When it comes to cyber security, are you: 1. Freaked Out 2. Empowered or 3. Waiting?
Written by Mike Ouwerkerk, Cyber Security Expert, Training Team
Free cyber security fundamentals training is available to all Queensland councils through the Telstra and Local Buy partnership in conjunction with Peak Services. Book your free training
I love my job. I get to talk to people, share my knowledge, answer great questions, and hear amazing stories from people about cyber scams they’ve encountered. Sometimes the stories are about how they’ve spotted a scam and avoided catastrophe, and other times they’re not so fortunate, but hey at least it’s a learning process.
I got into cyber security awareness training from IT consulting. My clients were getting hacked, and it was obvious to me that this was largely because of their staff behaviour. I put together some content, started offering the training, and it made a massive difference. Frankly, the content I had was pretty raw at that stage - not well structured, not good to look at, and yet it made a massive difference. Why? Because I had their attention in a live session, they were focusing on what I said, the knowledge was incredibly useful for them, and they could ask questions and engage in the session!
After years in the field, the content and delivery are pretty polished and I typically have two types of results in how people feel post training:
- Oh boy, what have I been doing!? (Freaked out)
- Wow, some awesome tips in there, that’s really good to know! (Empowered)
Frankly, I’m happy with either outcome, because it drives suspicion, and ultimately that’s what cyber security awareness training is about. You don’t have to know everything, but if you’re at least suspicious you’ll stop and think before you act, and ask for help when needed. That’s most of the battle won against the cyber criminals! And from there, you continue to build your knowledge and become a massive cyber security asset.
I wish I could share my knowledge with everyone, but unfortunately, people don’t know what they don’t know, and that means they’re sitting ducks for cyber criminals, at home and in the office.
Here’s one (yes there are many) example of what people often don’t know - how to handle URLs. What’s a URL? It’s a link to some content on a website. We get links all over the place - emails, website menus and links, buttons. And yet people don’t often understand some basics like:
- How to read a link to extract the domain name (there’s actually a proper method for this).
- Why you need to hover, and how to hover on a mobile phone.
- How short URLs (including QR codes) are used by criminals, and how to unshorten them.
- Why unsubscribe links can be dangerous.
Cyber criminals love to use links to trick people into going to a malicious website. From there, 1 click and you can potentially be hacked. That’s an unfortunate fact, and there are a heck of a lot of people not dealing with URLs appropriately, so the risk is massive. And that’s just one area of cyber security awareness!
The sad reality is that cyber criminals know that there are massive knowledge gaps, so people are heavily targeted. For a long time now it’s been easier to trick people than it is to hack systems. The Queensland Audit Office (QAO) knows this. It’s why they recommended that councils implement mandatory awareness training for all staff (as per the Local Government Report 2021). It’s literally one of the most cost-effective methods of reducing cyber risk, given how heavily staff are targeted!
Why are breaches so damaging? Well, for one thing, the global average time to discover and contain a breach is 287 days [2]. In that time, the criminals have spread to other systems, potentially taken a lot of information, and done a lot of damage. Fixing that costs a lot, and staff not being able to work while it’s being fixed costs a lot more! Then the breach has to be reported to the OAIC (Office of the Australian Information Commissioner), and reputation damage follows when you have to tell people you lost their data. The average cost of a data breach in Australia for 2022 sits at $3.35 million. That’s just the average though. More people, more systems, more data – it can easily stretch into the hundreds of millions!
Managing cyber security risk effectively is also extremely important in helping councils achieve liability coverage with many insurance providers. Due to the increasing number and cost of breaches, many insurance providers now request detailed information on cyber security risk management activities, including awareness training activities.
10 years ago we used to talk about data breaches like it might happen. Now it's not a matter of “if” you get breached, but “when”, “how bad”, and “how often”. Everyone is a target, and while people may not realise it, they are at the front line of the battle, largely unarmed with the knowledge to defend themselves.
I always think it’s better to be empowered with knowledge than freaked out with knowledge, but it’s also better to be freaked out with knowledge than not having the knowledge and waiting for the inevitable!
Contact our Training Team to book your free Cyber Security Training (for QLD Councils and their officers), funded by the LGAQ and Local Buy Industry Development Fund. Email training@wearepeak.com.au
[1] QAO Local Government Report 15: 21/22 www.qao.qld.gov.au/sites/default/files/2022-05/Local%20government%202021%20%28Report%2015%E2%80%932021%E2%80%9322%29.pdf