Cyber defence fails to ensure security is built into non-security products, and experts are often guilty of using complex language that scares people about the dangers of being online without providing simple ways to help them do the right thing.
Cyber security can be perceived as too hard to manage and a drain on people’s time. There can be a general perception that cyber incidents only happen to ‘someone else, not me’ or are someone else’s responsibility, which leads to complacency.
With the right approach a business’ people can be its biggest asset in the battle against cyber crime. The problem is that many still don’t understand how cyber security is relevant to them or what they need to do to reduce the threat.
The solution lies in changing behaviour.
In good hands
Cyber security must be made accessible and simple, providing people with actions seen as both easy and valuable.
The value part is well documented. The cost of cyber crime is forecast to total $US6 trillion a year worldwide by 2021. Australian businesses reported 81 data breaches per month in 2018 - a third of which were put down to human error.
The average total cost of a data breach to Australian organisations is $A2.51 million.
Ninety-one per cent of targeted cyber attacks start with someone clicking on an email, a report from Trend Micro suggests.
People can be trained to recognise the signs. ANZ first started phishing simulation exercises in 2015 in what were labelled ‘Phishing Fire Drills’. Since its introduction, the process has reduced the number of staff clicking on suspicious emails by 75 per cent, to a level well under the industry average.
This is consistent with industry findings. A recent report by Cofense showed click rates across industry between 2015 and 2017 fell from about 14 per cent to less than 10 per cent, with improvements in resiliency across all phishing types. Even resilience to business email compromise (BEC) improved by 2.5 times.
But phishing will always be a thing, no matter how constant or successful the drills. The real value is raising awareness of security issues more broadly: getting people talking about cyber security and thinking about the range of steps they can take to help improve it.
And of course layers of cyber defence are needed, so that if a phishing email fools one person, another security control will stop it from succeeding.
Businesses need to build interest in cyber security so people see the relevance and understand simple things they can do to be safer online, and help protect their organisations from cyber threats.
Discussion about phishing can make it real for everyone and evolve to a more general conversation about the threat. This way businesses can help staff be one of the strongest links in their – and everyone’s – cyber security armoury.
It’s not so much specific skills everyone needs to have. It’s about understanding the personal and business impact of security, and the simple steps everyone can take to improve it. It’s about explaining the issues in ways people can understand.
It doesn’t necessarily require any in-depth understanding of how a cyber attack would occur or how malicious software could be embedded in a system; that’s not what people need. It’s about knowing it could happen to anyone and what needs to be done to prevent it.