Retail leaders have a historical opportunity to rethink their approach to cyber education and build awareness into the culture of the business, writes Michael Warnock.
As we approach the middle of 2019, retail organisations the world over are bracing for a busy year of cyber-attacks. For many, their natural defence mechanism is to deploy new technology and create better processes. Unfortunately, what most fail to recognise is that it’s actually their people that are often the weakest link in the cyber security chain.
Let’s face it, most people only really care about cyber security when they are a victim of an attack. And by then it can be too little, too late. The good news is there are fresh options to improve cyber awareness and improve the culture of the organisation.
In the retail industry the most significant change has been the transition from bricks and mortar to digital channels, both online and mobile.
As a result, many retailers are off the mark when it comes to cyber resilience. Investments in technology and people to deal with the change – and the growing number of cyber-attacks – have been lacking.
Retail is complex and it will be surprising if we don’t see significant cyber security events this year, which is all the more reason to look at security differently.
The cultural change opportunity
There is a good opportunity for retail industry leaders to rethink their approach to cyber education and build that into the culture of the business. Cyber education is not something people should do every 12 months with a few questions, it needs to be continuously reinforced.
There are three pieces to cyber security resilience: people, process and technology. For the past 12 to 24 months there has been a big focus on processes and technology, and unfortunately people still click on things they shouldn’t.
With people still the weakest link in the cyber chain, the conversation needs to be non-technical and presented to the business at all levels.
Australian retailers are at risk, so the cultural conversation must run from individuals right up to board level, where directors can fall foul of the law under Europe’s General Data Protection Regulation (GDPR) and our Notifiable Data Breaches (NDB) scheme.
There is also the risk of personal information being exposed. The penalties land on the business owner, yet, as we have seen, it is often a contractor who slips up and causes the brand damage. In the SME market, businesses are often targeted by cyber criminals looking to use ransomware to extort money.
With many people still not believing cyber security to be a concern, there needs to be an all-in approach which can only be achieved by changing the organisation’s culture.
Raising the profile of cyber awareness
If security isn’t top of mind for most people, let’s look at a few ways to improve awareness and hence bolster resilience.
- Start by giving people an education tool, which covers good practices for passwords and phishing, and allows them to consume it at any time. And make sure they do refresher sessions on a regular basis, not just once a year. Aura has its own training tool called CyberWise, an online training module that covers the basics of cyber security as well as practical real-world examples of what common attack techniques look like.
- Complement that with visual signs such as posters around the offices to get people talking about the importance of cyber security.
- An underutilised resource for cyber education is gamification. An online gamification approach to security makes cyber more social and adds to the visual reinforcement around the office to constantly remind staff that this thing is real.
- The tried and tested workshop can also be good for communicating to senior management. But make sure you put war stories in front of them. General staff need some gamification and app-driven approach to make the experience fun, as opposed to going into a room, listening to presentations and then working out where to from there.
- This may be simple, but put cyber security on the agenda. Every senior management or board meeting should at the very least address the topic of security and what is being done to ensure the organisation, and its people, are aware of the risk.
Keeping up with the dos and don’ts
With the right tools and awareness the culture of an organisation will change, but to maintain a good standing – and keep up with evolving threats – develop a process for monitoring and managing your cyber health.
As the old saying goes, if you can’t measure it, you can’t manage it, so do some testing, such as simulating a cyber-attack, review how it was handled and make appropriate changes.
For example, by running a simulated phishing attack against users before and after the deployment of a cyber education platform you can measure the drop in the success rate of the fake scam. In my experience the top end of town understands this, but SMEs are still struggling due to a lack of budget or of general security discussions.
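One way to turn that before-and-after measurement into numbers a board can act on, as an added example that is not part of the article or of Aura’s CyberWise tool: the campaign results below are constructed sample data, and the department names are assumptions.

```python
"""Compare phishing-simulation click rates before and after awareness training."""
from collections import defaultdict
from math import sqrt
from statistics import NormalDist

# Constructed sample data (not from the article): one record per simulated
# phishing email, as (department, clicked_link). BEFORE is the baseline
# campaign; AFTER is run once the education platform has been rolled out.
BEFORE = (
    [("store", True)] * 30 + [("store", False)] * 70
    + [("head_office", True)] * 12 + [("head_office", False)] * 38
)
AFTER = (
    [("store", True)] * 12 + [("store", False)] * 88
    + [("head_office", True)] * 4 + [("head_office", False)] * 46
)


def click_rate(records):
    """Fraction of recipients who clicked the simulated phishing link."""
    return sum(1 for _, clicked in records if clicked) / len(records)


def rate_by_department(records):
    """Click rate per department, so a weak area is not hidden by the average."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for dept, was_clicked in records:
        sent[dept] += 1
        clicked[dept] += int(was_clicked)
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def drop_is_significant(before, after, alpha=0.05):
    """One-sided two-proportion z-test: is the post-training click rate
    genuinely lower, or could the drop be campaign-to-campaign noise?
    Returns (significant, z, p_value)."""
    n1, n2 = len(before), len(after)
    x1 = sum(1 for _, c in before if c)
    x2 = sum(1 for _, c in after if c)
    p1, p2, pooled = x1 / n1, x2 / n2, (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p_value = 1 - NormalDist().cdf(z)
    return p_value < alpha, round(z, 2), round(p_value, 4)


if __name__ == "__main__":
    print("before:", rate_by_department(BEFORE), "after:", rate_by_department(AFTER))
    print("significant drop:", drop_is_significant(BEFORE, AFTER))
```

Tracking the per-department figures over successive campaigns, rather than a single overall rate, is what shows whether the culture change is reaching every part of the business.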
Getting stakeholders from the business to review what’s happening in cyber and to come up with ideas for improving education and culture takes time, but making the environment “fun” has a direct effect on people’s willingness to learn.
In another good example, a large enterprise used its email newsletter to highlight the staff who had done well in cyber. Proactive rewards and recognition work, and your fresh approach should be rewarding and more “carrot than stick”.
You can measure staff participation for a learning management system and this should be done as part of an ongoing program. Also, make sure this information gets pushed out to the wider business.
It is possible to get good culture into other areas of the business, however, the owners must share success stories. Making sure the benefits are seen all across the business is imperative – there is no point having two organisational units with lax security as the bad guys can get in there too.
With new tools and a fresh approach, cyber security awareness should be easy to use, customised and deliver the ability to move education to front-and-centre of people’s working life.
Retail has an exciting future, but the adoption of new paths to consumers must be balanced with greater cyber investments and awareness programs.
By Michael Warnock, Australia Country Manager, Aura Information Security