- David Halfpenny, thank you for joining Eftsure in Conversation. For those who don’t know, you really are one of the pioneers when it comes to cyber security education in Australia. What was the journey that led you to leading the Cyber Capability, Education & Training function at CyberCX, Australia’s largest cyber security firm?
My background is in academia. For over 25 years I was an academic in a number of STEM areas at various universities around Sydney.
During this time I was headhunted by TAFE NSW, who were in the process of beginning to offer degree programs. Whilst there were a range of Master’s degrees focused on cyber security, TAFE NSW was proposing to run the first dedicated undergraduate qualification.
So, I took up the challenge and helped develop the first Bachelor program in cyber security in the country.
Of course, now many universities are offering such degrees – which is great because we need skilled professionals!
- As Practice Leader/Principal Consultant – Cyber Capability, Education & Training at CyberCX, what is the nature of your current role?
At CyberCX, we have a really unique practice called Cyber Capability, Education and Training.
It’s something that doesn’t exist within any other cyber security companies in Australia.
We help organisations uplift the cyber security capabilities of their staff with customised education and training. We do this in a fairly unique way. Rather than hiring a lot of dedicated cyber security experts, we focus on hiring people with expertise in other areas, such as business analysts, game designers, or compliance experts.
The key thing is that all our people are very good at communicating complex ideas to a very diverse audience.
- What are some of the strategies organisations should implement to uplift the cyber capabilities of their staff?
All too often, organisations buy off-the-shelf training solutions. But after delivering them to their staff, they discover they are not particularly effective in terms of raising long-term cyber awareness.
It is essential that organisations start with a strategy.
This is where understanding education theory is useful. If you want people to learn new skills, and then apply those learnings in the workplace, you need to ensure the education they’re getting is not scary, that staff feel empowered and capable. It’s essential that staff want to engage with it.
That’s a big challenge when it comes to cyber security education for a number of reasons.
Firstly, there’s a technical component to cyber security which is often hard for non-technical people to get their heads around, particularly for older people in the workforce. They will often put up mental roadblocks and say: “That’s technology – I can’t do that,” and won’t engage with the learnings.
Secondly, there are many people who are resistant to cyber security because they see it as limiting their usage of technology. They want to be able to use technology without having to constantly think about the security implications of everything they do.
Finally, there’s also the challenge of cyber threats usually being presented as big, bad and scary. The typical image of a guy in a hoodie trying to hack you so he can steal all of your money and confidential information. It makes people feel like there’s nothing they can do about the threat. Fortunately, we are beginning to move away from that characterisation now.
The key is that training needs to convince staff that they are able to protect themselves and the organisation from cyber threats.
- Many cyber criminals are financially motivated. This puts accounting and finance staff on the front line when it comes to protecting their organisation. How can accounting and finance executives ensure their teams understand the threats and have the skills to limit the risks?
They need to understand the who, the why and the how.
As you said, these are often financially motivated cyber-attacks. The people behind these attacks are organised criminal gangs. They are very good at what they do, and run their operations as a business.
Staff need to understand that just as malaria uses a mosquito to infect a host, cyber-criminals often use email as a vehicle to infect an organisation’s network. But it requires people to trigger the attack by clicking dangerous links in malicious emails.
When it comes to understanding how these attacks take place, it’s important to use lots of examples. For example, focus on what phishing emails look like. Most people would now have the ability to avoid obvious phishing emails; however, many people have never seen a really sophisticated spearphishing email.
Spearphishing is when an attacker has done their homework and they’ve crafted an email directed specifically to you or your organisation. It will look like it comes from a legitimate source, possibly even someone within the organisation. Many times they will not ask the recipient to do anything unusual that will raise suspicions, such as asking you to buy gift cards. It may simply ask you to open a PDF file and pay an invoice in which the bank details belong to the attacker’s bank account.
Spearphishing emails can be really hard to spot.
When I’m conducting security awareness training, the approach I take is to show people how I would hack into them if I was a cyber-criminal.
Once people see the types of tricks that attackers use, they wake up and start to ask questions about what they can do to stop them.
- And of course there needs to be an ongoing cadence when it comes to cyber security training?
Email is a big attack vector. Staff need constant training.
It’s important that staff don’t feel they are trying to be tricked. They should know they are going to be tested, and that testing needs to be pitched at multiple levels. Testing staff through a combination of obvious phishing emails, as well as more sophisticated spearphishing emails is important.
This will help ensure your team develops the essential “muscle memory” they require – so they instinctively know what threats to be on the lookout for.
The organisation should also communicate with staff about cyber security. Staff can be made to feel like they are an intrinsic part of the solution by letting them know how many phishing emails have been blocked, and how many types of malware were stopped, thanks in part to their vigilance.
- Many might assume that modern cyber security technologies can prevent most threats. But what you’re saying is that people sit at the heart of an organisation’s resilience. How can non-technical people be empowered to take responsibility for their organisation’s cyber security?
Cyber security comes down to three things: people, processes and technology.
The technology is there to support the people and processes. Likewise, the people and processes are there to make sure the technology is working the way it’s meant to.
If I’m an attacker targeting an organisation, I’m probably not going after the most technically savvy individuals within the organisation. I would probably target non-technical individuals. The non-technical people may be more vulnerable to revealing sensitive information, or taking acts which harm the organisation.
That’s why everyone has responsibilities when it comes to cyber security, including non-technical people. Unfortunately, that’s a message that’s not really getting through.
Research shows that we can shift thinking to embrace a responsibility model by saying to all staff that you are responsible for your own cyber security, as well as the cyber security of your department and the broader organisation. This message can be reinforced in multiple ways.
By embracing a responsibility model, all people begin to feel better about cyber security. They also begin to feel more engaged with cyber security training. And they also feel better about any slight inconveniences they have to go through to be more secure. And these messages need constant reinforcement.
Think of it like branding. Coca Cola may be the most well-known brand on the planet. And yet, Coca Cola still has a huge advertising budget to keep their brand at the front of consumers’ minds. That should be the way you approach cyber security training.
People need to hear essential cyber security messages all the time, otherwise it’s just going to disappear from their minds.
That means once-a-year training is not enough.
- So, if once-a-year training is not enough, how should organisations go about implementing ongoing training?
Although once-a-year training is not enough, it is still important.
Make your cornerstone annual cyber security training activities memorable. This can be achieved in a number of ways.
You could invite a guest from outside the organisation to give customised talks that are engaging.
However, the big trend now is towards gamification.
One of the popular activities we run is cyber escape rooms. In these, we play various scenarios where the participant is a police agent. They involve a whole series of loosely threaded storylines and games that participants progress through.
Gamification makes training fun and engaging. They become training events that are enjoyable, and staff look forward to them.
As I mentioned, annual training activities alone are not enough. Between these periodic events, you need to maintain ongoing cyber awareness initiatives, so cyber security is always front of mind.
One option is to run regular micro-training modules that are customised to your organisation’s needs. These can be particularly useful for people in finance and accounting. For example, you can provide micro-training modules around tax time, when accounting staff are more likely to be targeted.
Such micro-training modules can focus on specific end-of-financial-year risks, such as manipulated invoices. The modules should reinforce messages around invoice security, such as not paying invoices unless they are carefully checked.
Effective training is all about making it enjoyable and doing something memorable.
- How can you determine the efficacy of your training initiatives?
We tend to use a four-stage scale.
The first stage is where people have the mindset that they can’t be cyber secure. However, over time, they progress to the second stage where they develop some cyber awareness skills with assistance. By the third stage, they are able to do things without any help. The fourth stage sees staff actually being able to help others.
Once you’re at this fourth stage, you’re finally developing a cyber security culture in your organisation.
It’s important to remember that when it comes to cyber security training, it all starts with the top. There has to be management buy-in. But once the management is on board with cyber awareness training initiatives, you should absolutely have a cyber security champion in every department or function of the organisation.
These people can take generic off-the-shelf concepts and customise the information to suit their department’s particular needs. They can also lead discussions internally and facilitate conversations between their department and the organisation’s cyber security leaders.
While that might be a hard thing to get going, it is the perfect way to develop a cyber security culture within your organisation.