As South Africa’s government prepares for the Fourth Industrial Revolution by digitising government services, and key economic centres continue to adopt smart city technologies, the risk – and potential consequences – of cyberattack is growing by the day.
By Thomas Mangwiro, public sector cybersecurity expert at Mimecast
As the recent ransomware attack on Johannesburg’s City Power illustrated, cybercriminals can now significantly disrupt government’s ability to deliver key services to citizens.
Our country is an attractive target: the SA Banking Risk Information Centre believes South Africa has the third-highest number of cybercrime victims worldwide.
In a Mimecast study conducted by Osterman Research, security issues that topped the list of concerns for organisations included a breach of sensitive data, phishing and spear-phishing attacks, ransomware and CEO impersonation fraud. While technology-based solutions play a vital role in preventing, detecting and recovering from cyberattacks, employees remain an organisation’s most valuable line of defence.
Empowering employees with greater awareness of how to spot potentially risky online behaviour has become critical, especially considering that as much as 90% of all successful cyberattacks start with email, and that one compromised user can easily (and quickly) spread malware and other risks to the rest of the organisation.
However, the same Osterman report found that only 10% of organisations surveyed conduct security awareness training more than six times per year. Simply conducting more regular awareness training within government departments could eliminate much of the potential threat. In fact, some studies suggest up to 95% of all security breaches involve some form of human error. Equipped with greater awareness of cyber threats, public sector employees could potentially avoid and prevent threats and secure government’s ability to continuously deliver essential services to citizens.
Building a stronger security culture within the public service requires regular awareness training. Senior managers should be champions of a strong and ongoing cybersecurity programme and rally their teams behind them. Where to start?
These six steps will help public sector leaders make security awareness part of the culture:
* Get the buy-in and commitment of senior leadership. With strong, vocal leaders driving the awareness programme, it is far more likely to take hold and become part of company culture.
* When you provide awareness training to employees, make sure the training subjects relate to their roles and functions. When training is directly relevant to a person’s day-to-day experience, it is far more likely to be memorable, and the person is far more likely to apply what they have learned. Keeping things short and simple also helps.
* Set regular training intervals for all employees. Ninety-four percent of South African organisations in our latest research believed user awareness training is extremely or very important. And yet, only 53% offered monthly or ongoing awareness training.
* Make it fun. Adding some humour to the training material makes it more engaging and memorable.
* Stick to basics. Many of the common attack types can be prevented through basic security hygiene. Provide employees with practical real-life examples of how lapses in basic security can lead to a breach.
* Measure progress and performance. Working with a security awareness training provider that uses analytics to track employee engagement and progress with their awareness training gives public sector managers invaluable information about where the potential risks are.