Q&A: “Just be mindful that people are interested in you…” - Sarah Sloan

The first is that we launched an interactive webinar session so people could come online, and we would run through the top ten tips that we've developed. We've developed this collateral document, called Secure by Habit: Ten Cybersecurity Tips for Parliamentarians and Staffers. We developed that material in close collaboration with the Australian Cyber Security Centre as well as the Department of Parliamentary Services.

And that was for a couple of reasons.

Obviously, we want to make sure that they're best practice, that they're reflective of real-world examples, but also that we're aligning with the government's messaging, and we're not confusing our stakeholders around what we're prioritising and why we're saying it. So the series was really comprised of those two components, the webinar, and then the Top Ten Tips, and the tips themselves. I mean, I'm happy to run through all ten of them…

Cyber Daily: Can we focus on the top three?

Sarah Sloan: I think actually the first one that we flagged was really just around acting like you’re a target, around the way you go about operating in your everyday affairs. Just be mindful that people are interested in you, and they're interested in parliamentarians, not least because of the role that they hold, but also the information they access, the decisions they make.

So really, the first one we kind of tried to emphasize with this group of stakeholders was just to be mindful of the cyber threats that we now face; they don't just stay at Parliament House. They don't just stay on their government devices, right? They transfer across, unfortunately, into your everyday way of life, even potentially, when you're on holiday, or when you're going about your everyday business.

VIEW ALL

That was one of the first ones that we were really keen to highlight and to underscore.

And then the other ones range from ones you'll be very familiar with – things like using strong pass phrases and obviously not having passwords across multiple accounts. I think our industry as a whole has been speaking about this for some time and trying to reaffirm that message, because it remains a critical and core message. Others were around turning on multi-factor authentication, where you can, and obviously, updating your devices is critically important. We also touched on Wi Fi, like trying to avoid public, open Wi Fi, where you can and talking them through the preference to use your own hotspot if you're looking for internet connectivity, and you're not in a position where you have a trusted, secure Wi Fi available.

Cyber Daily: So you're basically telling them to avoid airport Wi Fi, in other words?

Sarah Sloan: Yeah, we talked it through as being a conversation around trust and, once again, driving down risk. So, as you’re looking at Wi Fi networks, is it a trusted and known network, you know? Do you know who's running it? Is it password-protected? Is there a degree of trust in that dynamic, or is it, yet, to your point, open Wi Fi where you're not entirely sure who's running it, how secure, how up to date that network is, and whether you’re potentially falling for an impersonated network is, of course, one of the risks there.

We tried to make them as practical as we could in terms of the content, and really tried to tie in some real-world examples where we could – like being conscious of what you're even posting online. You know, we all want to share exciting developments in our life: the birth of a child is a common one, but just highlighting that obviously contains, sometimes, the full name and date of birth of their new child.

Obviously, as you know, that is all data that our adversaries can collect and then use at some other point in time. You know, whether that's a really targeted, timely phishing attack, for instance.

Cyber Daily: That’s really interesting, because you often look at – particularly politicians – that one of the things they will like to do with social media is use it to humanise themselves, so they want to share all that kind of stuff: the birth of a new child, or what they're doing as part of their social activities… But I guess that's all useful to the right kind of threat actor.

Sarah Sloan: I think it's all about, once again, risk reduction.

It's not saying that you can't do that. It's just saying maybe redact some information that you don't need to share. I mean, you can announce the birth of a new child. You can even share their name, but maybe not share their full name and maybe not share their exact date of birth. We talk through, also, examples of people wanting to post their first day of school for their children, all of that.

But law enforcement globally is trying to work with parents to say, “Hey, let's not post the picture of their school uniform,” for instance. Let's redact that out so that there's less information out there about your child. I think the message that we try to push through, once again, is a risk reduction strategy. It's not that you can't engage online; it's not that you can't share this information. It's just being conscious of what details you can actually omit to enhance your security as you go about your everyday work.

Cyber Daily: What kind of feedback have you gotten from parliamentarians about this advice that you give them, and how easy are they to actually educate?

Sarah Sloan: Yeah, that’s a good question.

The engagement on the launch activity was very strong. You might have seen that we actually had engagement from both sides of politics, which is lovely; to keep cyber security a bipartisan issue, I think, is a real strength of Australian institutions and our democratic systems.

We had Senator Claire Chandler, who was then the Shadow Minister for cyber security. We also had Andrew Charlton, who obviously was the Assistant Minister for Science, Technology and the Digital Economy, as well as the Speaker of the House, which I think was really amazing, to highlight that commitment to the topic of cyber security.

In terms of the webinar sessions, we had really strong engagement, actually, a lot of people engaging and asking questions. As you can imagine, members of parliament get a lot of material sent to them, emails from people that they're not necessarily familiar with. There were some great questions around that kind of topic, and, yeah, engaging with the material quite strongly.

I think in that regard, the feedback is quite strong, but you know, there's an interest from our parliamentarians to learn more. And you know, they're obviously very busy individuals, so we will be trying to share this material after the fact. We're hoping to send out the webinars so they can view them on demand. And obviously, we'll be distributing the Top Ten material far and wide, so that people have access to it.

Cyber Daily: And this will be not just the federal side of politics – you’re addressing the state and local side as well?

Sarah Sloan: Yes. We announced, as part of the launch activity, that we are rolling this out nationally, which is very exciting. We're not just focused on the federal parliament – we will be trying to go around the country and help support parliamentarians across the country with their cyber security uplift and resilience.

And, obviously, as we go around the country, once again, we'll be working in partnership with government agencies there. As you'd be aware, government agencies do a fair amount of activity in terms of trying to raise cyber resilience and awareness with government agencies and elected officials, and we're really hoping to kind of complement that effort.

I think in light of the threat landscape, there's never been a better time for us to back in, as the corporate and private sector, and support the messaging to our public sector colleagues around the importance of cyber resilience.