12 Oct 2018
In an ideal world, combating cyber crime in business would be a multi-disciplinary, defence-in-depth approach: security built into the technology, and staff enabled - and empowered - to detect and respond where the technology can’t.
Too often cyber defence fails to get security built into non-security products, and security experts are often guilty of using complex language which scares people about the dangers of being online without giving them simple ways to do the right thing.
Cyber security can be perceived as too hard to manage and a drain on people’s time. There can be a general perception that cyber incidents only happen to ‘someone else, not me’, or are someone else’s responsibility - which leads to complacency.
With the right approach a business’ people can be its biggest asset in the battle against cyber crime. The problem is many still don’t understand how cyber security is relevant to them or what they need to do to reduce the threat.
The solution lies in changing behaviour.
In good hands
Cyber security must be made accessible and simple, providing people with actions seen as both easy and valuable.
The value part is well documented. The cost of cyber crime is forecast to reach US$6 trillion a year worldwide by 2021. Australian businesses reported 81 data breaches per month in 2018 - a third of which were put down to human error.
The average total cost of a data breach to Australian organisations is A$2.51 million.
Ninety-one per cent of targeted cyber attacks start with someone clicking on an email, a report from Trend Micro suggests.
People can be trained to recognise the signs. ANZ started phishing simulation exercises in 2015, labelled ‘Phishing Fire Drills’. Since their introduction the process has reduced the number of staff clicking on suspicious emails by 75 per cent, to a level well under the industry average.
This is consistent with industry findings. A recent report by Cofense showed click rates across industry between 2015 and 2017 fell from about 14 per cent to less than 10 per cent, with improvements in resiliency across all phishing types. Even resilience to business email compromise (BEC) improved by 2.5 times.
But phishing will never go away, no matter how regular or successful the drills. The real value is in raising awareness of security issues more broadly - getting people talking about cyber security and thinking about the range of steps they can take to help improve it.
And of course layers of cyber defence are needed, so that if a phishing email fools one person, another security control stops the attack from succeeding.
Businesses need to build interest in cyber security so people see the relevance and understand simple things they can do to be safer online, and help protect their organisations from cyber threats.
Discussion about phishing can make it real for everyone and evolve to a more general conversation about the threat. This way businesses can help staff be one of the strongest links in their – and everyone’s – cyber security armoury.
It’s not so much specific skills everyone needs to have - it’s about understanding the personal and business impact of security, and the simple steps everyone can take to improve it. It’s about explaining the issues in ways people can understand.
It doesn’t necessarily require any in-depth understanding about how a cyber attack would occur or how malicious software could be embedded in the system – that’s not what people need. It’s about knowing it could happen to anyone and what needs to be done to prevent it.
Cyber security is a team sport and there have been some great recent examples of the public and private sectors coming together to fight cyber crime, both locally with the recent Reverse the Threat movement in Australia and internationally with Cyber Security Awareness Month.
ANZ’s own campaign encourages people to protect their virtual valuables in the same way they do physical valuables by making a PACT, providing four simple steps towards better cyber security. You can read more about PACT here.
Major global organisations have a responsibility to help educate both staff and customers about how they can help the fight against cyber crime.
Yet the ongoing message needs to be that cyber security, and keeping the internet safe for everyone, is a shared responsibility. It’s everyone’s business.
Lynwen Connick is global Chief Information Security Officer at ANZ
This piece is an edited version of responses given by Connick to an expert panel at the SIBOS conference in Sydney in October.
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.