Tag: employees and cyber security

  • Human Aspect of Security and Privacy

    Why do employees not care about cyber security?

    Human behaviour plays a pivotal role in cybersecurity, heavily influenced by psychological factors and workplace culture. Stress, cognitive overload, and lack of motivation can lead to poor security practices. Employees under high stress or facing unrealistic expectations are more likely to make errors such as clicking on phishing links, using weak passwords, or neglecting security updates. Toxic workplace cultures, where employees feel undervalued or overworked, can exacerbate these behaviours, leading to a heightened risk of security breaches. I have been impacted by inadequate leadership, which caused a drop in morale, burnout and a total lack of ownership.

    When employees experience high stress levels, it affects their ability to perform everyday tasks and to communicate, and it also affects how they follow security protocols. According to research conducted by the Victorian Department of Health, the symptoms can range from physical and psychological to behavioural. Below is a chart with the symptoms an employee may experience.

    For instance, an overworked employee might feel frustrated by a newly introduced security protocol added on top of an already heavy and tiresome workload. An employee may reason that since the organisation is not taking care of them, they do not have to work as hard or comply with the security measures. This not only compromises the organisation's security but also affects overall productivity and morale.

    Addressing these issues requires a holistic improvement plan that prioritises employee well-being and fosters a positive security culture. Implementing regular mental health check-ins and providing resources to manage stress can help reduce the cognitive load on employees. Many resources are available to help employees; however, if the organisation's leaders are not involved and do not nurture a collaborative environment, no tool will work on its own. It is the role of leadership to establish clear, achievable security policies and provide comprehensive training. It is essential to empower employees to follow best practices and to promote a culture of appreciation and recognition. Encouraging open communication and feedback can also help in identifying and addressing stressors and security concerns proactively.

    Active workforce involvement is crucial for creating a secure environment. Employees should be encouraged to participate in the development and refinement of security protocols, ensuring they are practical and user-friendly. Creating a network of security ambassadors or champions within teams can help disseminate information and foster a culture of vigilance. Regular town halls or feedback sessions can provide platforms for employees to voice concerns and suggest improvements. This participatory approach can lead to greater buy-in and adherence to security measures, as employees feel valued and heard.

    In one of the organisations where I worked, compliance was at the forefront, encouraged and emphasised by the leadership. At the beginning of my journey with this organisation, I spent 2 weeks ensuring that I had a solid understanding of all the compliance requirements: from HR to IT and Security. I completed hours of reading, videos and multiple-choice tests before being allowed on the tools. It was ingrained in my brain to act with vigilance and a strong understanding of the company's values. A positive culture, daily catch-ups with the leadership, the non-hierarchical structure of the organisation and an overall enabling environment created a fantastic workplace. Everyone wanted to do their best, and everyone wanted to make sure that their teammates, regardless of department, felt supported, encouraged and cared for. This kind of environment may be hard to create, but it is not impossible.

    Several challenges arise when addressing the human aspect of cybersecurity, especially in toxic work environments. One major challenge is changing established negative behaviours and attitudes. Overcoming this requires consistent effort and leadership commitment to fostering a positive culture. Providing training that emphasizes the importance of mental health and well-being can help shift mindsets. Another challenge is ensuring that security measures are not perceived as additional burdens. Simplifying security protocols and integrating them into daily routines can make compliance easier and less stressful.

    To evaluate the effectiveness of the improvement plan, organizations can use a range of metrics. Employee engagement surveys can provide insights into morale and perceptions of the workplace culture. Monitoring the number of reported security incidents and compliance rates with security policies can indicate the effectiveness of training and awareness programs. Metrics such as the frequency of password changes and participation in security training sessions can also provide valuable data. Regularly reviewing these metrics can help organizations identify areas for further improvement and ensure that their security strategies remain aligned with employee well-being.

    In conclusion, the human aspect of cybersecurity is deeply intertwined with psychological factors and workplace culture. By addressing the behavioural impacts of stress and toxic environments, organizations can significantly enhance their security posture. Developing a holistic improvement plan that includes mental health support, clear communication, and employee involvement is essential. Recommendations include investing in employee well-being programs, fostering a positive security culture, and regularly evaluating the effectiveness of these initiatives. By prioritizing the psychological and cultural aspects, organizations can create a more secure and resilient environment.

  • Cyber Review

    Thanks to Matthew Mansour

    Lecturer | IT Consultant for SMEs | IT Auditor

    … and Thanks to TAFE for this eye-opening scholarship.

    In this report, NMX digital consultancy is presented with an opportunity to provide company “X” with a cybersecurity framework. NMX will help X establish an educational framework with an emphasis on a human-centric approach for both organisations and foster an environment of professional and personal responsibility.

    Both entities, NMX and X, are independently owned companies that work together on a variety of projects. NMX is an independent marketing consultancy offering tailored, customer-centric digital solutions. X is an independent brokerage company assisting clients with contractual risk management and mitigation. Both companies are at the start-up stage; however, X works with enterprise-level companies. NMX, on the other hand, is at the beginning of its start-up journey and has the knowledge to help X keep up with ever-growing cyber risks. X, as the more established start-up, has the capital to outsource operational business tasks such as accounting, IT management and marketing. X relies on its IT provider, Jupiter Group, to provide security via Microsoft 365 and Microsoft Azure. Despite the robust security architecture provided by Jupiter Group and Microsoft, the X team lacks cybersecurity awareness, making X a prime target for cyberattacks.

    As mentioned earlier, both companies are at the very early stages of development and, while X has the capital to implement strong security practices, the company lacks an understanding of the importance of this subject. The job of NMX is to educate, collaborate and implement a seamless approach to cybersecurity that would come as second nature to X employees. NMX's focus is to educate X leadership and employees about the crucial significance of cybersecurity in their organisation. Due to the small team size, the process won't be as strenuous; however, because all team members focus heavily on revenue-generating activities, security questions are relegated to a minimal priority. The integral message that needs to be delivered to X is that the "[c]ore to creating an effective cyber security culture is recognising that people make an organisation secure, not technology" (Everard, T. (n.d.). What is Cyber Security Culture and why does it matter for your…. [online] PA Consulting. Available at: https://www.paconsulting.com/insights/what-is-cyber-security-culture-and-why-does-it-matter-for-your-organisation).

    To make the educational material as relatable as possible, we will be considering the way our brains process and memorise information. According to Matthew Outerbridge, there are many ways our brains retain and recall information (MATTHEW OUTERBRIDGE. (n.d.). Learning How to Learn: An Infographic. [online] Available at: https://www.outerbridge.blog/articles/learning-how-to-learn-infographic.), and to accommodate all learning styles we will implement a 5-way information presentation. The primary focus for NMX is to ensure that, by the end of the course, the managing director and his right hand are acting as leaders in cybersecurity excellence and leading by example on how to mitigate and navigate the murky waters of cyber threats. The members will receive the information via video recordings followed by a short test, a PDF with infographics summarising the video content, and news and articles about "breaking" cybersecurity events intended to inspire lunchtime conversations. At the end of each module, the team members will be required to complete a short test.

    The above covers the general framework and information presentation types. Most importantly, NMX will be constantly evaluating the engagement, reporting activity, and general attitude of the team and running Q&A assessments.

    Timeline and schedule 

    • Week 1: Audit and compliance check + Leadership Commitment
      • Identification of the core issues, and collection of all necessary information from the IT department, marketing, finance and other departments.
      • Introduction to the BASICS of CYBERSECURITY
        • Why do we care? What are the implications? Who is at risk?
          • Share the cyber news (industry-specific or personal)
            • www.brokernews.com.au. (n.d.). Brokers warned: Prepare for cyber threats. [online] Available at: https://www.brokernews.com.au/news/breaking-news/brokers-warned-prepare-for-cyber-threats-284503.aspx [Accessed 11 Jul. 2024].
      • Policy Review
    • Week 2: Incident Response Plan Implementation
      • Initial incident response plan implementation
        • Access controls and monitoring
      • 1-5 NMX framework
        • Assessment: ensuring that everyone in the team has the same level of understanding
        • Policy review edits to improve the incident response plan and ensure everyone is on the same page.
    • Week 3: Reporting procedures feedback, improvements & scenario analysis
      • Run a phishing simulation.
      • Based on the engagement, collect, rework and readjust the most up-to-date module and implement new standards and compliances.
      • Ensuring all departments are aligned and understand the new approach.
    • Week 4: Training Assessment and Employee Feedback
      • Testing, revising and reviewing the effectiveness of the new compliance and identifying any possible issues.
      • Collecting testimonials for a deeper analysis and recognising any knowledge gaps
      • Including Cyber Security in the employees' KPIs from the next module

    1-week break for evaluation and study.

    • Week 5-8: Rinse and Repeat
      • Repeat of Week 1-4 tasks based on the identified gaps or any additionally identified threats.

    1-week break for evaluation and study.

    • Week 9-12: Cement & Concrete
      • To avoid complacency, shift the responsibility for the next 4 weeks’ topic choice to the “influencer” of the team (preliminarily agreed with the MD)
        • The topics will be written in advance based on the latest evaluation.
      • Nominate a team leader who will be responsible for all cyber questions and empower the person with all available tools and information.
      • Provide the team leader with the tools and resources to help further the implementation of a cyber-safe culture.
      • Update the policy and update the incident response plan.

    As a final touch, at the end of the course the members will receive stickers to put on their laptops or screens. The stickers will not only remind the members of the course but can also invite conversations with new hires, clients and potential prospects.

    NMX digital consultancy will continue supporting X, providing undivided attention through partnership as the digital space continues developing, shifting and changing. NMX strongly recommends revisiting the security standards every 6-9 months to ensure that everyone in the team is aligned with the latest updates and changes in the cyber security space. The entire course is designed to be customised, re-evaluated and re-adjusted to the necessary curriculum to encourage the team members to cultivate a deep understanding of cyber security and nurture a culture of personal responsibility in a professional setting. As X continues its growth, the requirements will change, as will the need for shared responsibility and accountability. It's NMX's long-term commitment to keep X informed, educated and protected.