Cyber security: Are your people the problem?


Cybercrime begins at the frontline. Here’s how to minimise risk:

  • Focus your attention on your staff
  • Upskill your team
  • Ensure everyone has a grasp of what not to click
  • Continue the training to keep pace with new threats

Chief information officers typically take a high-tech approach to cyber security, unwisely ignoring a crucial, familiar presence: staff.

Australia has a remarkably high cyber-attack rate. From 2014 to 2015, the frequency almost tripled that of the rest of the world, according to a PwC survey, which revealed that despite strong investment, “Australian businesses still face significant cyber challenges”.

Complicating matters, organisations are struggling to accept that cybercrime is a people problem, as much as a technology one, PwC cyber czar Steve Ingram says. Heavy investment in technology is futile, he adds, if staff error amounts to sabotage, no matter how accidental.

Ingram’s own-goal take is echoed by the Australian Cyber Security Centre (ACSC), which found in a 2015 report that the “trusted insider” was of most concern to respondents. No less than 60 per cent worried about the threat of internal incompetence. Cited factors contributing to security incidents included staff errors or omissions, misconfigured systems, and poor security culture.

Alas, the ACSC also says, more and more investment is going into technical controls while the risks arising from people get overlooked.

Get staff on side

The chief information security officer (CISO) at security firm Blue Coat ANZ, Damien Manuel, suggests that some of the issue lies with the aggressive gatekeeper-style approach that CISOs have traditionally taken – without bothering to explain the hows and whys to staff.

“No employee wants to be the source of damage to a business or responsible for a data breach that hits the headlines,” Manuel says. “But unfortunately, many employees see CISOs and their teams as disciplinarians who issue arbitrary rules – or worse, as an obstacle to be bypassed in order to ‘get work done’.

“Outright banning of cloud-based technology won’t work, so CISOs must make a case for good security practices that appeal to busy employees who don’t necessarily understand IT, and that balance security with employee productivity.”

Security consultant Corch X, founder and managing director of Shogun Cybersecurity, echoes Manuel’s point about poor understanding. “A successful cyber security strategy has to recognise that the people in an organisation have vulnerabilities, just like IT does, and that, like IT, people need frequent security updates – training and awareness programs – to be resilient in the face of constantly evolving threats.

“It’s not enough to make people sit through a web-based training course when they sign up with the company – it takes continuous effort to maintain current cyber security skills,” says Corch, whose experience spans federal government, banking and finance.

Like a server that never gets patched once deployed, an employee without regular training in spotting and responding to cutting-edge threats becomes easier to exploit over time, he says. Despite huge security budgets, organisations struggle to lift their game because they overlook how fallible people can be – information security is still seen by executives as purely an IT problem with purely IT solutions, he adds.

“Moreover, the IT solutions they favour are overwhelmingly focused on perimeter defences and the idea that hackers can be kept out with firewalls and fancy algorithms,” Corch says. “Not enough attention is paid to training staff to recognise and respond to a cyber incident.”

The failure of the purely technical approach to cyber security is demonstrated by today’s threat landscape, Corch says, citing phishing, malware and “browser exploits” including malicious JavaScript execution.

“What do all these threats have in common? They infiltrate secure networks by leveraging the very services that businesses have come to depend on every day, email and web browsing. They succeed because they understand a fundamental principle of cyber security: people are easier to exploit than computers.”

Train staff, report trouble

Corch’s advice: train staff to avoid clicking links they do not recognise or trust. In fact, they should refrain from opening emails from untrusted senders at all. Across your organisation, use browser plug-ins or web content filters to disable JavaScript by default. Skip installing Flash unless you have a specific business need. A versatile plug-in such as Flashblock can be used to block Flash by default but allow click-to-play for users who need it.

Another option is simulated phishing programs that mimic real phishing attacks and train users to spot and dodge phishing ploys. The fake phish programs indicate employees’ baseline susceptibility and their room for improvement through training.
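The paragraph above says a simulated phishing programme gives you a baseline and a way to measure improvement, but not what that measurement looks like. The following is an added example, not code from the article, PwC, or Shogun Cybersecurity: a small scorer that takes the event telemetry a simulation tool would export (sent, opened, clicked, submitted credentials, reported) and turns it into the numbers a security team actually tracks per round: click rate, report rate, per-department click rate, and the users who clicked in every round and so need a refresher. The users, departments and events are constructed sample data, and the record format is an assumption.

```python
"""Score simulated-phishing rounds: baseline susceptibility, improvement over
time, and who needs follow-up training. Added example with constructed data."""
from collections import defaultdict

ACTIONS = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample telemetry for two simulation rounds (hypothetical users and
# departments, not real campaign data). One tuple per observed action:
# (round, user, department, action). Assumed export format.
EVENTS = [
    (1, "alice", "finance", "sent"), (1, "alice", "finance", "opened"),
    (1, "alice", "finance", "clicked"), (1, "alice", "finance", "submitted"),
    (1, "bob", "finance", "sent"), (1, "bob", "finance", "opened"),
    (1, "bob", "finance", "clicked"),
    (1, "carol", "hr", "sent"), (1, "carol", "hr", "opened"),
    (1, "carol", "hr", "reported"),
    (1, "dave", "hr", "sent"),
    (1, "erin", "it", "sent"), (1, "erin", "it", "opened"),
    (1, "erin", "it", "reported"),
    (1, "frank", "sales", "sent"), (1, "frank", "sales", "opened"),
    (1, "frank", "sales", "clicked"),
    (2, "alice", "finance", "sent"), (2, "alice", "finance", "opened"),
    (2, "alice", "finance", "clicked"),
    (2, "bob", "finance", "sent"), (2, "bob", "finance", "opened"),
    (2, "bob", "finance", "reported"),
    (2, "carol", "hr", "sent"), (2, "carol", "hr", "reported"),
    (2, "dave", "hr", "sent"), (2, "dave", "hr", "opened"),
    (2, "dave", "hr", "clicked"),
    (2, "erin", "it", "sent"), (2, "erin", "it", "reported"),
    (2, "frank", "sales", "sent"), (2, "frank", "sales", "opened"),
    (2, "frank", "sales", "reported"),
]


def round_summary(events):
    """Per round: distinct-user counts for each action plus click and report
    rates as a fraction of users who were sent the lure. A user is counted
    once per action even if the tool logged several identical events."""
    per_round = defaultdict(lambda: defaultdict(set))
    for rnd, user, _dept, action in events:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        per_round[rnd][action].add(user)
    out = {}
    for rnd, acts in sorted(per_round.items()):
        sent = len(acts["sent"])
        if sent == 0:
            raise ValueError(f"round {rnd} has no 'sent' events")
        summary = {a: len(acts[a]) for a in ACTIONS}
        summary["click_rate"] = round(len(acts["clicked"]) / sent, 3)
        summary["report_rate"] = round(len(acts["reported"]) / sent, 3)
        out[rnd] = summary
    return out


def department_click_rates(events, rnd):
    """Click rate per department for one round, to see where training lands."""
    sent = defaultdict(set)
    clicked = defaultdict(set)
    for r, user, dept, action in events:
        if r != rnd:
            continue
        if action == "sent":
            sent[dept].add(user)
        elif action == "clicked":
            clicked[dept].add(user)
    return {d: round(len(clicked[d]) / len(users), 3) for d, users in sent.items()}


def repeat_clickers(events):
    """Users targeted in more than one round who clicked in every one of them:
    the group a refresher course should go to first."""
    sent = defaultdict(set)
    clicked = defaultdict(set)
    for r, user, _dept, action in events:
        if action == "sent":
            sent[user].add(r)
        elif action == "clicked":
            clicked[user].add(r)
    return sorted(u for u, rounds in sent.items()
                  if len(rounds) > 1 and rounds <= clicked[u])


if __name__ == "__main__":
    for rnd, s in round_summary(EVENTS).items():
        print(f"round {rnd}: click_rate={s['click_rate']} report_rate={s['report_rate']}")
        print(f"  by department: {department_click_rates(EVENTS, rnd)}")
    print("repeat clickers:", repeat_clickers(EVENTS))
```

On the constructed data the click rate falls from 0.5 to 0.333 between rounds while the report rate doubles, which is the pair of numbers worth watching: a programme that only lowers clicks without raising reports has taught people to delete suspicious mail, not to tell the security team about it.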

It’s crucial to avoid taking a carefree attitude to in-house browsing because the tendency to sink more investment into technical solutions only gets you so far.

“It doesn’t matter how much you spend on technology if your suppliers are doing the same or if your people don’t understand their role in cyber,” Ingram says in the PwC report.

If, despite your best efforts, your people stuff up and you are hit by hackers, make life easier for everyone by reporting the breach to the main contact point for cyber security issues dogging big Australian businesses: CERT Australia, the ACSC says. Or get in touch with the Australian Cybercrime Online Reporting Network (ACORN), which aims to make it easier for people to recognise, report and avoid common kinds of cybercrime.

“Reporting helps develop a better understanding of the cybercrime affecting Australia,” the ACSC says. “By understanding the enablers, we can make it harder and less rewarding to commit cybercrime, therefore making Australia a safer place to do business.”
