Build a human firewall as part of your company's culture.

Almost half of New Zealand’s population has experienced cybercrime in the last six months, whether through scam calls, phishing, online shopping scams, or extortion. More New Zealanders are becoming aware of these threats and taking steps to protect themselves, but there’s still more work to do.

Cyber safety is not about ticking boxes with a couple of training sessions, adding multifactor authentication (MFA), or giving a talk on passwords. Companies must think beyond the basics: cybersecurity needs to be baked into the culture, according to Josh Alcock, principal security strategist, Fortinet.

“Cybercrime is becoming part of our daily lives, and part of the cost of doing business,” he says. “It's got to be ingrained into an organisation’s everyday culture so that there's trust and partnership between the security team and everyone else.”

Run by CERT NZ and the National Cyber Security Centre (NCSC) from October 21-27, Cyber Smart Week 2024 is the ideal time for organisations and individuals to take action to strengthen New Zealand's cyber resilience.

Three factors for building a ‘human firewall’

Cybersecurity rests on three pillars: people, technology, and processes. According to Alcock, it's straightforward to get the right technology and processes in place. People, however, are complex, and the largest share of cyberattacks come through human error.

“Having a human firewall is one of the best defences against cybercrime,” he adds, “and that requires work on multiple fronts.” 

The first is continuous education, training employees on cyber risks and how to identify them. If you can, recognise the employees who show strong cybersecurity practices and perform well on security awareness testing. 

It’s also vital that the education matches the individual’s risk profile: “Training should be both interesting and relevant. For example, someone in the finance team is going to be much more of a target than a picker in a warehouse, so they need different training.”

The next factor is developing easy-to-follow cybersecurity policies.

“We can write policies and have controls in place. That part is easy,” says Alcock. “But if your policies are hard to understand and people can’t figure out how to apply them to their everyday work, you’ve failed in your job at policy writing. You need a company culture where cybersecurity isn’t siloed but ingrained across the entire operation. There must be buy-in from the top to push it down by example.”

The third factor is creating a culture of security throughout the business, where your security team works closely across the organisation. Do company leaders tend to lag behind employees on cyber awareness training? “Hell, yeah,” laughs Alcock. “Some executives want exceptions from policies or don’t want their online activities monitored as closely. There's a bit of a trope that executives are the ones who bring in a laptop infected with malware from visiting shady sites. But again, it all comes back to culture.” 

If creating a culture of cybersecurity isn’t incentive enough for your top-level execs, perhaps they could consider the personal risks. Among organisations surveyed by Fortinet, 51% said their senior leaders had faced “fines, jail time, loss of position, or loss of employment following a cyberattack,” according to the 2024 Cybersecurity Skills Gap report.

Removing the stigma of being a ‘victim’ of cybercrime

A strong cybersecurity culture encourages employees to talk more openly about their cybercrime experiences. Individuals and businesses that have lost money to cyber fraud are often reluctant to admit it because of embarrassment, language barriers, or potential reputational damage. Ransomware, for instance, often results in ransoms being quietly paid without any reporting. Romance scams are also under-reported because those targeted can feel both heartbroken and humiliated. In the workplace, similar feelings can come into play, including concerns about reputation and embarrassment, making people hesitant to talk about being conned.

But, Alcock says, your company should encourage a culture where people feel comfortable enough to tell the IT team when they’ve made a mistake. It might be a toll scam, a phishing scam, or a suspicious email. 

“People are scared to admit they clicked on that dodgy link because they think they’ll be reprimanded, but I think it should be the complete opposite,” says Alcock. “The cybersecurity area of your business wants to know what’s happening. We need to get rid of the stigma around being the victim of a cyberattack. It’s inevitable, and it happens to everyone. If it hasn’t already happened to you, it will happen.”

New Zealand doesn’t yet have mandatory reporting like some other countries. But whether it’s you or your company that’s been affected by cybercrime, reporting it to CERT helps paint a clearer picture of the scale of the problem. 

“Health and safety used to be a checklist, and now it’s a culture. People aren’t scared to report it when they cut their hand at work, because they trust that good processes are in place to deal with it,” Alcock says. “I’d love to see a similarly strong culture of cyber awareness and security practices in every business in New Zealand. Getting that right would make us a much less appealing target for cybercriminals.”

During Cyber Smart Week, Fortinet encourages businesses to reassess their cybersecurity practices and build a human firewall.

For more information, visit the Fortinet blog.