and should be the lens through which people are looking when they're making decisions. So, when you educate in schools, as opposed to when you're giving advice to corporates, are there similarities and differences or does it just came back to being age appropriate?
SM: It's age appropriate. And it's interesting, because the key message is in my presentation, the facts do not change, it does not matter who I am speaking to. The only fact that would change is when I'm speaking overseas. and I've got, you know, reference a Singapore law or law in the UK versus a law in Australia. But the facts never ever change. And what I often say to teenagers in particular, I give this same presentation to kids in America, the only thing I changed is the law. Because that obviously varies, it varies within Australia. But we need them to be thinking about that it's not something separate to them as a person, it is them as a person. The three R's are in every presentation I give, it does not matter who I'm speaking to. I presented to a whole range of trainee Catholic priests, once. Again, they got the same three R's. And again, you will take it to mean different things, it will be referenced differently depending on where you are in your life. But even like I start working with children as young as eight, they can still get it and I don't give them the three R's, we have a discussion. And they've got to tell me what those three R's might be. Or you know, we get resilience, and we get rethink, and we get a few other guesses before we get the right ones. But I've never been anywhere where children as young as eight can't give me those three words. And then we talk about what they might mean. And of course, my explanation of reputation to a grade three is going to be very different to a 40 year old corporate, but it's still relevant. And that's what we need to understand it needs to be holistic, not focused on only one thing. And the earlier you start, the better.
CP: And through that group, you must regularly meet loads of different people who are either aspiring to get into the awareness side of the industry or who are in it and working in it day to day. What are you seeing as some of their pain points that they're facing in executing on their strategies, or even just doing their jobs as security influence and awareness managers?
EH: I think there's two main things. One is around justifying the investment in education and behaviour change programmes determining how much is enough. And then relatedly, measuring the impact of that programme. But as a couple of my leaders have said particularly over recent years, comparing dollar for dollar, the impact of spend on people and education versus technology just becomes a no brainer. Education and change management programmes are just an integral part of a holistic approach to information in cybersecurity. We can't do these things without the complete picture. It needs to be about people, process and technology to really come up with better solutions. And equally measuring the success of programmes that can start really small, what behaviours can be measured right now? How can you share those results across the organisation? And then just start to see how that can evolve over time?
CP: And do you see the industry growing? Are we seeing more and more people come in to cybersecurity awareness type roles, and not only want to get into that part of the industry, but organisations creating these roles?
EH: Definitely, it's a growing industry. And we're seeing that just through the number of people interested in joining SIT as a community and learning from others and looking for those doors into these sorts of roles as well, which is just fantastic to see. And it's a real mix yet again, of people with technical backgrounds and very much people focus roles, be it marketing, change management, HR like myself. There's just so much scope for opportunity here and to look at ways to continue to simplify and make it consistent.
AE: 2020 was such a different time, there was actually not too much movement, not too many people left their jobs because they didn't know that they would get another one. And of course, you had this whole dynamic of suddenly your home environment becomes your work environment. You have to adjust your work life balance, you of course, somehow have to incorporate in the fact that you have COVID stress, you have to care for family, loved ones children's, you might have COVID There are various different disruptions, so many of which your employer might not be aware about. So not surprising, but a main theme of our research actually became the psychological contract. This agreement between the employee and the employer about what that employment is, the trust and what you expect from one another. Now, the research tells us that where you have a positive psychological contract, your employees are happier, they're more likely to comply with security policies, they can see point of things. In contrast, where you have low or a negative psychological contract, you might have more people leaving in normal circumstances, you have people that are much less engaged, so less likely to maybe actually follow every single compliance aspect. Because the trust isn't there either way, for employee to employee. And this is where it becomes really interesting around 2020 and COVID, because research on lockdowns and remote working, remote working before COVID was generally thought to be a perk, something you could opt into. So the research says, you know, it's great, you have more flexibility, you're happier you can choose to do this. That doesn't necessarily hold we know that doesn't hold. People became very stressed, they couldn't necessarily get away from work. There was a lot of uncertainty around communication, around how do you actually collaborate as a team and get things done. And when you think about cybersecurity, you had all these sort of extra challenges around opportunistic cyber criminals, a lot more phishing, a lot more spam, a lot more people trying to socially engineer employees, particularly around COVID. Although security personnel that we interviewed did highlight that the scale went up massively, but it wasn't a new threat. So in terms of new security threats, technical controls, like spam filtering, and your secure VPNs could capture a lot. The main concern that security personnel reported to us was insider threat, the idea that now people are working from home, you don't have visibility over their actions, they may deliberately or unwittingly create or enhance a vulnerability. So the idea that actually, as a security engineer or security officer in your organisation, you can't see what many of your employees are doing. That was the biggest change.
OGT: During my time at AustCyber, I guess they've been two instances of success for me. First one is the National Missing Persons Hackathon, which I have loved. And we've done that twice before. So the first event was held in 2019. It came out of this need to educate the industry or the public really, as well, a little bit more about cyber and the importance of cyber and before I've spoken about making it relatable, and so we thought, okay, how do we actually do this? And how do we do it in an innovative out of the box kind of thinking way? So we decided to partner with the Australian Federal Police and a Canadian company called Trace Labs. And what we did was we ran a hackathon. So the Federal Police supplied the profiles of 12 national missing people. So these are real people. And what Trace Labs did was they provided their platform, and we had a whole bunch of volunteers. And at first we thought, let's just do it in Canberra because that's where AustCyber is based. But we actually had a fantastic response. And we had people who wanted to participate from Sydney, Brisbane, Gold Coast, Sunshine Coast, Adelaide, Melbourne, all across Australia. And we had it roughly 360 participants come and they participated in the hackathon, which went for about eight to nine hours. And at the end of that hackathon, what we actually had were almost 4000 new leads for police on these national missing people. And they did that through open source intelligence. And so it was a fantastic way to raise awareness, we got a lot of media for that, you know, the benefit of doing something for good, for purpose was obviously much greater than that. And so we ran that for firstly in 2019, and then we decided to do it as an online event in 2020. And again, a much bigger response than in 2019. And we had more media, more volunteers, more judges, and more leads. And it's yeah, it's been a fantastic outcome. And we continue to work with the federal police in that way. But it's just one instance of thinking outside of the box to really do kind of a longer term, effective, impactful communications campaign.