Continuing with our theme this year of Culture and Systems, I feel that recent (local and very public) events require more focus and attention. It is crystal clear to me that family business leaders are well aware of the relationship between business culture and risk – specifically as it relates to equality, fair treatment, anti-bullying, terms of employment, and other similar matters.
Every leader wants to ensure that their business has a solid mix of risk mitigation strategies in place. And yet over the last couple of months, we’ve seen two very large Australian companies (one in the telecommunications sector and the other in the insurance sector) fall victim to widespread cyber incidents that have impacted millions of people.
Why do these things keep happening and what can we do about it?
The news is full of stories about companies that are targeted due to inadequate security. Most of these incidents could have been avoided if employees had followed simple security standards. The stats show that around ninety percent of cyberattacks are caused by human error or behaviour. A business is more likely to be compromised when an employee loses their laptop or mobile phone, inserts a USB flash drive into their computer, or opens a mysterious email, than by a purely external criminal attack.
Let’s take a phishing email as an example. Again, the stats show that around ninety percent of cyberattacks start with a phishing email. How is it, then, that most employees believe they would know how to recognise a phishing email and would not act on the request in that email? And yet, as many as 45 percent of employees hide cybersecurity incidents rather than report them. This is the opposite of what should happen, and it mainly occurs when employees fear repercussions if they make a mistake.
According to numerous cybersecurity reports, some thirty percent of all phishing emails are opened. What’s even more damning is that 12 percent of the links are clicked!
Compounded by the pressures of COVID-19 over the past 3 years, ransomware is the fastest-growing cyberthreat to business. With nine out of 10 ransomware infections coming from some form of phishing event, investing in training about phishing emails can reduce risk significantly. Reducing inappropriate actions can make all the difference between pleasure and pain.
Does your business –
- Properly train your employees on cybersecurity practices? Many large companies spend millions of dollars on hardware and software yet neglect training. Teaching employees how to identify threats, reduce poor behaviour and follow basic security habits can be the best return on investment. Ensuring that you always make it about learning, not consequences, is crucial.
- Measure and justify the expense? Because the benefit of training is hard to measure, the expense is hard to justify, and the return on investment in employee training can be a difficult pill to swallow. It starts with you as a leader believing that by training your employees, you can reduce exposure to cyber losses. An appropriate strategy can also result in lower insurance premiums.
- Have formal policies relating to data assets? Help your people know exactly what they should and shouldn’t do in any given situation through the creation of formal policies to guide them. Some examples of policies you may need for your business include an acceptable use policy, data classification policy and an incident response policy.
- Regularly review practices? This is not a set-and-forget exercise. The approach, amongst other things, requires that innovation keep pace with the ‘bad guys’. As a leader of a family business, you must understand the importance of breach reporting and of changes to data laws and legislation, and regularly seek advice to stay vigilant in the current security landscape.
So, what does culture have to do with cybersecurity?
Unfortunately, there is no silver bullet for cybersecurity. But, by taking a holistic and premeditated approach, every business can write its own playbook. Now to be clear, I am not taking anything away from the need to invest appropriately in software and hardware. This investment should be commensurate with your business’s size, capacity and risk profile.
One of the best ways for your family business to reduce cyber risk is to build a culture of cybersecurity that is integral to your overall business culture. It must be part of your broader company culture of day-to-day actions that encourage employees to make thoughtful decisions that align with your security policies. This entails creating a mindset in your team that the risk is real and that their daily actions impact that risk. Cybersecurity culture is important as it helps protect company assets.
A cybersecurity culture is more than just cybersecurity awareness. Of course, it requires your people to be aware of the security risk, but it also requires them to know the process for avoiding that risk. And so, keeping the business safe becomes a matter of building an operating process and enforcing it. Most businesses spend years and countless resources acquiring and creating their data assets. All of that effort and energy can be undone in a matter of minutes. And if those data assets are lost, stolen or corrupted, the impact can be devastating for years to come.
A business-wide cybersecurity culture can save a lot of money, alleviate years of problems, significantly improve your family business’ reputation, and even lead to new business opportunities.