Cyber security: Are your people the problem?

Highlights

Cybercrime begins at the frontline. Here’s how to minimise risk:

  • Focus your attention on your staff
  • Upskill your team
  • Ensure everyone has a grasp of what not to click
  • Continue the training to keep pace with new threats

Chief information officers typically take a high-tech approach to cyber security, unwisely ignoring a crucial and very familiar presence: their own staff.

Australia has a remarkably high cyber-attack rate. Between 2014 and 2015, the frequency of attacks was almost three times that seen in the rest of the world, according to a PwC survey, which found that despite strong investment, “Australian businesses still face significant cyber challenges”.

Complicating matters, organisations are struggling to accept that cybercrime is as much a people problem as a technology one, PwC cyber czar Steve Ingram says. Heavy investment in technology is futile, he adds, if staff error ends up doing the work of a saboteur, however accidental the mistake.

Ingram’s view that staff are scoring own goals is echoed by the Australian Cyber Security Centre (ACSC), which found in a 2015 report that the “trusted insider” was the threat of most concern to respondents. No fewer than 60 per cent worried about the risk posed by internal incompetence. Cited factors contributing to security incidents included staff errors or omissions, misconfigured systems, and poor security culture.

Yet, the ACSC also says, more and more investment is going into technical controls while the risks arising from people are overlooked.

Get staff on side

The chief information security officer (CISO) at security firm Blue Coat ANZ, Damien Manuel, suggests that some of the issue lies with the aggressive gatekeeper-style approach that CISOs have traditionally taken – without bothering to explain the hows and whys to staff.

“No employee wants to be the source of damage to a business or responsible for a data breach that hits the headlines,” Manuel says. “But unfortunately, many employees see CISOs and their teams as disciplinarians who issue arbitrary rules – or worse, as an obstacle to be bypassed in order to ‘get work done’.

“Outright banning of cloud-based technology won’t work, so CISOs must make a case for good security practices that appeal to busy employees who don’t necessarily understand IT, and that balance security with employee productivity.”

Security consultant Corch X, founder and managing director of Shogun Cybersecurity, echoes Manuel’s point about poor understanding. “A successful cyber security strategy has to recognise that the people in an organisation have vulnerabilities, just like IT does, and that, like IT, people need frequent security updates – training and awareness programs – to be resilient in the face of constantly evolving threats.

“It’s not enough to make people sit through a web-based training course when they sign up with the company – it takes continuous effort to maintain current cyber security skills,” says Corch, whose experience spans federal government, banking and finance.

Like a server that is never patched after deployment, an employee who gets no regular training in spotting and responding to current threats becomes easier to exploit over time, he says. Despite huge security budgets, organisations struggle to lift their game because they overlook how fallible people can be: executives still see information security as purely an IT problem with purely IT solutions, he adds.

“Moreover, the IT solutions they favour are overwhelmingly focused on perimeter defences and the idea that hackers can be kept out with firewalls and fancy algorithms,” Corch says. “Not enough attention is paid to training staff how to recognise and respond to a cyber incident.”

The failure of the purely technical approach to cyber security is demonstrated by today’s threat landscape, Corch says, citing phishing, malware and “browser exploits” including malicious JavaScript execution.

“What do all these threats have in common? They infiltrate secure networks by leveraging the very services that businesses have come to depend on every day, email and web browsing. They succeed because they understand a fundamental principle of cyber security: people are easier to exploit than computers.”

Train staff, report trouble

Corch’s advice: train staff not to click links they do not recognise or trust. Better still, they should not open emails from untrusted senders at all. Across the organisation, use browser plug-ins or web content filters to disable JavaScript by default, enabling it only for sites that need it. Skip installing Flash unless there is a specific business need; where there is, a plug-in such as Flashblock can block Flash by default while allowing click-to-play for the users who need it.
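As an added illustration, not part of the original article or of Corch’s own advice, this is what the “JavaScript off by default, allowed only where needed” stance looks like when pushed out centrally as a managed policy for Google Chrome. The key names are Chrome’s enterprise policy keys (2 = block, 1 = allow for JavaScript; 3 = click to play for plug-ins). The example.com URL patterns are placeholders for an organisation’s own intranet and training sites, and the plug-in keys applied to the Flash-era browser builds the article describes; they have since been dropped together with Flash itself.

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "https://intranet.example.com",
    "[*.]example.com"
  ],
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "https://training.example.com"
  ]
}
```

On Linux the file goes under /etc/opt/chrome/policies/managed/; on Windows the same keys are set under HKLM\Software\Policies\Google\Chrome via Group Policy. Confirm the result on a managed machine at chrome://policy, and expect the allow list to grow: every line-of-business web app that breaks without JavaScript is a candidate, which is exactly the security-versus-productivity balance Manuel describes above.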

Another option is simulated phishing programs that mimic real phishing attacks and train users to spot and dodge phishing ploys. The fake phish programs indicate employees’ baseline susceptibility and their room for improvement through training.

Do not take a carefree attitude to in-house browsing: sinking ever more investment into technical solutions only gets you so far.

“It doesn’t matter how much you spend on technology if your suppliers are doing the same or if your people don’t understand their role in cyber,” Ingram says in the PwC report.

If, despite your best efforts, your people slip up and you are hit by hackers, make life easier for everyone by reporting the breach to the main contact point for cyber security issues affecting big Australian businesses, CERT Australia, the ACSC says. Alternatively, contact the Australian Cybercrime Online Reporting Network (ACORN), which aims to make it easier for people to recognise, report and avoid common kinds of cybercrime.

“Reporting helps develop a better understanding of the cybercrime affecting Australia,” the ACSC says. “By understanding the enablers, we can make it harder and less rewarding to commit cybercrime, therefore making Australia a safer place to do business.”
