Teaching better cybersecurity habits to mentally overstimulated staff can be difficult when their average attention span is just over 8 seconds – but two Australia Post staff engagement specialists have learned that diversity and regular engagement can counteract the brain fuzz that drives many staff to make the same mistakes over and over.
That company enjoyed great success in building a cybersecurity culture when it was designing the Digital iD portable identity service that it launched earlier this year, head of cyber security business services Susie Jones told the audience at the recent Cyber in Business conference in Melbourne.
By partnering cybersecurity professionals with business and software development professionals throughout the project’s evolution, “we found that we got the product to market faster, and produced a far superior product than we had ever set out to provide,” Jones said.
Many cybersecurity initiatives failed to integrate enough perspectives on the issue, limiting the efficacy of educational efforts and limiting their scope to narrow operational silos.
“If you want to accelerate change in the culture of your business, look more broadly throughout your team, and see who else might be awesome to add to the team,” she said. “When we run training we have all the different people in the enterprise that wouldn’t naturally talk to each other about these things. It’s all about diversity in the people you involve in your cybersecurity work.”
That diversity can help overcome the challenges caused by chronic information overload that, one widely-cited Microsoft study found, has reduced the average person’s attention span from 12 seconds in 2000 to just over 8 seconds now.
That study has been questioned by some who argue that attention is highly task-dependent and averages are meaningless – but for Australia Post information security awareness and education manager Ivana Kvesic, its implications have shaped the organisation’s outreach on cybersecurity and other critical issues.
“We can put [messages] out there but we don’t know whether people are actually paying attention,” Kvesic explained. “And why would they not pay attention? It’s because they don’t know they need to care. People will not care unless they know why they need to change.”
Applying a “truly multi-faceted approach” had paid strong dividends within Australia post, with engagement of people in groups adding human elements around interaction, story-telling, and even calls to action.
That said, she noted, driving change can be a difficult task given that many organisations are wrestling with “decades of really bad habits”.
“In looking at how we reach out to [staff] and get short, sharp communications to them, it’s through awareness,” she continued. “Short, sharp functions grab people and tell them when they need to care.”
Despite ongoing efforts by most companies to improve cybersecurity hygiene, many employees continued to tune out, Jones said: “people think they need to be a CEO to be a target of social engineering,” she explained.
“We need to change the perception of cybersecurity in business. Because it’s no longer an IT problem; it is everyone’s responsibility to keep our data safe. And unless they understand why a phishing scam reaches their computer, or how it got through the firewall and our controls – they need to understand this to be able to put into practice the skills to proactively protect themselves.”
Australia Post’s employee-education program has “been working quite well” by drawing on commonly-used principles of change management – including leading with culture, starting at the top, involving every layer, making the rational and emotional case together, acting the way into new thinking, engagement, leading outside the lines, leveraging formal solutions, leveraging information solutions, and assessing and adapting.
Efforts such as an internal cybersecurity summit – complete with stalls set up at Australia Post’s offices and examples of real-life scenarios where social engineering can happen – had proven to deliver strong engagement with managers that would then pick up the ball and run with it, pushing awareness down through their reporting lines.
Other successful techniques had included educating and empowering employees; giving business context to the cybersecurity messages being conveyed; training someone in their role; and getting involved with government and industry-run cybersecurity initiatives.
Australia Post has, for one, been promoting engagement with the Security Influence & Trust (SIT) Group, which this month launched a new website as a centre of gravity for its efforts to improve overall awareness and improvement of cybersecurity posture.
Such peer engagement supports efforts to contextualise cybersecurity training, and highlights the ongoing importance of trying broad-based approaches to user education as cybersecurity threats continue.
“These are new skills that people need to learn,” Kvesic said. “There are so many layers, so many facets and so many different skills that we need to learn to improve our posture as an organisation and as individuals. We need to invest in our people – because, trust me, it will cost you a lot less to invest and be proactive as opposed to recovering from an incident.”