Imagine this scenario: 90 per cent of traffic accidents are caused by speeding, so to address the issue all cars must be roadworthy and have airbags installed. Seems straightforward; these are important measures.
But if we’re saying that the major issue here is the behaviour of people, how do these initiatives address that?
And yet that is exactly what is happening with cyber security. There’s a massive push to implement technical solutions for problems that are largely related to the behaviour of people.
A 2019 report by the UK Information Commissioner’s Office found that 90 per cent of data breaches are via people.
Take a bit of unaware, unsuspicious, gullible, helpful and trusting, and lo and behold you have your standard person, ready to be tricked into letting an IT criminal onto your network. Now add to that the fact that we’re working from home a lot more on systems that are largely out of the control of IT departments and we’ve got the perfect storm, ready to be taken advantage of by strategic cyber-criminal groups.
Despite this, SMEs, who make up most of the businesses in Australia and employ the most people, generally spend very little on cyber security, with half of SMEs spending less than $500 on cyber security in the last year.
Cybercrime is a popular and rapidly growing industry too. It’s well resourced, easy to get into, and you can work from home. There’s good money to be made, too. Not long ago it used to be a question of “if” you’d be breached. Now the unfortunate reality is about “how bad” and “how often”.
So how did we find ourselves in this mess? If you talk to people about cyber security, the general perception is that it’s a technical issue.
Most people think that technology like firewalls and antivirus will keep you safe at home; the government provides us with the “Essential 8”, a framework specifying basic technical controls to secure your network; government grants were provided to help companies part-fund enhancements to technical security infrastructure; and IT criminals are largely portrayed as hooded “hackers” artistically injecting code to crack into a network using their malicious technology.
So yes, on the face of it this clearly looks like a technical problem, and spending $500 on technical solutions isn’t going to get anyone very far. Even if a company did allocate some reasonable funds, they’re still spending money on getting the car roadworthy and fitting airbags, and not watching the speed signs!
The core of the issue is that 90 per cent figure. It is compelling. Yes, there are three aspects to IT security: people, processes and technology. But if we don’t address all three areas then we have a weak point.
This is Risk Management 101. Identify the risks, determine their likelihood of occurring and impact, give them a rating, prioritise them, and then address them in order.
So how do we address this focus issue? How are we supposed to win the battle against cyber criminals when we have one hand tied behind our back? A great start would be if messaging from government started to support a more balanced perspective.
That could start with taking the technically focused “Essential 8”, and bolstering it with a people-centric section to become the “Essential 9”.
This new content could focus on the ABCs of cyber security: Awareness, Behaviour & Culture. That is, make people aware of how they are being targeted, motivate them to change their behaviour, and embed cyber security awareness into the culture of the organisation.
It’s really not hard to train your staff and then keep them on their toes by drip feeding short snippets of engaging and relevant cyber security content!
This can then flow into industry compliance frameworks and government resources for business that highlight relative cyber security risks, and it can be a recurring topic when communicating with businesses and the public about cyber security risks.
A great example is the June increase in malicious activity against political and private sector organisations by a sophisticated state-based actor. In one reported breach, an attacker gained access to systems by targeting people after failing to gain access through technical means. This provided the perfect opportunity to talk about cyber security awareness initiatives as opposed to the usual technical solutions narrative.
As companies start to embrace a culture of cyber security awareness they will naturally gravitate towards more technical controls, hopefully driven by a realisation of the cost benefits that come from breach reductions.
Remember the saying “culture eats strategy for breakfast”? Well, cyber security culture will feast on IT criminal strategy if it’s done well, and the Government has a great opportunity to drive this change now.