Introduction

As Cybersecurity Awareness Month has wrapped up for 2024, it’s a timely reminder that safeguarding Australian businesses deserves attention every day of the year, not just for a single month. Cyber threats don’t follow a calendar, and staying vigilant year-round is essential, now more than ever.

Getting started: prioritising your cyber security uplift program

Managing cyber security and other technology risks will be top of mind for CIOs in 2025 across Australia and New Zealand, with 82% of respondents saying it is a key priority for next year, according to Gartner.

But with so many vendors to choose from, it can be difficult to determine where to begin focusing your security uplift efforts. I would posit that rather than starting with a specific vendor, it is more effective to focus on basic cyber hygiene. The Critical Security Controls from the Center for Internet Security (CIS) provide an excellent framework.

The Critical Security Controls provide a prioritised set of best practices aimed at enhancing an organisation’s cyber security efforts. Recognised globally, the CIS Controls present straightforward and actionable steps to bolster your IT security. Also worth noting is that CIS takes a safeguard-centric approach rather than a vendor-first approach, and breaks the Security Controls down into Implementation Groups.

The CIS framework defines 18 Security Controls, with each control’s safeguards organised into Implementation Groups (IGs) based on priority. For example, Implementation Group 1 (IG1) includes 56 safeguards, primarily foundational measures. Within IG1, the Security Awareness and Skills Training control contributes 8 of its 9 safeguards, whereas the Network Monitoring and Defence control has no safeguards assigned to IG1.

“In simpler terms, if your organisation is just beginning its cyber security journey, focusing on Essential Cyber Hygiene will have a far greater impact than investing in solutions like Security Information & Event Management (SIEM), especially if the foundational security controls aren’t yet in place.” – David Dowling, Head of Product & Solution Design.

How much are Australian companies spending on security per year?

Finding reliable breakdowns of cyber security spend per employee can be challenging. Fortunately, Australian organisation CISO Lens has compiled a Benchmark Report that provides valuable insights, including an average security budget of $3,200 per staff member. Your organisation may not yet be tracking security spending on a per-employee basis, but if you start, it will give you the figures you need to support your business case.

By understanding average security expenditures relative to your workforce size, you can better assess your current budget and identify areas where improvements or consolidations can be made. This insight will help you pinpoint any gaps in your security posture, enabling you to make a stronger case for additional funding and investments in necessary tools and technologies. Ultimately, having a clear picture of your security spending can guide your organisation in making informed decisions to enhance overall cyber security effectiveness.

The transition from security awareness and training to human risk management

IT leaders often struggle to keep pace with the rapidly evolving landscape of vendors and their solutions. In 2022, Forrester categorised the market for Security Awareness and Training (SAT), revealing that a staggering 80% of security incidents were traced back to just 8% of users. For 2024, Forrester predicts that 90% of data breaches will include a human element.

This predominance of human-related breaches highlights a crucial shift in the industry: the focus is moving from traditional security awareness to a more comprehensive approach known as Human Risk Management (HRM).

This transition enables cyber security teams to concentrate on the risks associated with human behaviour, allowing for more targeted strategies to mitigate vulnerabilities posed by users.

HRM is the process of identifying, assessing, and mitigating risks that arise from human factors within an organisation. It focuses on the behaviours, decisions, and interactions of individuals and teams that could impact the organisation.

Building a positive culture to bring security into the conversation

When adopting an HRM solution for your organisation, you need to engage with members of the leadership team, namely Operations Management, Finance, and People and Culture. This initiative should not be regarded as yet another IT project; instead, it is a fundamentally people-centric project.

Involving a broader range of leaders is crucial to ensuring that your HRM project is not perceived merely as a tool for sending phishing simulations to employees. Rather, it should empower staff to recognise and report suspicious emails, phone calls, and even interactions on platforms like LinkedIn. Implementing user-friendly workflows, such as a “Report Phish” button, will facilitate this process and enhance your organisation’s overall security awareness.

How can Slipstream Cyber help?

Slipstream Cyber (a part of Interactive) is Mimecast’s APJ Partner of the Year for 2024, and we have worked with a number of our customers to roll out Human Risk Management solutions.

A common challenge that IT teams face is not having dedicated cyber security resources. It can be difficult to prioritise HRM when you are so focused on daily operations. Get in touch to discuss how we can seamlessly manage your HRM project.

Let’s talk business

Think this service suits your business? We work with a multitude of different industries across the board, so get in touch with us if you think you’re in the right area and would like to talk to one of our team about becoming cyber secure.
