Are too many Councils "sitting ducks" for cyber criminals?

Back

Published: 19th July 2023

Are too many Councils "sitting ducks" for cyber criminals?

Feature article by M ike Ouwerkerk, WebSafeStaff, and Peak Services - Cyber Security Trainer

I hate to say this, but many councils are sitting ducks for cyber criminals. Why do I think this? Well, I recently finished delivering 300 cyber security awareness sessions to QLD councils via a fully funded initiative from LGAQ and Local Buy, so I’d say I have a pretty good understanding of the knowledge levels of council staff regarding identifying and dealing with cyber scams.

Let me run through the good, and the not so good of this massive undertaking:

The good

We managed to train a wide audience, with over 60% of Queensland councils participating, reaching a total of 4,000 participants.

The awareness course was incredibly well received. It’s a bit different to most cyber security awareness content – it’s very simple, with lots of stories and examples, fun and engaging, and it focuses quite heavily on home use to ensure people actually care about learning. We had consistently great feedback like “best course ever”, “we are a fortress” etc.

Once people did the training, they understood why they are so important in the fight against cybercrime.

The stats are sobering: 82% of data breaches are because someone was tricked, and the average cost of a data breach in Australia in 2022 is $3.35million.

We need people fighting for us!

A wide variety of people attended the training. We had Mayors, Councilors, CEOs, office staff, manual workers, and they all learned a lot with the training, because we are all exposed to the same scams. We had repeat customers! People would return to do the course even after just a few months. When I asked why, it was always because they learnt so much the first time, but they felt like they needed to reinforce their learnings, and top up on what they missed. This is so true, because awareness IS ongoing. You have to keep reinforcing knowledge, and keep people up to date on the latest scams.

In many sessions we had leadership attend. This is amazing, and sets a top-level example that councils do care about cyber security. Leading from the top is so incredibly important with change initiatives like this.

With a strong focus on home use, people will naturally share their new found information with their family. That means keeping their own money and information safe, and even keeping their kids safe online, which in this day and age is a massive concern.

The sessions were fun. 300 individual course deliveries is a lot, but the time flew. Some of the sessions were a blast, people were so engaged, asking questions, telling stories, and even jokes! When people are engaged, they are learning.

The Not So Good

I really hate to be negative, so let’s just say that there is certainly room for improvement:

Knowledge levels are sorely lacking, and this is massively concerning because staff are so much more likely to be tricked. In nearly every session I’m told that people are terrified because of what I’ve shown them. This should not be the case - I should be topping up their knowledge, and improving their confidence. We want suspicious people who are confident in spotting and dealing with cyber scams. I know that many councils already do awareness training, but when people turn up to my sessions and say they’ve learnt so much, it means that either current awareness initiatives are not sufficient, or knowledge is not sticking.

It appears that in many cases, awareness training is offered to staff rather than mandated. So, the people that attended training already had a reasonably strong care factor regarding cyber security, and that’s great, but do the people that didn’t attend training not care about cyber security? People don’t know what they don’t know. So many attendees learnt so much, and they had no idea of their lack of knowledge. Unless someone is strongly encouraging staff to attend (or even mandating), many people won’t be motivated to attend, and a massive cyber security risk remains.

But overall the process was amazing, and hats off to LGAQ and Local Buy for funding this incredible initiative! It will pay for itself many times over, because well trained people are the best defense we have against cyber criminals. Awareness training is a cyber security ‘quick win’. It’s quick, cost effective, and it can remove a massive chunk of cyber security risk. But it’s not something you do once. You have to keep it going, do different things, and keep people constantly informed and reasonably suspicious.

On that note, we’re working on a new awareness training course, which will be based on a knowledge test, with key learnings attached to the questions. The hope is that it will tweak people’s curiosity (and perhaps even ego) as to how much they do, or do not know. Attendees will record their scores, and this will be a fantastic resource for councils to assess the pre-training knowledge of their staff.

As always, my key message is that people are by far the best defense we have against cyber criminals, so train them, nurture and encourage them, and realise their potential. They are not the ‘biggest risk’. They are the ‘biggest asset’, waiting to be awesome.

If you’d like to provide this valuable course to your staff, please email training@wearepeak.com.au for booking information.

For more information on our Cyber Security training, please contact Peak Training Services at training@wearepeak.com.au | 07 3000 2174