
Interview: Mindshift - the Kiwi firm putting the 'people' back in cybersecurity

18 Aug 2020

There’s a well-known ‘holy trinity’ of security: people, process, and technology. Ask any CSO or CIO, or even just a business owner, and they may say that they have solutions and security practices to keep their business protected. But do these take the right approach to educating every organisation's front line: its employees?

We spoke to Mindshift director Melonie Cole to find out more about why cyber awareness and talking to employees should be front of mind for every business.

Mindshift is a company that launched in 2018 to work with businesses to help them educate people about cyber risk. 

Cyber risk is introduced to businesses in different ways. When employees are working online and working with information, risk is as much about what people do as what they don't do.

“Often people are the last thing to be considered when it comes to change and the way people work - whether it’s in terms of new technologies, or workplace changes like working from home. This has a major life impact and it affects how they feel about information security,” says Cole.

“If you don't give people the information they need to make good decisions online, you can’t hold them accountable for the mistakes they make.”

The key to helping employees make good decisions can be as simple as changing the tone of the message. For example, organisations may have rules that prevent downloading of files to USB drives. They might communicate this policy in a list of things employees shouldn’t do. This, says Cole, is a negative way to start awareness conversations. 

Instead, organisations should put the ‘why’ first, by explaining how employees need to protect their information, their employer’s information, and their customer information.

“For example, you can explain to staff that if they put sensitive information on a USB drive and lost it on the way home, that’s going to have a major impact on their information, their employer's information, and their customers' information. Data breaches can happen that way.”

“One little thing someone has learned and then put into practice could make a huge difference in their lives. Cyber awareness complements technical solutions, tools and products to protect their businesses.”

Mindshift also helps to spread cyber awareness by first looking at key risk areas caused by people’s behaviour. Cole points to phishing as the most common attack vector, but it is only the tip of the security iceberg.

Cole and her team reinforce key security messages through a variety of channels, often using existing online security training as a starting point. This is all with the goal of creating better online security habits.

She notes that tips and advice about working from home have been particularly critical this year. Many businesses have adopted a hybrid working model where staff are in the office and at home. The home environment may not have the quality of connection and quality of security that people take for granted at the office.

Cole explains, “That could be things like leaving your desktop open when you step out, or having private work conversations when your flatmates are around, or just leaving your documents lying around where people could, even accidentally, see confidential information.”

“It’s a bit like leaving your house unlocked when you go out, leaving the windows open and leaving all your devices just sitting around.”

People can be easily distracted at home and may not be fully focussed on work. Slowing down and finding the right moment to send an email, for example, goes a long way to forming good security habits at home.

Other security habits could include:

  • Encouraging people to lock screens when they step away
  • Making sure that confidential information isn't seen by others
  • Using work-issued laptops for work use only

"Small things can make a huge difference, so I encourage businesses to make the most of this opportunity to help their people develop security habits which will eventually become normal," says Cole.

As New Zealand moves in and out of different alert levels, people may be more prepared to adjust to working-from-home life.

Cole believes people may be more accepting of the extra steps they may need to take to connect to work and get to their documents, like using a few extra layers of security, as those ways of working should be feeling pretty normal by now.

"Keeping security guidance simple, relevant, and memorable is the key. A 20-page ‘working remotely’ guide will certainly be more interesting if it’s a video or something visually exciting," she says.

“When businesses share security advice with their staff, that can be easily applied to home and shared with friends and family, it’s a double whammy! People are much more likely to remember and put into practice things like keeping backgrounds free of private information when on video calls when they’re applicable to their lives outside of work.”

“There may be an assumption it’s easier for people to work from home because they’re used to it - that may be true - but the new risk may be complacency,” says Cole.

“There’s an opportunity for regular contact with your employees to ensure they’re working securely and understand why this is so important.”

There are plenty of resources available for businesses and their employees.

CERT NZ is a good starting point for information and cybersecurity incident reporting.

Find out more about Mindshift and how it works here. You can also catch Mindshift's session from the recent Smart CIO summit here.
