Complicating matters, organisations are struggling to accept that cybercrime is a people problem, as much as a technology one, PwC cyber czar Steve Ingram says. Heavy investment in technology is futile, he adds, if staff error amounts to sabotage, no matter how accidental.
Ingram’s own-goal take is echoed by the Australian Cyber Security Centre (ACSC), which found in a 2015 report that the “trusted insider” was of most concern to respondents. No less than 60 per cent worried about the threat of internal incompetence. Cited factors contributing to security incidents included staff errors or omissions, misconfigured systems, and poor security culture.
Alas, the ACSC also says, more and more investment is going into technical controls while the risks arising from people get overlooked.
Get staff on side
The chief information security officer (CISO) at security firm Blue Coat ANZ, Damien Manuel, suggests that some of the issue lies with the aggressive gatekeeper-style approach that CISOs have traditionally taken – without bothering to explain the hows and whys to staff.
“No employee wants to be the source of damage to a business or responsible for a data breach that hits the headlines,” Manuel says. “But unfortunately, many employees see CISOs and their teams as disciplinarians who issue arbitrary rules – or worse, as an obstacle to be bypassed in order to ‘get work done’.
“Outright banning of cloud-based technology won’t work, so CISOs must make a case for good security practices that appeal to busy employees who don’t necessarily understand IT, and that balance security with employee productivity.”
Security consultant Corch X, founder and managing director of Shogun Cybersecurity, echoes Manuel’s point about poor understanding. “A successful cyber security strategy has to recognise that the people in an organisation have vulnerabilities, just like IT does, and that, like IT, people need frequent security updates – training and awareness programs – to be resilient in the face of constantly evolving threats.
“It’s not enough to make people sit through a web-based training course when they sign up with the company – it takes continuous effort to maintain current cyber security skills,” says Corch, whose experience spans federal government, banking and finance.
Like a server that never gets patched once deployed, an employee without regular training in spotting and responding to cutting-edge threats becomes easier to exploit over time, he says. Despite huge security budgets, organisations struggle to lift their game because they overlook how fallible people can be – information security is still seen by executives as purely an IT problem with purely IT solutions, he adds.
“Moreover, the IT solutions they favour are overwhelmingly focused on perimeter defences and the idea that hackers can be kept out with firewalls and fancy algorithms,” Corch says. “Not enough attention is paid to training staff how to recognise and respond to a cyber incident.”
“What do all these threats have in common? They infiltrate secure networks by leveraging the very services that businesses have come to depend on every day, email and web browsing. They succeed because they understand a fundamental principle of cyber security: people are easier to exploit than computers.”
Train staff, report trouble
Another option is simulated phishing programs that mimic real phishing attacks and train users to spot and dodge phishing ploys. The fake phish programs indicate employees’ baseline susceptibility and their room for improvement through training.
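As an added example, not code from the article or from any organisation it names, the Python below scores a simulated phishing programme the way the paragraph describes: a baseline click rate from the first campaign, the report rate (the behaviour you actually want to see rise), the change across later campaigns, per-department weak spots, and the repeat clickers who need targeted training. The campaign records are constructed sample data, and the campaign identifiers are assumed to sort chronologically.

```python
"""Score a simulated phishing programme (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    campaign: str   # assumed to sort chronologically, e.g. "2016-Q1" < "2016-Q2"
    user: str
    dept: str
    clicked: bool   # followed the lure link / opened the attachment
    reported: bool  # forwarded the message to the security team


# Constructed results for two campaigns; not real data.
RESULTS = [
    PhishResult("2016-Q1", "alice", "finance", True, False),
    PhishResult("2016-Q1", "bob", "finance", True, False),
    PhishResult("2016-Q1", "carol", "finance", False, True),
    PhishResult("2016-Q1", "dave", "eng", False, False),
    PhishResult("2016-Q1", "erin", "eng", True, False),
    PhishResult("2016-Q2", "alice", "finance", True, False),
    PhishResult("2016-Q2", "bob", "finance", False, True),
    PhishResult("2016-Q2", "carol", "finance", False, True),
    PhishResult("2016-Q2", "dave", "eng", False, True),
    PhishResult("2016-Q2", "erin", "eng", False, False),
]


def campaign_rates(results):
    """Return {campaign: (click_rate, report_rate)}, both as fractions of recipients."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    rates = {}
    for name, rs in sorted(by_campaign.items()):
        n = len(rs)
        clicks = sum(1 for r in rs if r.clicked)
        reports = sum(1 for r in rs if r.reported)
        rates[name] = (clicks / n, reports / n)
    return rates


def dept_click_rates(results):
    """Return {campaign: {dept: click_rate}} so the weakest teams can be targeted."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # dept -> [clicks, sent]
    for r in results:
        tally = counts[r.campaign][r.dept]
        tally[0] += int(r.clicked)
        tally[1] += 1
    return {camp: {d: c[0] / c[1] for d, c in depts.items()}
            for camp, depts in counts.items()}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for one-to-one training."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_clicks)


def click_rate_trend(results):
    """Return (baseline_campaign, latest_campaign, change in click rate).

    Negative change means fewer people fell for the lure; the baseline is the
    earliest campaign, i.e. susceptibility before any training took effect.
    """
    rates = campaign_rates(results)
    names = sorted(rates)
    first, last = names[0], names[-1]
    return first, last, rates[last][0] - rates[first][0]


if __name__ == "__main__":
    for camp, (click, report) in campaign_rates(RESULTS).items():
        print(f"{camp}: clicked {click:.0%}, reported {report:.0%}")
    print("by department:", dict(dept_click_rates(RESULTS)))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("trend:", click_rate_trend(RESULTS))
```

Track the report rate alongside the click rate: a falling click rate with a flat report rate means staff are ignoring lures rather than alerting security, and the incident-reporting step later in the article only works if someone raises the alarm.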
It is also crucial not to be complacent about in-house browsing, because pouring ever more investment into technical solutions only gets you so far.
“It doesn’t matter how much you spend on technology if your suppliers are doing the same or if your people don’t understand their role in cyber,” Ingram says in the PwC report.
If, despite your best efforts, your people stuff up and you are hit by hackers, make life easier for everyone by reporting the breach to the main contact point for cyber security issues dogging big Australian businesses: CERT Australia, the ACSC says. Or get in touch with the Australian Cybercrime Online Reporting Network (ACORN), which aims to make it easier for people to recognise, report and avoid common kinds of cybercrime.
“Reporting helps develop a better understanding of the cybercrime affecting Australia,” the ACSC says. “By understanding the enablers, we can make it harder and less rewarding to commit cybercrime, therefore making Australia a safer place to do business.”