How COVID-19 will enable companies to embrace digitisation and remote work

COVID-19 has officially been declared a global pandemic by the World Health Organisation and countries around the world are taking drastic measures to flatten the curve of infections. In light of this, many companies are asking employees to work from home to avoid their workforce being infected and potentially spreading the disease.

Analysis by KPMG estimated that three million Australians could be infected by COVID-19. This, according to Dr. Brendan Ryenne, KPMG chief economist, would translate to a 1.2 per cent loss in productivity, or a loss of 30 million workdays. Given the risk, companies who embrace digitisation and remote work are likely to reduce potential losses, as they’re able to maintain a productive workforce despite the logistical challenges. Those who are already digitally equipped will fare well in this climate and those who aren’t are faced with challenges and opportunities.

There’s been a rise in fully remote companies like Remote. In a survey, Remote found that 99 per cent of respondents wanted to work from home at least some of the time and 95 per cent encouraged others to work remotely too. The main advantage of remote working, from the employees’ perspective, was the flexibility in their work schedule.

According to the Australian Bureau of Statistics, in 2016 almost a third of employees in Australia regularly worked from home and in 2019 an Indeed report showed that 68 per cent of Australian companies allow working from home. Many companies, including those who have been deterred from remote work, are being forced to have a distributed workforce during these difficult times.

One issue that often discourages companies from operating with remote staff is privacy. However, there’s no reason why sectors with a heightened focus on privacy, like finance and law, can’t be fully digitised and distributed.

Take neobanks, for example. CB Insights revealed that neobanks raised US$2.5 billion in the first half of 2019 and Aussie neobanks, like Xinja and Up Bank, have announced solid customer adoption rates. Revolut, which expanded into Australia last year and is possibly the best-known global neobank, has raised US$336.9m according to Crunchbase, earning unicorn status. Neobanks know all about operating remotely; they’re defined by their digital nature and not having physical branches like traditional banks. This has translated into their ability to navigate their way through COVID-19. UK neobank Starling Bank, for example, isn’t worried about the office exodus. “We have been built for this [COVID-19],” said CEO Anne Boden. “We’re built on technology that allows us to offer a scalable and resilient service that’s not tied to a particular location and that can continue to be available to customers 24/7.”

Take the legal sector too. According to Jodie Baker, deputy chair at the Australian Legal Technology Association, Australia is leading the legal tech revolution. In the past few years, there has been rapid expansion of legal technology. In the UK and US, there are such things as legal robots who can perform relatively mundane tasks like legal research. In Australia legal tech for data analysis, block-chained access to legal aid, and comparison and collaboration software all exist and are set to make their mark in the coming years.

The companies who have embraced remote work fully know that productivity, not time spent in a chair, is essential. Take, for example, Jason Fried, CEO at remote company Basecamp. In his TED talk ‘Why work doesn’t happen at work’, he claims that the best work that people do is actually in their own space and time, and that staying later doesn’t result in higher productivity. “There is a ‘presence prison’”, he says, “at many large organisations where one feels that they must stay back late.” Furthermore, a study completed by Airtasker found that remote workers are more productive, exercise more and save money by not commuting.

Companies who see COVID-19 as an opportunity to digitise are likely to fare much better in this climate than those who don’t. Given the extremely high infection rates, it’s necessary that companies consider digital ways of working now and potentially in the longer term. Research shows that remote, distributed teams can work. The test will now be to see whether companies that have a heightened focus on privacy, and have previously snubbed a remote form of working, seize on the opportunity and the technology that’s available. These new ways of working could change industries for the better and accelerate digitisation.

Daniel Bowbyes, GM Strategy, Datacom Cloud

Parliament is out – so what does the virtual parliament look like during COVID-19?

At 5pm on Wednesday 25 March, Parliament adjourned for the next five weeks.

Although it is due to open again on 28 April, it will not do so until the national alert status has been lowered. Standing Orders say select committees can continue to work remotely on bills in the meantime but in the absence of a physical parliament, the House cannot pass legislation without changing, or at least meeting to decide to change, the rules.

Seamless collaboration or virtual disconnection

There are three basic processes that must be managed remotely during this period – cabinet meetings, select committee meetings and parliamentary debates. Remote working causes issues for each one.

Cabinet meetings and select committee meetings are the easiest to resolve – they’re very similar to normal video conferences (VC) in the business world.

But how would a virtual debating chamber session function on a conference call? Assuming the Speaker (currently the Right Honourable Trevor Mallard) sets up and hosts a VC, would he have the power to mute an MP during a debate, and does he have the legal right to do so?

Does the opposition have the power to challenge/mute the prime minister?

Will question time be streamed on the live chat in the sidebar and, if so, can they add GIFs in reaction to some of the statements made?

With the growing uncertainty of how long our country will be on lockdown, one must wonder how government services can proceed in a virtual world and about the practicalities of a digital parliament. In addition, how do the rules change for those who would normally attend in the lobby, chamber or gallery?

Securing a future virtual state

Due to the nature of the organisation, Parliament must maintain the highest trust and security for the people who keep it running. With select committee meetings being held via video conference, how can we ensure that these virtual meetings are kept secure, especially when some VC platforms like Zoom appear to not be encrypted end-to-end?

It’s important to note these quick facts:

  • The average cost of a breach in the public sector is A$1.7m
  • Breaches from system glitches and human error account for 49 per cent of attacks today
  • The chance of experiencing a breach in the next two years is 29.6 per cent.


While the impact on the public sector is significantly lower in comparison to other industries, in times of crisis and extreme circumstance, the risk becomes greater and our government becomes a more likely target.

In New Zealand, government bodies participate in information threat sharing, and recognise the value and necessity of leveraging third party consultants, such as managed service providers, to better prepare for an attack. In many instances, there is a top-down approach to embodying the importance of embarking on a risk-first strategy. These are just a couple of the many tactics that can aid in mitigating the associated risks and costs.

It’s easy to say we don’t really need parliamentary oversight of the government during this time, but when there’s a crisis, that’s precisely the time when such oversight is so very important. Fortunately, today we have the tools to enable parliament to do its work whether they meet in person or not.

5 tips to staying safe and secure when video conferencing from home

As the New Zealand Herald reported, Zoom has some serious security issues in its Windows client that can be “used for limited remote code execution and, worse.”

And for many of us this means about the same as E=mc². What does this mean for us non-cybersecurity folks working from home during the COVID-19 lockdown? And how can you explain that to your mum, eh?

Here are our top five tips about working from home, video conferencing and staying safe.

1. Don’t talk to strangers

Businesses tend to use video conferencing solutions that allow anyone with a valid company email to join freely. If this sounds like your place of work, then stick to that. It means no one from outside the company can join your discussions.

Some video conference solutions allow you to dial in from a mobile phone number as an alternative way in – if you see an unknown number pop up on your chat, challenge them to make sure there aren’t any lurkers.

But for the rest of us, make sure the platform you’re using has an option to set an entry password that you can share separately with all attendees. That way you won’t have any random stranger suddenly pop up in the middle of a shared lunch. Take advantage of the waiting room feature if it exists. You can vet and approve unexpected attendees prior to them potentially wreaking havoc.

Of course, there are those platforms that actively encourage people to drop in – Houseparty is one good example where you can issue an open invitation to anyone in your address book. If you are using these services, be aware that people you might not want on the call can join in. While that is unlikely to be problematic for your children’s schooling, Aunty Jean might think she’s joining a family dinner and a boozy flat game of virtual Truth or Dare might not be her cup of tea.

2. Do you even know what a .bz2 file is?

It’s simple. If you don’t know what a file is and if you don’t know how or what to use to view it, do not click on it, do not open it, and do not share it. If someone sends you a weird link over a video conference session, double-check that it is a real thing they’ve actually sent to you and not something that will hijack your computer. If you think dealing with tech support is hard work in the office, when you’re working remotely it’s doubly difficult. If the person is known to you, but there are attachments, check with them first – and not by email! Their account might have been hacked.

And of course, if you do need to share a file with your colleagues, then use file encryption, encrypted email, or whatever your company uses for secure file sharing. Emailing databases about the place is not considered smart, and certainly is not good practice.

3. Big brother may not be watching, but your housemate might be listening

Chances are your partner or flatmates find your work calls boring but you might not realise that your voice carries to the neighbours. Always consider who else is around when you’re on that conference call, especially if you’re working with sensitive information. Someone might be recording the call without your knowledge or just interested to find out about that big company deal you’re helping put together.

The lesson here is watch what you say. Check the participant list. Consider alternative communication channels for highly confidential conversations. The same applies for screensharing. Close your documents and shut down any irrelevant applications. And in the interests of not driving your family and flatmates nuts with your calls, get a good quality headset rather than shouting at your laptop. Trust me on that one.

4. You know what they say about repetition…

It might be boring, but it pays off. And so does accessing any system or application with more than one type of login.

Hopefully, your company has already introduced multi-factor authentication (MFA), which will require you to check your phone for a code before logging in to any vital system. But in case they haven’t, many platforms allow you to enable MFA yourself. This reduces the chances of someone using your stolen credentials to hack your account and again, wreak havoc. Again, if you think having to change all your credit card details and passwords is a pain when you’re able to move about the city, it’s doubly difficult when we’re all in lockdown, so avoid giving the bad guys access to your details.

5. If it smells funny, don’t sniff

Just because we are talking about video conferencing, doesn’t mean emails suddenly aren’t relevant. If you receive any unexpected emails or an expected email that seems ever so slightly off, don’t click on any links or open any files. Notify your IT team and delete the email. Always check before following those important orders you received from ‘’, or similar that arrived in the dead of night, and need you to urgently pay an invoice or similar. It might be from your boss, but equally it might not.

Most importantly, remember to strike a balance between risk and benefit. Good cybersecurity is not about stopping business activity, but about using appropriate tools for appropriate tasks. Houseparty is a great tool for remote classrooms, but not for executive communications. And finally, find a way to incorporate the norm into the new norm. Have fun with your calls, be kind to your colleagues, and screenshot the awkwardly frozen faces. Most certainly report back to your entire team when a colleague spontaneously decides to flash during your team catch up call. When we all get back to the office, it’ll be good to have a little something up your sleeve for your next performance review.

Follow David Eaton, Associate Director, Cybersecurity at Datacom, on LinkedIn.

The weakest link

You may never find yourself exchanging phone numbers with a Saudi prince, but CEOs and business leaders swap contact details all the time. For Jeff Bezos at Amazon, this was just another routine step along the path that led to a massive breach of his security.  After a personal connection, what is more natural than accepting social media contacts?

Today, companies are under ever increasing pressure to ensure their business processes are robust enough to withstand a cyberattack. Firewalls and anti-virus software are installed, patches applied and staff required to change their passwords on a regular basis. Access to files is restricted to those who need them for particular aspects of their work, processes are put in place for staff who leave and user access to the computers they use is restricted to ensure they don’t do something stupid.

Yet at the same time, we see a rise in the number of possible attack vectors open to the criminals. Social media channels offer new ways to get past the watchdogs and security measures in place. Staff are making great use of cloud-based storage to share documents and larger files. Everyone in your business has a smartphone that’s capable of wreaking havoc yet we regularly let staff ‘bring their own device’ and companies like it because there’s more appeal for staff to work late or on weekends if they do so remotely.

All of this creates more opportunity for the bad guys and more risk for organisations, and especially for business leaders. Because while security restrictions are usually put in place vigorously across the company, the one person who should have extra layers of protection tends to demand fewer.

The boss tends to get the special treatment which allows him or her to have greater access to files and services. They may receive more leniency around passwords and security protocols, and have a hands-on role with their marketing team when it comes to a presence on social media including Twitter, Snapchat and WhatsApp, even if company rules prohibit such activity for others.

Twitter use by Jeff Bezos (and other high-profile business and political leaders) demonstrates that CEOs and organisational leaders are willing to live by a different rule to the rest of the team, and that leaves the organisation open to some serious challenges.

How do you tell the boss that he or she shouldn’t have admin rights on their laptop? That they shouldn’t give out their contact details to everyone they meet, no matter how royal? What about insisting they don’t use their work phones for personal use, such as social media, even when they use social media to talk with customers and represent the company?

It’s a minefield for the security team because, of all the staff in the organisation, those at the top are more likely to be targeted by criminals trying to harvest information and access sensitive information. ‘Spear phishing’, where criminals attempt to pass off communications as being from the CEO or financial department, is a growing area of concern. Having senior leaders who are active on social media, and use it interchangeably with email and other more formal channels of communication, makes life doubly difficult for the security team.

So in light of Jeff Bezos’s breach, here are five tips about cybersecurity for CEOs:

  1. Private vs company

If you do want to share your contact details, use a cut-out service. A phone number that you only use for those instances or an email address that your executive assistant (EA) manages. Keep some distance, and keep it ring-fenced so if there is a problem, it’s limited.

  2. Security isn’t optional

Boring but true. Talk to your cybersecurity leads about how best to handle your specific needs. Routine sweeps of your accounts and devices might be required – especially if you travel overseas a lot – so be prepared for some hassle and annoyance. It’s not their fault – it’s good that they nag.

  3. Set the boundaries for staff

Make it clear how you’ll communicate with the rest of the company. You might use a social media account to talk about the company publicly but you won’t use it to message the CFO at midnight to make an urgent transfer of money, for instance. That way if you are hacked it shouldn’t lead to the company running into financial strife.

  4. If in doubt, there is no doubt

Be suspicious of every communication you receive. If a competitor suddenly wants to share files with you, if a new supplier sends you something directly via an unusual channel, if someone offers to invest large amounts of money out of the blue, be suspicious and if in doubt, check in with your cybersecurity team.

  5. Less is more when travelling

Sure, you might need a laptop and a phone when you’re travelling but you’re also more vulnerable to an attack. Talk to your cybersecurity teams about risk mitigation when on the road and how best to handle that. You should back everything up before you go. You may also be advised to take a ‘travel-only’ laptop (and, depending on the country you are travelling to, perhaps a tablet only) and a phone that can be wiped when you return.

The best defence against cyberattacks is both preparation and planning. Consider the risks, and plan and anticipate the consequences of a breach in terms of your company, your business and you personally.  Doing these things means you’re in a better place to manage any potential attack. And remember that we all suffer from ‘optimism bias’ – “why would anyone target me?” Don’t rely on having never been attacked as proof that you won’t be. Just ask Jeff Bezos how that worked for him.

David Eaton is Associate Director of Cyber Security for Datacom.

Leading from the top: Why our CEOs need to deliver more than just profit

By Fiona Monks – Strategist, CX and Innovation at Datacom

Capitalism as we know it is getting shaky. There’s a wave of pressure coming from consumers, particularly our younger generations, demanding that businesses deliver more than just goods and services. They must regenerate the planet and empower our communities too.

And it’s not a fad or a movement that’s going to go away anytime soon. The reality of our planet’s finite resources will ultimately force the change in how businesses operate and how people consume. Now is the time for our corporate CEOs to lead from the top and show us this new way forward.

… capitalism has to purge its narrow fixation on financial capital and embrace at least five other capitals – natural, social, human, cultural and technological – with finance becoming only a mechanism to facilitate those, rather than an end in itself.


In New Zealand the Government’s response to the UN Sustainable Development Goals has been through the Living Standards Framework and the release of the Wellbeing Budget. Aotearoa has the chance to lead globally on ‘capitalism reimagined’ by leveraging our highly connected communities and embracing these goals through a Te Ao Māori lens.

So what is the CEO to do? And what about the majority of us who aren’t CEOs? How can we craft this switch from a focus on the bottom line to a focus on the greater good? While the path for everyone will be different, here are a few suggestions on where to start.

  1. Embrace your inner activist. Now is the time to connect with your personal and company values and stand up in the public eye for what you believe in. The audience is ready and waiting.
  2. Don’t try to solve everything yourself. At Datacom this is a big one for us, as we see the incredible value that’s generated when organisations come together to solve common problems. We’re part of the #TheBigShift, a movement that’s rethinking how we resource and deliver change in communities. It is a radical shift in how community impact is realised and we exist to build a collaborative multi-sector movement that creates and accelerates impact.
  3. Open your mind to new ways of thinking. You don’t need to become a subject-matter expert, but increasing your awareness of systems thinking and circular economies will stand you in good stead to better identify the opportunities available to your organisation. Going Circular can lead to new business lines, more robust and diversified business models and greater customer engagement.
  4. Empower your employees, colleagues and networks. The best ideas come from all levels of your business. It’s why we’re so keen to educate all of our Datacom team on Circular as part of Datacomp 2019. We want to enable everyone at all levels to spot opportunities to work differently and deliver multifaceted outcomes.

Datacomp: Moving Beyond Sustainability and Embracing Regenerative Design

By Taryn Ellis & Kerry Topp | Datacom

Decades of resource extraction, consumption, pollution and waste have had a devastating cumulative impact on our planet and our people. Globally, a growing number of people realise this cannot continue and they are taking to the streets in protest.

At Datacom we believe if we are to make a significant, urgent and meaningful impact, we need to examine our world-view and make fundamental changes.

Internationally the United Nations is doing just that. Through its Sustainable Development Goals (SDGs), it has called for countries to look beyond just economic measures of success. It is asking countries and businesses to look at social, environmental, and cultural wellbeing as well.

Locally, the New Zealand Government has redefined what success means for New Zealand. Our Government believes that to be successful Aotearoa New Zealand needs to build a productive, sustainable and inclusive economy, which improves the wellbeing and living standards of all New Zealanders.

At Datacom we ask ourselves how do we add value and enable a unified view that prioritises genuine wealth and holistic wellbeing for all life? 

We believe it is possible for businesses to genuinely embrace a new set of performance measures. We believe these measures must place an increased importance on positive contribution to the preservation and regeneration of society, culture and the environment.

We are testing this thinking in two ways:

  1. By mobilising our people and partners to look at areas where they could embrace doing better socially, environmentally and culturally. 
  2. And by shaping up a way for business to easily report on their impact and wellbeing.


Datacomp is our annual innovation activation. It brings together 350 – 430 people of diverse background and experience to solve gnarly challenges. This year we’ve challenged our participants to embrace Circular Design to reimagine how advanced tech can reinvent, reframe and reuse for the good of people, the planet & business.

Underlying this challenge is a not so subtle question we are also asking ourselves:

‘what if we bring together a single, multi-stakeholder conversation about value creation, not value extraction?’ 

Datacomp 2019 – Circular is both our experiment to test this and our start to think and act differently ourselves.

Overcoming obstacles to growth with Datacom and Aruba

Today’s CIOs are expected to drive business innovation, yet many are grappling with limited IT staff, resources and budgets. In a rapidly evolving landscape, leveraging the right tech is key to overcoming those obstacles and freeing up your team to focus on what matters – growth.

At Datacom, we partner with Aruba Networks – a leading provider of next-generation network access solutions – because it enables organisations to take advantage of a cost-effective mobile-ready network without sacrificing business-class performance, security or reliability.

Our Business Development Manager, Tom Cook, regularly sees the following common obstacles cropping up in the market – here’s how utilising Aruba’s networking solutions can help to overcome these issues to accelerate business growth.

Lack of network visibility
A survey by the Ponemon Institute polled some 3,866 IT and IT security practitioners in Asia-Pacific, Europe, the Middle East, Africa and North America and found that more than half (63 per cent) highlighted the importance of network visibility – the need for availability and capacity to monitor traffic on their network.

With Aruba Central, everything from setting up the network to monitoring and maintaining it is streamlined. Whether managing one site or a thousand remote locations, full visibility and control over all network traffic is possible via one enterprise-grade portal.

Slow response times to issues
Many organisations lack the capability to quickly diagnose and rectify network issues before they halt operations, or, worse still, allow a security breach.

Aruba’s connectivity health functionality provides the proactive monitoring and analysis required to address issues in all phases of the connection process, including association with access points, network authentication, address assignment and domain name service accessibility. Detailed drill-downs also help isolate problems and identify rogue devices quickly and easily.

Lack of capital to upgrade
One of the most common obstacles to growth for small and mid-sized businesses is a lack of capital to invest in new systems or infrastructure, no matter how archaic the current set-up may be.

Thanks to the value of the cloud, the cost of implementing high-performing networks has come down significantly. Aruba offers enterprise networking solutions at a consumer-grade price. And the benefits your business can reap from an upgraded solution – in productivity, increased customer engagement, sales growth and more – means you quickly achieve a return on investment (ROI).

Additionally, you can choose a subscription option that fits your business today and scale up or down as needed, so you don’t have to justify a huge Cost of Capital (COC) from the outset.

Security concerns
With such rapid developments in both technology and cyber-crime, Tom regularly speaks with practitioners who believe some of their organisation’s existing security solutions are outdated and inadequate.

Aruba offers the option for integrated and automated security controls to protect business data from malware and unauthorised users, and intrusion detection and prevention to safeguard infrastructure. Aruba’s Instant Wi-Fi also includes a built-in firewall and smart application handling for granular visibility and control to make it even more secure.

Lack of centralised control of the network
Disjointed or incomplete network control capabilities are some of the leading causes of inefficient or insecure network management for businesses of all sizes. Aruba’s comprehensive dashboard provides a streamlined overview of the network, along with client and application performance monitoring views.

Simplified monitoring and control of headend and branch gateways through integrated software-defined WAN (SD-WAN) management is also provided. Intelligent workflows provide the ability to look into specific device, policy or circuit configurations to ensure performance aligns with business and user expectations.

If you’d like to learn more about how Datacom and Aruba can help you achieve better visibility, control and performance of your network, get in touch with a Datacom team near you.

Phishing Trilogy Part 3: The “Carrot and Stick” Approach

What’s the best way to fight phishing attacks? Is it punishing users or rewarding good behaviour?

By Emily Wang

This is Part 3 of the Phishing Trilogy. See the series introduction here:

Part 1 – From awareness to habits

Part 2 – A multi-layered defence

The ‘carrot and stick’ approach

People often scoff at phishing attack victims and put the blame on them. It needs to be recognised that this “blame culture” contributes to the real issue of slow reporting of phishing compromises, which has a direct and material effect on organisations.

Studies collectively show that falling for a phishing email is far from rare and the number of victims is growing. The real question is how to mitigate it. This article covers the discussion around the “carrot and stick” approach. The carrot and the stick are not mutually exclusive and are most effective when used together in the mix that best suits your business.


The consensus in the awareness training domain is not to blame the users. We should encourage them to report any suspicious activities, particularly if they are the originators of the breach.

Since a hacker only needs one person out of the whole organisation to click on a single malicious link, it is impractical to achieve a zero click rate. However, if one person reports the incident, it allows the security and IT teams to review and quickly stop the phishing campaign from spreading and causing further damage.

The Cyber Security Breaches Survey published by the UK government (Department for Digital, Culture, Media and Sport, 2019) found that the most disrupting attacks were more likely to be spotted by employees than by software, which is the case for 63% of businesses. This also aligns with previous years’ findings. Hence, we should realise the importance of staff vigilance and understand the power of empowering employees.


Another school of thought is to enforce punishment when people repeatedly fall for phishing attacks. For example, Paul Beckman, CISO at the Department of Homeland Security, considered a policy to remove employees’ clearance if they repeatedly fail an anti-phishing test. Needless to say, this is a controversial idea and received a lot of criticism. One study showed that the perceived severity of consequences did not predict behaviour (Downs, Holbrook, & Cranor, n.d.).

Studies also show that training focused on prohibition of behaviour or attitudes can often have the opposite effect, whereas training that emphasises positive effects can and does change behaviour (Robinson, 2011).

What is your mix?

This table outlines the differences between the two approaches. It is essential to understand your business to pick the right mix.

Be mindful about leaning too heavily on the “stick” approach. The ripple effects can put a strain on employees’ morale, leading to a sense of anxiety and distrust. In the worst case, it can lead to grudge attacks. Reports show that internal threats in cybersecurity are prevalent and cause more grave damage than external attacks (Tripwire, 2017).

It is our advice to develop an approach that balances the carrot and the stick. Taking into account the responsibility of the role and its importance in your organisation will help you to determine the appropriate balance. For example, an IT admin would be expected to be much more vigilant about phishing than a clerk at your logistics desk. It may well be appropriate for the IT admin, as part of their employment agreement, to agree to a policy with a sliding scale of consequences for phishing breaches, whereas that would not be appropriate for the clerk.

Food for thought

Regardless of what stance you take on the approaches, it is important to consider the following:

– Ask your HR, legal and management to contribute

  • What are the legal or contractual requirements?
  • What is the company’s policy on rewards and penalties?
  • What culture is the company trying to build?

– Be consistent with your approach

  • For example, if enforcement is going to be implemented, senior management need to follow the policy as well. They need to be role models.

– Understand that people make mistakes and don’t blindly blame your staff

  • As discussed, aiming for zero click-rate is unreasonable. Therefore, we need to acknowledge honest mistakes can happen.

– Ensure that you have an incident-handling process in place. For example, who to report incidents to and how.

  • Your staff need to know the proper process to be compliant with the company’s policies.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.


Department for Digital, Culture, Media and Sport, T. (2019). Cyber Security Breaches Survey 2019. London. Retrieved from

Downs, J. S., Holbrook, M., & Cranor, L. F. (n.d.). Behavioral Response to Phishing Risk. Retrieved from

Robinson, L. (2011). How the Science of Behavior Change Can Help Environmentalists. Retrieved from

Tripwire. (2017). Insider Threats as the Main Security Threat in 2017. Retrieved November 19, 2018, from

Phishing Trilogy Part 2: A multi-layered defence

By Emily Wang

This is Part Two of the Phishing Trilogy, read Part One here

We can see how modifying habits can help to combat phishing attacks from part 1 of this trilogy: “From awareness to habits”. However, it is unrealistic to expect that no-one will click on a malicious link just because people’s email behaviour has changed. In fact, some argue that a “Zero Click” goal is harmful (Spitzner, 2017). It doesn’t matter how much training is provided; people will make mistakes.

This is evident from many of our phishing simulation reports, where a few people would ignore the education page after they fell for a simulated phishing email. They realised their mistake as soon as they clicked on the link and would immediately close whatever popped up as a reflex act. This doesn’t in itself show that awareness training is futile; like many other defensive tools, awareness training should be used to reduce risk even though it is not possible to completely eradicate it.

The three pillars

Let us not forget about the three pillars of cybersecurity, namely people, process and technology. Using them together is like building a 3-legged stool. If any of the legs are too short, it will cause an imbalance.

Google recently announced that none of their 85,000+ employees have been phished since early 2017 (Krebs, 2018). What is their secret? Google requires all staff to use security keys to log in. This security key is an inexpensive USB-based device that adds a second factor to the login. That is, the user logs in with something they know (their password) and something they have (their security key). This is called “2-factor authentication”. It is a perfect example of aiding a person with technology and process measures, or as the security experts like to call it, defence in depth.

A multi-layered approach

The guidance from the National Cyber Security Centre (2018) splits the mitigations into four layers:

  • Layer 1: Make it difficult for attackers to reach your users
  • Layer 2: Help users identify and report suspected phishing emails
  • Layer 3: Protect your organisation from the effects of undetected phishing emails
  • Layer 4: Respond quickly to incidents

Take layer 1 as an example. Here is how we can defend ourselves from all three angles:

Many controls can be placed into your organisation at different layers. To implement countermeasures holistically, we need to consider your organisation’s constraints and what is suitable for your employees. At Datacom, we look at how to help customers reduce risks from all six areas. Importantly though:

Don’t wait until it’s too late and don’t rely on just one defence mechanism.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.


Krebs, B. (2018). Google: Security Keys Neutralized Employee Phishing. Retrieved from

National Cyber Security Centre. (2018). Phishing attacks: defending your organisation. Retrieved from

Spitzner, L. (2017). Why a Phishing Click Rate of 0% is Bad | SANS Security Awareness. Retrieved November 18, 2018, from

Phishing Trilogy Part 1: From awareness to habits

By Emily Wang

This is part 1 of the Phishing Trilogy, read the series introduction here.

To click, or not to click, that is the question. How do people make that decision?

Behavioural economics states that we think with both an intuitive mind and an analytical mind. Most of the time we rely on our intuitive mind to make those “quick and dirty” decisions such as fight or flight. If we see a tiger coming from a distance, we don’t need our analytical mind to list all the pros and cons before we know to quickly run away.

This also applies to cybersecurity, and with phishing specifically:

1) We have difficulty perceiving a threat. We may not see the tiger unless we’re aware it could also be in plain sight.

2) Many of us haven’t harnessed our intuitive thinking to create a habit of spotting and reporting phishing emails.

While traditional security training tries to improve our analytical mind’s capacity, it doesn’t focus on sensing and handling dangers intuitively. The difference between what we know and what we feel can lead us to make a wrong decision.


Greater phishing awareness from employees can help prevent phishing attacks. One study confirms that those with a deeper understanding of the web environment and how to correctly interpret URLs are less vulnerable to phishing attacks. But the perceived severity of consequences doesn’t predict behaviour. This suggests that education efforts should be trying to increase intuitive understanding, rather than just warning about risk (Downs, Holbrook, & Cranor, n.d.).

Since New Zealand is far away from the rest of the world geographically, we like to think we are better shielded and safer from any physical or virtual attacks. There is also a sense that because we are a smaller ecosystem, the chances of us becoming a target are reduced. Let’s not forget though, we are only ¼ second away from anywhere in the world online!

This illusion may make us even more ill-prepared when disaster strikes. The truth is that we are aligned with the rest of the world when it comes to phishing attacks. This includes our susceptibility, phishing being the primary data breach method, and the damage caused by attacks.

Turning awareness into habits

Security mindsets are not natural for people, which is why an alarming percentage of employees still fall for a highly effective phishing scam just months after they were trained to watch for it.

Once people are aware of phishing dangers, it is time to build safe email/internet browsing behaviour into habits. We need to harness our intuition and be able to quickly and effortlessly handle most of the phishing attempts.

Habit formation is a powerful means to behavioural change. Scientists have found that habits are formed and operated separately from the part of the brain responsible for memory (Duhigg, 2012). Studies confirmed that we make unconscious choices without having to remember anything about decision making.

Our brains are constantly looking for new ways to form automatic routines. For example, riding a bike or driving a car requires over a dozen separate actions, but we do them daily without a second thought.

How can we leverage habits to avoid phishing attacks with our intuitive mind? By repetition. When we repeat an action enough times, a process known as ‘chunking’ will take place where the brain converts a series of conscious actions into an automatic routine.

The habit process:

1. Cue. A trigger that tells your brain to go into automatic mode and which routine to use.

2. Routine. A physical, mental, or emotional behaviour that follows the cue.

3. Reward. Positive feedback to tell your brain that the routine works well and is worth remembering.

How to form the habit of defending against phishing

Let’s look at the case of checking emails and how we could tweak a routine to protect ourselves.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.


Downs, J. S., Holbrook, M., & Cranor, L. F. (n.d.). Behavioral Response to Phishing Risk. Retrieved from

Duhigg, C. (2012). The power of habit: Why we do what we do in life and business. New York: Random House.