Companies that foster proactive health and safety (H&S) culture benefit from optimal safety performance. Australia’s mining and aviation industries, for example, are globally recognised for maintaining impeccable H&S standards, due to the large-scale investment of resources, time and effort. When considering the requirements of organisational H&S – integrated systems, standardised practices, compliance, and governance as well as specialist resources – we can start to see a similarity between H&S and cyber security. The only difference? There’s no legislative requirement driving the implementation of cyber security within organisations. We look at why security awareness is so important for every business.
Organisational H&S: An analogy for cyber security
A successful H&S program requires specialist resources to establish the right systems, tools, technologies, and practices to support a safe workplace and empower staff to reduce and eliminate hazards and risks. H&S champions understand the nuances of specific workplaces and conduct hazard and risk assessments to identify any gaps or areas for improvement. They provide training and education to develop strong safety awareness across their workforce. Senior H&S leaders also coordinate emergency responses when a major incident occurs, ensuring proper procedures are followed to protect employees and the organisation from further harm.
Now think about this through the lens of cyber security. Systems, tools, and technologies take the form of event detection and monitoring, endpoint protection, malware analysis, and reporting. Fostering a cyber-aware culture is delivered through security awareness training and education. Governance and compliance are achieved through the likes of penetration tests and vulnerability assessments and the application and adherence to best practice standards such as the ASD Essential Eight and NIST’s cyber security framework. Then, in the instance of a major cyber security attack, cyber incident response and triage specialists rapidly contain the danger, eliminate the threat and conduct forensic investigation and analysis for future prevention.
RELATED CONTENT: Common cyber security mistakes and 3 simple ways to fix them
The case for mandatory security awareness
In the absence of a legislative backbone, some view security awareness as a compliance goal, where the aim is to tick a box on an annual audit and nothing more. The approach often involves a short online course for employees to complete once a year to meet the minimum requirements of standards such as ISO 27001. But is this enough?
SafeWork Australia estimates the cost of work-related injuries, illnesses and H&S claims brought against Australian organisations totals over $61 billion every year. In comparison, a Microsoft cybercrime report published in 2018 suggested the direct economic loss from cybersecurity incidents to Australian businesses was $29 billion. Furthermore, the impact of a cyberattack can be higher than these direct costs, since they do not include intangible long-term effects on organisations and workers.
Indirect H&S costs relate to damaged reputations, loss of management trust, and a loss in overall productivity. Cybercrime causes similar issues, as individuals affected by identity theft suffer longer-term mental health issues, such as anxiety and depression.
One example was a security breach suffered by the US Government’s Office of Personnel Management (OPM), which resulted in more than 21.5 million government workers’ personnel records being stolen by cybercriminals. Those records contained personal information like health records, contact details, all their identity documents (passports, social security numbers, tax returns) and even physical identifiers, such as fingerprints. This mega-breach resulted in significant anxiety and concern spread across the whole of the US government. It is seen by many as a total catastrophe both at the individual level and the whole government level since most of these workers will remain government employees for the rest of their careers and will continue to be a target for ID theft and espionage.
RELATED CONTENT: 8 cloud security tips to keep your data safe in the cloud
Reporting cyber attacks
Another factor to consider is that many organisations don’t publicise cyber attacks because they don’t have to. Even with the new Australian data breach reporting laws and an increase in the volume of reported breaches, many hacks, denial of service attacks and ransomware infections go unreported. The Office of the Australian Information Commissioner (OAIC) isn’t particularly interested in denial of service attacks since the legislation only seeks to protect the public from personal information exposure. As a result, the figure of $29 billion could be considered conservative against the true potential financial cost cyber incidents can have.
Security awareness: Who’s job is it anyway?
A question often asked of H&S and equally relevant to cyber security is “Who’s responsibility is it to foster a safety culture?”. Is it the specialist team (H&S or cyber security)? Is it HR because it’s focused on people? Or is it the learning and development team because it’s about training and education?
In the case of cyber security, it’s everyone’s responsibility to promote and participate in cyber safety culture built upon a solid foundation of security awareness. Boards, executives, and senior leaders should invest the right amount of time, effort and resources into maintaining a strong security posture that protects their organisation from potential threats and risks. Connecting cyber security with H&S can also be beneficial in adopting a more holistic approach to complete organisational safety and may allow companies to leverage existing skills, capabilities and infrastructure to support security awareness training and education.
Ultimately, security awareness isn’t something you always need a cyber security expert for. By focusing on quality, industry-endorsed content, dedicated leadership, and in-house capability to test the change of risk across the business, you have the right mechanisms to build a cyber-safe culture. However, specialist cyber security knowledge and expertise can help fill in the gaps and complement your in-house capabilities with a small amount of investment.
RELATED CONTENT: Cyber hygiene: 4 easy tips to keep your data safe
How we can help with your security awareness
Kinetic IT’s PROTECT+ can design a custom security awareness program tailored to your business needs, which fits within your organisation’s existing H&S solution. We have the content and the systems, all you need is the desire to affect positive change across your business.
We’re here to help. Get in touch with our team to learn more about PROTECT+ security awareness.