Companies that foster a proactive health and safety (H&S) culture benefit from optimal safety performance. Australia’s mining and aviation industries, for example, are globally recognised for maintaining impeccable H&S standards, due to the large-scale investment of resources, time and effort. When considering the requirements of organisational H&S – integrated systems, standardised practices, compliance, and governance as well as specialist resources – we can start to see a similarity between H&S and cyber security. The only difference? There’s no legislative requirement driving the implementation of cyber security within organisations.
Organisational Health and Safety: An Analogy for Cyber Security
A successful H&S program requires specialist resources to establish the right systems, tools, technologies, and practices to support a safe workplace and empower staff to reduce and eliminate hazards and risks. H&S champions understand the nuances of specific workplaces and conduct hazard and risk assessments to identify any gaps or areas for improvement. They provide training and education to develop strong safety awareness across their workforce. Senior H&S leaders also coordinate emergency responses when a major incident occurs, ensuring proper procedures are followed to protect employees and the organisation from further harm.
Now think about this through the lens of cyber security. Systems, tools, and technologies take the form of event detection and monitoring, endpoint protection, malware analysis, and reporting. A cyber-aware culture is fostered through security awareness training and education. Governance and compliance are achieved through penetration tests and vulnerability assessments, and through the application of and adherence to best-practice standards such as the ASD Essential 8 and NIST’s Cyber Security Framework. Then, when a major cyber security attack occurs, cyber incident response and triage specialists rapidly contain the danger, eliminate the threat and conduct forensic investigation and analysis to prevent recurrence.
The Case for Mandatory Security Awareness
In the absence of a legislative backbone, some view security awareness as a compliance goal, where the aim is to tick a box on an annual audit and nothing more. The approach often involves a short online course for employees to complete once a year to meet the minimum requirements of standards such as ISO 27001. But is this enough?
The costs of H&S claims brought against Australian organisations in 2017 totalled around $61.8 billion. In comparison, a Microsoft cybercrime report published in 2018 suggested the direct economic loss from cyber security incidents to Australian businesses was $29 billion. Furthermore, the impact of a cyberattack can be higher than these direct costs, since they do not include intangible long-term effects on organisations and workers. Indirect OHS costs relate to damaged reputations, loss of management trust and a loss in overall productivity. Cybercrime causes similar issues, as individuals affected by identity theft suffer longer-term mental health issues, such as anxiety and depression. One example was the security breach suffered by the US government’s Office of Personnel Management (OPM), which resulted in more than 21.5 million government workers’ personnel records being stolen by cybercriminals. Those records contained personal information such as health records, contact details, all their identity documents (passports, social security numbers, tax returns) and even physical identifiers, such as fingerprints. This mega-breach resulted in significant anxiety and concern across the whole of the US government. It is seen by many as a total catastrophe at both the individual level and the whole-of-government level, since most of these workers will remain government employees for the rest of their careers and will continue to be targets for ID theft and espionage for that time.
Another factor to consider is that many organisations don’t publicise cyberattacks because they don’t have to. Even with the new Australian breach reporting laws and an increase in the volume of reported breaches, many hacks, denial of service attacks and ransomware infections go unreported. The Office of the Australian Information Commissioner (OAIC) isn’t particularly interested in denial of service attacks, since the legislation only seeks to protect the public from personal information exposures. As a result, the figure of $29 billion could be considered conservative relative to the true financial cost that cyber incidents can have.
Security Awareness – Whose Job Is It Anyway?
A question often asked of H&S, and equally relevant to cyber, is “Whose responsibility is it to foster a safety culture?” Is it the specialist team (H&S or Cyber Security)? Is it HR because it’s focused on people? Or is it the learning and development team because it’s about training and education?
In the case of cyber security, it’s everyone’s responsibility to promote and participate in cyber safety culture built upon a solid foundation of security awareness. Boards, executives, and senior leaders should invest the right amount of time, effort and resources into maintaining a strong security posture that protects their organisation from potential threats and risks. Connecting cyber security with H&S can also be beneficial in adopting a more holistic approach to complete organisational safety and may allow companies to leverage existing skills, capabilities and infrastructure to support security awareness training and education.
Ultimately, security awareness isn’t something you need a cyber security expert for. By focusing on quality, industry-endorsed content, dedicated leadership, and the in-house capability to measure how risk changes across the business, you have the right mechanisms to build a cyber safe culture. However, specialist cyber security knowledge and expertise can help fill in the gaps and complement your in-house capabilities with a small amount of investment. PROTECT+ can design a custom security awareness program tailored to your business needs, which fits within your organisation’s existing H&S solution. We have the content and the systems; all you need is the desire to effect positive change across your business.
We’re here to help. To learn more about PROTECT+ Security Awareness, please get in touch.