These days the business world seems to be rocked on a daily basis by a new cybersecurity threat to be dodged. But while world-class security technology can help, there’s one big risk factor that can’t ever be controlled with software: people.
“People are often the weakest link in the defence against cybercriminals,” says Palo Alto Networks Australia and New Zealand vice president Ian Raper.
In fact, criminals are increasingly targeting human vulnerability to get results rather than trying to hack into well-fortified computer systems. Emails that trick company employees into making unjustified payments to attackers have spiked from 1% of all malware emails in 2015 to 42% by the end of 2016, according to research conducted by Proofpoint.
Now the 2017 Telstra Cyber Security Report reports 30% of Australian businesses are on the receiving end of business email compromise incidents each month, while 33% are copping phishing attacks.
And the techniques are evolving.
“We have found locally that the [business email compromise] approach is transitioning from an actor purporting to be a CEO or CFO and requesting a wire transfer, to an actor purporting to be a business’s existing supplier and requesting a wire transfer for an invoice payment,” says Proofpoint Australia managing director Tim Bentley.
“It can take several months before the business even realises it has been wiring money to a fraudulent account.”
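The supplier-impersonation pattern Bentley describes succeeds because the request looks like routine accounts-payable work. The following is an added illustration, not code from the article, Proofpoint or Palo Alto Networks, of the kind of payment-approval check that surfaces such a request before money moves: every invoice payment request is compared against the vendor record already on file, and any mismatch in sender domain or bank details puts the payment on hold pending out-of-band verification. The vendor master records, the `PaymentRequest` fields and the sample requests are all constructed for the example.

```python
"""Added example: hold invoice payment requests that do not match the vendor record.
This is illustrative code, not from the article or the vendors it quotes."""
from dataclasses import dataclass

# Constructed vendor master: what accounts payable already knows about each supplier.
VENDOR_MASTER = {
    "acme supplies": {
        "domain": "acme-supplies.example",   # registered e-mail domain of the supplier
        "bsb": "062-000",                    # constructed bank details on file
        "account": "12345678",
    },
}


@dataclass
class PaymentRequest:
    """A single invoice payment request as extracted from an inbound e-mail (constructed)."""
    claimed_supplier: str
    sender_address: str
    bsb: str
    account: str


def check_payment_request(req: PaymentRequest, vendor_master=VENDOR_MASTER) -> list:
    """Return the reasons this request must be verified out of band (for instance by
    phoning the supplier on a number already on file). An empty list means the request
    matches the vendor record on every checked field."""
    findings = []
    record = vendor_master.get(req.claimed_supplier.strip().lower())
    if record is None:
        return ["unknown supplier: no vendor record on file"]

    # The display name can say anything; the domain the mail actually came from is
    # compared with the domain registered for this supplier.
    sender_domain = req.sender_address.rsplit("@", 1)[-1].strip().lower()
    if sender_domain != record["domain"]:
        findings.append(
            f"sender domain {sender_domain!r} differs from registered {record['domain']!r}"
        )

    # A changed destination account is the core of the fraud: the invoice may be
    # genuine, but the money would go to the attacker's account.
    if (req.bsb, req.account) != (record["bsb"], record["account"]):
        findings.append("bank details differ from vendor record; confirm by phone before paying")

    return findings


def requests_on_hold(requests):
    """Return the subset of requests that need verification, with their reasons."""
    held = []
    for req in requests:
        reasons = check_payment_request(req)
        if reasons:
            held.append((req, reasons))
    return held


# Constructed sample input: one legitimate request and one impersonation attempt.
SAMPLE_REQUESTS = [
    PaymentRequest("Acme Supplies", "ap@acme-supplies.example", "062-000", "12345678"),
    PaymentRequest("Acme Supplies", "ap@acme-suppliess.example", "062-000", "99999999"),
]

if __name__ == "__main__":
    for req, reasons in requests_on_hold(SAMPLE_REQUESTS):
        print(f"HOLD payment to {req.claimed_supplier} from {req.sender_address}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The point of the check is not that it catches every variant, but that it turns “the supplier asked us to use a new account” from a silent assumption into an explicit event that someone must confirm by a channel the attacker does not control.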
Email cyberattacks remain popular with attackers, the research found, because they garner instant responses. In fact, 25% of clicks on malicious links happen within 10 minutes of the email being sent, and 50% within the hour. Nearly 90% of the clicks occur within the first 24 hours.
Raper says people are “the weakest link in the defence against cybercriminals” and that preventative training is the key.
“The focus of employee training should shift from reaction to prevention. Proven to be ineffective for organisations, pure compliance-driven approaches are usually not interesting or personal enough to capture employees’ imaginations.”
To make the training more stimulating for staff, Raper says, businesses should think beyond the usual PowerPoint slides.
“Organisations could consider gamification. Gamification will make training more exciting and engaging for employees, increasing awareness of cybersecurity practices, including how to respond to attacks correctly,” he says.
Gamification allows businesses to give out incentives and prizes for exemplary behaviour, which Raper says leads to “a more cyber-secure working environment”.
Businesses and staff have to be aware that the damage of an electronic breach goes beyond just the money directly lost from the incident. Palo Alto says the reputational hit and customer losses are harder to measure but no less devastating.
Human defence also extends to the organisational level. Co-operation between private and public sectors is imperative for effectively combatting cybercriminals.
Prime Minister Malcolm Turnbull, as part of this effort, hosted a roundtable with tech industry heavyweights in Canberra last month. There is talk of creating a cybersecurity industry committee to give the private sector a direct line to the prime minister on such matters.
“Cyberspace is the new frontier of espionage. It is the new frontier of warfare. It’s a new frontier of threats to Australian governments, to families and businesses,” the prime minister said at the event.
“We have great agencies, as you know. We do work, we have always worked closely but we need to be more cohesive.”
The need for organisational culture and individual behaviour to change was perhaps best summarised by the University of Oxford’s David Upton, former vice chairman of the US Joint Chiefs of Staff James Winnefeld Jr and former special assistant to the chairman of the Joint Chiefs of Staff Christopher Kirchhoff, who co-authored an article in the Harvard Business Review in 2015.
“Technology alone cannot defend a network. Reducing human errors is at least as important, if not more,” they said.
“Building and nurturing a culture of high reliability will require the personal attention of CEOs and their boards as well as substantial investments in training and oversight.”