CISO  Cyber Security

3 Reasons Your Largest Cyber Threat is Within Your Organisation – and What to Do About It!

Table of Contents

Companies once thought of their organisation’s security as a castle-and-moat scenario in which no one outside of their organisation was able to access their data. Only those inside the castle (on the network) had access to the information. Now, with the need for remote work, combined with our tech savvy workforce, many more bridges have been built over the moat, transforming the castle into a highly interconnected and accessible city skyscraper – both physically and virtually. Are these new bridges providing unauthorised access to organisational data? It depends on how they are built and if the occupants of the skyscraper are aware of their role of protecting the organisation from cyber threats, as well as the implications of building an insecure bridge.

Centuries ago, your biggest threat would have come from a mob of angry soldiers with fire torches and arrows outside of your castle. Today, the biggest threat to your skyscraper comes through your email. Mimecast found that more than 91% of cyber-attacks infiltrate an organisation via phishing email, with a 400% year on year increase in such attacks according to the FBI.

An organisation’s users are the front door of your interconnected skyscraper and email is the window they look through.

Who are they letting in over the bridge and into the front door? Is the window large and clear enough for them to spot an attacker who may be dressed like they are innocent?

Zero Trust (ZT) is the armour and visibility your people need to protect the skyscraper. You may think it’s just a popular fad term in the cyber security industry. However, Zero Trust is more than just a buzzword. It is an approach that requires informed trust decisions by providing more context than ever before, especially when relating to one of its pillars: people.

Let’s break down three ways the people of your organisation can impact your exposure when it comes to cyber threats.

Keep in mind, no one is immune. Execs are often the targets of whaling and spear-phishing impersonations. Even IT administrators are vulnerable to attacks, despite their experience.

1. Employees Are The First Line Of Defence

At the end of the day, the people who are operating within the organisation are humans. We aren’t quite there with robots yet, and even they are capable of error. Humans are busy, filtering through countless emails daily, while trying to keep up with their roles. Stress, fatigue, not paying attention, unawareness and the pace at which we work can all leave room for unintended or even intended consequences. 

IBM’s Cyber Security Intelligence Index Report reveals that human error was a major contributing cause in 95% of all breaches and over 70% of all breaches are due to social engineering. The Mimecast State of Email Security 2022 report found that more than 8 out of 10 respondents believe their company is at risk due to inadvertent data leaks by careless or negligent employees.

Understanding that your employees are your first line of defence is imperative to a strong security strategy. However, the frontline of your cyber security defence is cultural, not technology based. Your employees don’t need to know what ZT is, but they do need to adopt the ZT mindset which involves not trusting everything by default or at face value. Reframe ZT away from not trusting your people but rather empower them to make better trust decisions informed by context.

Empower your knights in shining armour by focusing on preparedness and vigilance. Teach them the red flags that they should look out for. Eg: If an email comes through from their “CEO” but the email address is unrecognised, they should know what action steps to take next, such as not clicking on the email and the appropriate person to alert of the phishing attempt.

Further, you should be providing them as much context as possible using email analytics, such as whether that email was external, if that email contains content such as urgency, large payment requests, if it came from a remarkably similar email address to other internal staff or other scam related behaviour. Remember – you should make that glass window to the outside as clear and as large as possible via providing more context.

2. ‘Tick-the-box’ approach provides a false sense of security

Companies fear reputational damage from breaches and non-compliance. They all expect the data stored within their organisation to be safe and never want to compromise their customers’ personal information. As a result, organisations often focus on compliance and meeting the requirements of legislation and treat this step as the final destination of their cyber security program. This leads to them mistaking being compliant as being secure – which are two completely different things. 

Often, organisations prefer to pay the fine and sweep the breach under the rug rather than risk reputational damage. Organisations should be weary of this approach – as sometimes you may have a covert breach you aren’t even aware of. Unfortunately, in that case, customers might find out there’s a breach before you do through examples such as a ticket machine displaying a ransomware notice, on an advertising billboard or a website defacement. 

According to the 2022 Mimecast State of Email Security Report83% of participants responded that their organisation was the victim of a cyber-attack that spread from one infected employee to others (up from 73% in 2021). 

Could employee naivete be an open window?

According to the report, 40% of the respondents said that was one of their biggest security concerns for the coming year. However, employees aren’t always properly prepared to deal with an attack.  Only 23% said that their company provides regular cyber awareness training.

With these considerations in mind, when you create a policy and meet compliance requirements, don’t just stop there. Take it a step further by implementing measurable phishing awareness training programs. Test your employees through regular interactive quizzes, social engineering and phishing simulation tests. Be sure to track these tests over time to ensure the awareness program is effective and make adjustments to your awareness program based on the results. That’s how you can provide assurance that your policy is being adhered to, and that your employees are armed with knowledge as to how they can flag an “innocent-looking” intruder before they are fooled into letting them over the bridge and into the front door.

3. Security is seen as the enforcer Rather than the protector

According to Security magazine, over 2,200 cyber-attacks are made every day – roughly one every 39 seconds.Cybercrime is constantly evolving, and organisations are struggling to stay ahead of perpetrators. Therefore, a whole-of-organisation approach is needed across all maturity levels. The entire organisation needs to wear the armour and continue to evolve with growing threats. This starts with the company culture. 

From a cultural perspective, companies should take an approach whereby the IT/Security Department are seen as the people who help and guide – not people to be feared. They should be the protector rather than the enforcer. This helps to remove the ‘unauthorised bridge building’ into the organisation by ensuring that other departments throughout the business want to work with IT/Security teams and involve them in their processes voluntarily. This way, bridges can still be built to enable the organisation’s agility, but they can be built securely so both parties win. If you’re looking for somewhere to start – uniting with departments such as Legal, Procurement and Project Management in particular will help considerably, as most technology initiatives go through them. 

Additionally, don’t forget to make sure your employees know who to talk to on cyber security matters and have an easy way of contacting them for help. There is a considerable amount of organisations whose employees don’t know how to get in touch with their Security teams apart from through a helpdesk ticket, which can be a deterrent. A dedicated information security portal, email address or contact number is a step in the right direction.

Today’s tech savvy younger generation might not recognise the importance of engaging with IT/Security and may take a “do it myself” stance when they have the knowhow from a technology perspective. This is an opportunity to reframe that approach, making IT/Security the ambassador for instilling a culture of cooperation and transparency throughout the business. Secure business enablement and employee experience allow the IT/Security Department and employees to work closely together and bridge gaps. 

A company’s IT/Security Department should not be conscripting the troops. Rather, it should be seen as the department that helps to build a cohesive army in which all employees, no matter the department, are working together in unison against cyber threats.

Could employee naivete be an open window?

According to the report, 40% of the respondents said that was one of their biggest security concerns for the coming year. However, employees aren’t always properly prepared to deal with an attack.  Only 23% said that their company provides regular cyber awareness training.

With these considerations in mind, when you create a policy and meet compliance requirements, don’t just stop there. Take it a step further by implementing measurable phishing awareness training programs. Test your employees through regular interactive quizzes, social engineering and phishing simulation tests. Be sure to track these tests over time to ensure the awareness program is effective and make adjustments to your awareness program based on the results. That’s how you can provide assurance that your policy is being adhered to, and that your employees are armed with knowledge as to how they can flag an “innocent-looking” intruder before they are fooled into letting them over the bridge and into the front door.

Conclusion

Implementing ZT is not a band aid solution to cyber threats but rather an ongoing, holistic approach. Understanding ZT in the context of the people within your organisation and the actions you can take fosters opportunities such as uniting your people and strengthening your culture as everyone does their part to protect the skyscraper. This approach creates a stronger, resilient, company-wide alliance against cyber-attacks in which everyone will be empowered with the armour and visibility needed to able to look through that window and flag an intruder before they step on to the bridge.

If that sounds like a lot, have no fear. Sekuro are using their experience to help many organisations strategically unite their people against cyber-attacks. Learn about how we can help you take a holistic approach to Zero Trust across your People and 7 other pillars via Sekuro’s Zero Trust Strategy. 

Lee Roebig Sekuro 2024

Lee Roebig

Director of Strategy & Architecture, Customer CISO, Sekuro

Lee is an experienced Cyber Security professional with 17+ years in the technology Industry. He has previously worked in cyber security leadership and architecture roles inside multiple global organisations prior to joining Sekuro. At Sekuro, Lee helps clients with Cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing, leisure including multiple ASX listed companies.

More Articles

Sekuro's Latest Insights

Get in Touch

Discover the Smarter Way to Transform Your Organisational Security – Connect with Our Experts Today.

Complete the form and we will get in touch within 24 hours. 

Aidan Tudehope

Co-Founder of Macquarie Technology

Aidan Tudehope, Co-Founder of Macquarie Technology

Aidan is co-founder of Macquarie Telecom and has been a director since 1992. He is the Managing Director of Macquarie Government & Hosting Group with a focus on business growth, cyber security and customer satisfaction. 

Aidan has been responsible for the strategy and execution of the investment in Intellicentre 4 & 5 Bunkers, Macquarie Government’s own purpose-built Canberra data centre campus. This facility is leveraged to deliver Secure Cloud Services and Secure Internet Gateway.

With a unique pan-government view on the cyber security landscape, we are invested in leading the contribution from the Australian industry on all matters Cyber policy related.

Aidan holds a Bachelor of Commerce Degree.

James Ng

CISO, Insignia Financial

James Ng, CISO, Insignia Financial

James is a leader with a range of experience across various cyber security, technology risk and audit domains, bringing a global lens across a diverse background in financial services, telecommunications, entertainment, consulting and FMCG (Fast Moving Consumer Goods). He is currently the General Manager – Cyber Security at Insignia Financial and most recently was at AARNet (Australia’s Academic and Research Network) where he oversaw a managed Security Operations Centre (SOC) capability for Australian universities. Prior to this James was the acting Chief Information Security Officer for Belong and led the cyber governance and risk team at Telstra.

Noel Allnutt

CEO, Sekuro

Noel Allnutt CEO | Sekuro

Noel is a driven and award-winning IT leader. He has a passion for developing great teams and accelerating client innovation, and in enabling organisations to create a secure and sustainable competitive advantage in the digital economy. Noel also hosts the ‘Building Resilience Podcast,’ which explores the world of sport and deconstructs the tools and ethos of world-class athletes that can help create growth and optimise business and life.

Audrey Jacquemart

Bid Manager, Sekuro

Audrey Jacquemart, Bid Manager, Sekuro

Audrey is an innovative cybersecurity professional with a versatile profile spanning across Product Management, Presales and Delivery. She has worked within organisations from start-ups to large international organisations in Europe and APAC before joining Sekuro.

Nicolas Brahim

Principal Consultant, CRP and OT

Nicolas Brahim, Principal Consultant, CRP and OT

Nico leads Sekuro’s Cyber Resilience Program and OT Cybersecurity, ensuring continuous support and effective program execution for our clients. With over a decade in the security industry, including the creation and leadership of several Security Programs for IT and OT across Australia, New Zealand, Argentina, Chile and the US, his core philosophy emphasises an equal balance of people, process, and technology in delivering actionable and simple solutions.

Trent Jerome

Chief Financial Officer, Sekuro

Trent Jerome

Trent is a seasoned CFO with over 30 years’ experience in Finance. Trent has broad experiences across Capital raises, debt financing, M&A and business transformation. He is a CPA and member of AICD. Trent works with Boards around risk and risk mitigation plans and assists Boards in navigating the risk mitigation versus cost conversation.

Ada Guan

CEO and Board Director, Rich Data Co

Ada Guan, CEO and Board Director, Rich Data Co

Ada is the CEO and Co-founder of Rich Data Co (RDC). RDC AI Decisioning platform provides banks the ability to make high-quality business and commercial lending decisions efficiently and safely. With over 20 years of global experience in financial services, software, and retail industries, Ada is passionate about driving financial inclusion at a global scale.

Before launching RDC in 2016, Ada led a Global Client Advisor team at Oracle Corporation, where she advised Board and C-level executives in some of the largest banks globally on digital disruption and fintech strategy. She also drove Oracle’s thought leadership in banking digital transformation for Global Key Accounts. Previously, Ada implemented a multi-million dollar program to deliver a mission-critical services layer for Westpac Bank in Australia and formulated the IT strategy that was the basis of an $800m investment program to transform Westpac’s Product and Operation division and complete the merger with St. George Bank. Ada is an INSEAD certified international director and holds an EMBA from the Australia Graduate School of Management, and a Master of Computer Engineering from the University of New South Wales, Australia. She also graduated from the Executive Insight Program at Michigan University Ross Business School and IESE Business School.

Megan Motto

Chief Executive Officer, Governance Institute of Australia

Megan Motto, CEO, Governance Institute of Australia

Megan Motto is Chief Executive Officer of Governance Institute of Australia, a national education provider, professional association and leading authority on governance and risk management. The Institute advocates on behalf of professionals from the listed, unlisted, public and not-for profit sectors.

Megan has over 25 years of experience with large associations, as a former CEO of Consult Australia, as well as holding significant positions in Australia’s built environment sector and business chambers.

She is currently a director of Standards Australia, a member of the ASIC Corporate Governance Consultative Panel and a councillor of the Australian Chamber of Commerce and Industry (ACCI) where she chairs the Data, Digital and Cyber Security Forum.

Megan’s expertise spans governance, risk management, public policy and education. She holds a Bachelor of Arts/Bachelor of Education, a Masters of Communication Management and a Graduate Diploma of Corporate Governance and Risk Management. She is a Fellow of the Governance Institute of Australia, the Chartered Governance Institute and the Australian Institute of Company Directors and is also a member of Chief Executive Women. Megan is also an Honorary Life Trustee of the Committee for Economic Development of Australia (CEDA) and was a 2014 recipient of the AFR/Westpac 100 Women of Influence.

Shamane Tan

Chief Growth Officer, Sekuro

Shamane Tan, Chief Growth Officer, Sekuro

Sekuro’s Chief Growth Officer, Shamane Tan, is passionate about uniting minds and experiences, excelling in aligning C-Suite and Board members with cyber security imperatives. As the author of “Cyber Risk Leaders,” she unravels executive communication nuances and distils C-Suite expectations. 

Her work extends to “Cyber Mayday and the Day After,” a roadmap for navigating crises by mining the wisdom of C-level executives from around the globe. It’s filled with interviews with managers and leaders who’ve braved the crucible and lived to tell the tale. Her most recent book, “Building a Cyber Resilience: A Cyber Handbook for Executives and Boards,” was featured on Forbes Australia’s top list of books for CEOs. 

Shamane has also founded a transcontinental cyber risk and executive meetup spanning Sydney, Melbourne, Adelaide, Perth, Singapore, the Philippines, and Tokyo, fostering mentorship, women’s empowerment and thought leadership. As a strong advocate for the importance of having a voice and helping others use theirs, Shamane Tan has spoken at TEDx and global conferences, including FS-ISAC, RSA, Silicon Valley, Fortune 500 and ASX companies. 

Recipient of the IFSEC Global Top 20 Cybersecurity Influencer award and named among the 40 under 40 Most Influential Asian-Australians, Shamane leverages her unique fusion of technical prowess and business acumen to help organisations progress on their security maturity journey.

David Gee

David Gee, CIO, CISO, NED, Board Advisor & Author

 

David Gee, CIO, CISO, NED, Board Advisor & Author

David has just retired in July 2024 and is building out his portfolio. He is an Advisor with Bain Advisory Network and also an Advisor to JS Careers (Cyber Recruitment) and Emertel (Software Commercialisation).

He is a seasoned technology executive with significant experience and has over 25 years’ experience in CIO and CISO roles across different industries and countries. At Macquarie Group David served as Global Head Technology, Cyber and Data Risk. Previously was CISO for HSBC Asia Pacific. His career as a CIO spans across multiple industries and geographies including – Metlife, Eli Lilly and Credit Union Australia. He was winner CIO of the Year 2014, at CUA where he successfully completed a significant Transformation of Core Banking, Online and Mobile Banking systems.

David is past Chairman for the FS-ISAC Strategy Committee and awarded Global Leaders Award in 2023 for his contributions to the cyber security industry. A regular conference keynote speaker and 150+ published articles for CIO Australia, Computerworld, iTnews and CSO (Cyber Security), David now writes for Foundry CIO.com and AICD.

His most recent book – the Aspiring CIO & CISO was published in June 2024 and David is writing his second – A Day in the Life of a CISO with a number of CISOs from around the world for 2025.

Naomi Simson

Co-founder, Big Red Group and Former Shark Tank Judge

Naomi Simson, Co-founder, Big Red Group

INTRODUCTION

For 25 years as an entrepreneur, Naomi Simson has been bringing people together whether it’s with her business experience, her speaking or writing. Passionate about small business and local community, Naomi is considered a home grown success story.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia and she appears regularly on ABC The Drum. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano, as well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has four seasons of her podcast ‘Handpicked’, and she has authored two best-selling books Live What You Love, and Ready to Soar, and is sought after speaker.

FULL BIO

For 25 years Naomi has been bringing people together whether it’s with her business experience, her speaking or writing. She is a strong advocate of business owners.

Known as an entrepreneur and business leader; following the growth of RedBalloon which she founded in 2001, Naomi co-founded the Big Red Group (BRG) in 2017.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano. As well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has authored two best-selling books Live What You Love, and Ready to Soar, and is an engaging, humorous and insightful speaker. She has four seasons of her Podcast – Handpicked.

Naomi is relatable across a broad variety of audiences and topics, often drawing on her personal experiences to provide thoughtful and valuable views into topics; including the customer obsession, intentional leadership, growth mindset, personal development. She is a regular panellist on ABC The Drum.

Peter Ngo

Product Line Manager, Global Certifications, Palo Alto Networks

Peter Ngo | Sekuro

Peter leads the Commercial Cloud, Global Certifications organisation at Palo Alto Networks which oversees global cloud security compliance efforts to various frameworks and standards including IRAP, SOC 2, ISO, PCI, C5, ISMAP, and IRAP and more for 25+ cloud products.

He has held many roles over the years covering areas of IT Operations, and Governance, Risk, & Compliance (GRC) for a wide range of industries including technology, insurance, and manufacturing.

Peter holds various security and professional certifications, including the CCSP, CISSP, PCI ISA, CISA, CISM, CDPSE & ISO Lead Auditor, in addition to a Master of Science degree in Information Assurance. 

Jack Cross

CISO, QUT

Jack Cross | Sekuro

Jack Cross is an experienced business leader with expertise in digital technologies and risk management. Through a steadfast commitment to integrating people, processes, and technology, he champions the fight against cyber threats while mitigating organisational risks. 

Over the past 15 years, Jack has navigated diverse leadership roles within the Defence and Education sectors, honing his skills in steering multidisciplinary teams through intricate and sensitive technical landscapes. In addition to this experience, he holds numerous formal qualifications such as: a Master of Systems Engineering (Electronic Warfare); CISSP; and CISM certifications.

Nadene Serman

Global CTO, Infotrack

Nadene Serman | Sekuro

Nadene Serman is a leading IT executive with a proven track record spearheading first-of-its-kind technology and business transformation for some of the most prominent organisations globally and in Australia. As the Global Chief Technology Officer of InfoTrack, she is a key protagonist of innovation as an enabler of InfoTrack’s next stage growth. Her energy, commercial acuity and strategic capability have fueled her success.

Nadene leads with clarity, transparency and urgency, uniting people in complex, multi-layered technology and business execution, and go-to-market transformation and innovation. She tackles and resolves complex and seemingly intractable challenges while building support and collaboration – even in times of crisis. Her people-first, ‘think straight, talk straight’ approach makes her a formidable force.

John Doe

President Great Technology

Cyber Resilience Program | Sekuro

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.