Cyber security: Are your people the problem?

Highlights

Cybercrime begins at the frontline. Here’s how to minimise risk:

  • Focus your attention on your staff
  • Upskill your team
  • Ensure everyone has a grasp of what not to click
  • Continue the training to keep pace with new threats

Chief information officers typically take a high-tech approach to cyber security, unwisely ignoring a crucial, familiar presence: staff.

Australia has a remarkably high cyber-attack rate. From 2014 to 2015, the frequency almost tripled that of the rest of the world, according to a PwC survey, which revealed that despite strong investment, “Australian businesses still face significant cyber challenges”.

Complicating matters, organisations are struggling to accept that cybercrime is a people problem, as much as a technology one, PwC cyber czar Steve Ingram says. Heavy investment in technology is futile, he adds, if staff error amounts to sabotage, no matter how accidental.

Ingram’s own-goal take is echoed by the Australian Cyber Security Centre (ACSC), which found in a 2015 report that the “trusted insider” was of most concern to respondents. No less than 60 per cent worried about the threat of internal incompetence. Cited factors contributing to security incidents included staff errors or omissions, misconfigured systems, and poor security culture.

Alas, the ACSC also says, more and more investment is going into technical controls while the risks arising from people get overlooked.

Get staff on side

The chief information security officer (CISO) at security firm Blue Coat ANZ, Damien Manuel, suggests that some of the issue lies with the aggressive gatekeeper-style approach that CISOs have traditionally taken – without bothering to explain the hows and whys to staff.

“No employee wants to be the source of damage to a business or responsible for a data breach that hits the headlines,” Manuel says. “But unfortunately, many employees see CISOs and their teams as disciplinarians who issue arbitrary rules – or worse, as an obstacle to be bypassed in order to ‘get work done’.

“Outright banning of cloud-based technology won’t work, so CISOs must make a case for good security practices that appeal to busy employees who don’t necessarily understand IT, and that balance security with employee productivity.”

Security consultant Corch X, founder and managing director of Shogun Cybersecurity, echoes Manuel’s point about poor understanding. “A successful cyber security strategy has to recognise that the people in an organisation have vulnerabilities, just like IT does, and that, like IT, people need frequent security updates – training and awareness programs – to be resilient in the face of constantly evolving threats.

“It’s not enough to make people sit through a web-based training course when they sign up with the company – it takes continuous effort to maintain current cyber security skills,” says Corch, whose experience spans federal government, banking and finance.

Like a server that never gets patched once deployed, an employee without regular training in spotting and responding to cutting-edge threats becomes easier to exploit over time, he says. Despite huge security budgets, organisations struggle to lift their game because they overlook how fallible people can be – information security is still seen by executives as purely an IT problem with purely IT solutions, he adds.

“Moreover, the IT solutions they favour are overwhelmingly focused on perimeter defences and the idea that hackers can be kept out with firewalls and fancy algorithms,” Corch says. “Not enough attention is paid to training staff how to recognise and respond to a cyber incident.”

The failure of the purely technical approach to cyber security is demonstrated by today’s threat landscape, Corch says, citing phishing, malware and “browser exploits” including malicious JavaScript execution.

“What do all these threats have in common? They infiltrate secure networks by leveraging the very services that businesses have come to depend on every day, email and web browsing. They succeed because they understand a fundamental principle of cyber security: people are easier to exploit than computers.”

Train staff, report trouble

Corch’s advice: train staff to avoid clicking links they do not recognise or trust. In fact, they should refrain from opening emails from untrusted senders at all. Across your organisation, use browser plug-ins or web content filters to disable JavaScript by default. Skip installing Flash unless you have a specific business need; a versatile plug-in such as Flashblock can block Flash by default but allow click-to-play for users who need it.
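One way to roll out the "JavaScript off by default, Flash click-to-play" advice above across a fleet rather than per user is a managed browser policy. The script below is an added example, not from the article or from Shogun Cybersecurity; it assumes Chrome or Chromium on Linux reading policies from /etc/opt/chrome/policies/managed/, and the allowlisted sites are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): writes a Chrome managed-policy file that
# blocks JavaScript by default, allows it only on an explicit list of business
# sites, and sets plugins such as Flash to click-to-play instead of auto-run.
# Assumes Chrome/Chromium on Linux, where managed policies are read from
# /etc/opt/chrome/policies/managed/; the directory is a parameter so the
# function can be exercised against a scratch directory first.
#
# Weak settings this replaces (Chrome's behaviour when no policy is set):
#   "DefaultJavaScriptSetting": 1   -> every site may run JavaScript
#   "DefaultPluginsSetting": 1      -> plugins such as Flash auto-run
# Note: DefaultPluginsSetting=3 (click-to-play) only applies to Flash-era
# Chrome releases; it was dropped together with Flash support.

write_chrome_policy() {
    policy_dir="$1"
    # Sites that genuinely need JavaScript. Constructed for the example;
    # replace with the organisation's own applications.
    js_allowlist='"[*.]intranet.example", "https://mail.example.com"'
    mkdir -p "$policy_dir"
    cat > "$policy_dir/browsing-hardening.json" <<EOF
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [ $js_allowlist ],
  "DefaultPluginsSetting": 3
}
EOF
    chmod 644 "$policy_dir/browsing-hardening.json"
}

# Returns 0 only if the written policy really blocks JavaScript by default,
# keeps an allowlist, and leaves Flash on click-to-play, so a deployment
# script can verify its own work before moving on to the next host.
check_chrome_policy() {
    f="$1/browsing-hardening.json"
    grep -q '"DefaultJavaScriptSetting": 2' "$f" &&
    grep -q 'JavaScriptAllowedForUrls' "$f" &&
    grep -q '"DefaultPluginsSetting": 3' "$f"
}

# Typical use on a managed host (needs root):
#   write_chrome_policy /etc/opt/chrome/policies/managed &&
#   check_chrome_policy /etc/opt/chrome/policies/managed
```

After the file is in place, chrome://policy on a client should list the three settings as applied; a site missing from the allowlist will then load without script until it is added.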

Another option is simulated phishing programs that mimic real phishing attacks and train users to spot and dodge phishing ploys. The fake phish programs indicate employees’ baseline susceptibility and their room for improvement through training.

It’s crucial to avoid taking a carefree attitude to in-house browsing because the tendency to sink more investment into technical solutions only gets you so far.

“It doesn’t matter how much you spend on technology if your suppliers are doing the same or if your people don’t understand their role in cyber,” Ingram says in the PwC report.

If, despite your best efforts, your people stuff up and you are hit by hackers, make life easier for everyone by reporting the breach to the main contact point for cyber security issues dogging big Australian businesses: CERT Australia, the ACSC says. Or get in touch with the Australian Cybercrime Online Reporting Network (ACORN), which aims to make it easier for people to recognise, report and avoid common kinds of cybercrime.

“Reporting helps develop a better understanding of the cybercrime affecting Australia,” the ACSC says. “By understanding the enablers, we can make it harder and less rewarding to commit cybercrime, therefore making Australia a safer place to do business.”
