Cybersecurity Awareness Training
Company: Facilities management company in Australia
Employees: 900
Key drivers:
The CEO and board of directors faced critical concerns about data security and information security. The company had experienced numerous phishing attacks in the past, and senior management suspected that someone internally was sharing confidential information with rivals.
The company was managing a huge amount of personal data of illegal migrants.
Challenges:
The nature of the business requires sharing, processing, and storing data, which posed a significant risk to information security, with sensitive data being susceptible to accidental or deliberate compromise.
In this instance, senior management were confident that cyber security controls were being implemented, as they recognised the importance of protecting data. The key gaps identified were the lack of information security leadership, the lack of a dedicated information security team, and the absence of an ISMS, which made it challenging to ensure consistency in operational activities and management practices.
Solutions:
- Traditional one-size-fits-all approaches to security awareness often led to moderate and indeterminate results. The strategy we used with our client was to:
- Prepare cyber security awareness training as per job roles and responsibilities
- For the first year we held quarterly cyber security awareness training. We kept the same content to reinforce good cyber hygiene in employees.
- Most of the employees were not based at the head office and also did not have access to the internet. We conducted cybersecurity awareness sessions for all staff working from remote sites.
Result:
- Increased their employees’ knowledge of cyber security measures
- Everybody started to feel that they were part of security.
- We noticed changes in the employees’ behaviour. Employees started to report phishing attacks to management. They are no longer afraid to report cyber incidents or any abnormalities they witness in their systems. They started to see the cybersecurity department as their friend instead of an enemy.
- Employees started taking extra care while opening external emails.
- Heads of department started questioning approval request forms from their departments and started notifying the IT team of changes (such as a change in an employee's job responsibilities, loss of company assets such as laptops or mobile phones, termination, etc.) in a timely manner.