Cyber threats have traditionally been viewed as a technology problem, with responsibility sitting with IT departments to keep systems and data safe. However, research shows that nearly 55% of cyber breaches within organisations are caused by human error [1]. The people factor in cyber is often ignored, yet it is the most critical element of building a strong cyber-defence.
Historically, the workplace was identified as a central office location which provided a secure internet connection for employees. There was a strong reliance on organisational controls and monitoring to safeguard against cyber threats rather than personal accountability. In a post-pandemic world, these traditional safeguards are no longer enough. The workplace is no longer the place where employees go to work; it is flexible and can be anywhere that employees can collaborate and have access to an internet connection [1]. As we welcome the future of work, the complexity and maturity of cyber threats have continued to increase, with remote work being a key factor in 17.5% of breaches in 2020-21 [2].
Organisations need to begin exploring how they can build adaptability into the way that they manage cyber threats, so that they can maintain digital and customer trust [3]. This can be achieved by implementing an integrated cyber-defence approach, which considers both the people and technical factors of cyber threats.
A data breach refers to confidential information being extracted, or a data source being infiltrated, either through negligence or with malicious intent. While most data breaches are attributed to hacking or malware attacks, other methods include insider leaks or human error [4]. Regardless of the method, people are, for the most part, the root cause of cyber incidents. Attackers exploit people – not technology. Organisations can lead with their people by exploring the following:
1. Leadership: How we support our people
As with any change, in particular a process change, organisations need to ensure that there is the right level of leadership advocacy. To drive the change, organisations should seek to create future leaders who role-model the required cyber-conscious behaviours and mindsets.
2. Strategy execution: How we organise our work
To transform into an organisation that prioritises building cyber-conscious behaviours and capability, organisations should seek to align their strategy to the execution of customer value. Setting the appropriate risk appetite and cyber roadmap creates a deliberate shift towards transparency, visibility, and an orientation towards how the organisation will measure ongoing cyber success and risks.
3. Operating model: How we organise ourselves
To improve transparency and communication between teams, organisations should seek to break down traditional functional silos and align the organisation to deliver with cyber risks front of mind. This includes optimising cyber functions so that they are closely aligned with all projects across the business, as well as embedding cyber team members across business units to increase communication and knowledge across the organisation.
4. Ways of working: How we do the work
Equipping teams with the right set of cyber-related controls and processes will help organisations to closely monitor and mitigate high cyber risk areas across the business. This can be achieved by incorporating the minimum viable cyber compliance needed to meet organisational risk appetite into everyday work processes, and then closely monitoring and analysing breaches to optimise controls accordingly.
5. People: How we think about cyber
To mitigate negligence in relation to cyber, traditional approaches such as cyber awareness training are often ineffective. Targeted behaviour change interventions should be developed to help employees adopt the required cyber behaviours and understand the role that they play in protecting their data.
Underpinned by technology, an integrated approach should leverage a suite of technologies that gather actionable intelligence to enable an organisation to adapt to the evolving threat landscape. To help achieve this, organisations should explore the following:
1. Cyber Strategy: Setting the direction
To set the direction, organisations should consider developing a cyber risk program that identifies the strategic objectives related to cyber and establishes the risk appetite of the organisation. With this program, they can then build towards a level of security equal to current and emerging threats.
2. Security: Protecting what matters most
To protect what matters most, organisations should take a risk-based approach to implementing effective controls around the organisation’s most sensitive assets, regularly assessing the effectiveness of the controls and applying compensating controls in areas of weakness.
3. Vigilance: Keeping your eyes open
To stay alert, security teams should be empowered with actionable intelligence to proactively detect and manage cyber threats so that they can respond more effectively to cyber incidents. By centralising monitoring systems, organisations can identify and monitor new indicators of compromise, which may detect an imminent attack or incident.
4. Resilience: Adapting and responding to attacks
Lastly, to adapt and respond to attacks, organisations must consider both proactive and reactive incident management processes and technologies so that they can rapidly adapt and respond to cyber disruptions. This can be achieved through targeted incident response playbooks, regularly simulating and testing responsiveness across the organisation, and maintaining service continuity in the event of a breach.
For organisations to continue to thrive in this new era of digital work environments, managing the imminent threat of cyber-attacks means leading with a ‘people-first’ mindset, supported with technical infrastructure. Equipped with the right knowledge, tools, and behaviours, employees can begin to take accountability and see themselves as the first line of defence, rather than part of the problem. An integrated cyber-defence approach places people at the forefront and in turn, helps to build long-term digital trust.
For further insights on how cyber is shaping our future, please refer to: “Future of Cyber”. If you want to learn more about how you can become more adaptable in how you operate within your organisation, please refer to: “Enterprise Adaptability: Building the Agile Enterprise”.
Tanya is an experienced management consultant who specialises in helping organisations to drive adaptability through enterprise-level operating model design, agile ways of working, and large-scale strategic transformations. She is also a core member of the Enterprise Agility team, within Deloitte's Organisational Transformation practice. With experience working across a breadth of industries, particularly in the Financial Services and Insurance sectors, Tanya is passionate about solving people-related problems that drive innovation and efficiency within organisations.
Celia is a Consultant in Deloitte Australia's Human Capital Organisation Transformation Consulting practice. She has worked on a broad range of engagements, including organisation change management, leadership development and HR Document Governance and Assurance. She has experience across the Public Sector, Health Sector and Energy and Resources Sector.
Tom is a leader in the Deloitte Organisation Transformation practice focusing on enterprise adaptability, accelerating digital transformation and organisation design. He has guided multiple clients globally on their journey to truly anchor their organisation in customer centricity, adaptability and being able to thrive in a digital world. As a natural innovator and connector, he thrives on helping organisations to learn, adapt, build and execute their strategy, and loves to design and guide organisations to create a high-performance culture that is inspiring and fun to work in.