In brief
If the last decade of zombie movies and TV shows has taught us anything, and it has, it's: (a) check every bathroom stall before sitting down, and (b) it only takes one idiot to leave a door open for a world of hurt to rush in. Cybercrime now ranks among the top three threats in the world, alongside natural disasters and extreme weather events. Although some cyber attacks are sophisticated enough that they cannot realistically be prevented, 21 per cent of all data breaches can be attributed to error, internal misuse or social engineering.1 This makes cyber security everyone's business. A good workplace safety culture is now accepted as a critical part of most businesses – a good culture of cyber awareness is just as important.
Why a culture of cyber awareness benefits everyone
- Insider risk. More than a quarter of all data breaches globally originate inside an organisation – either as a result of error (misdelivery, misplacing assets, misconfigurations, publishing errors and disposal errors) or misuse (privilege abuse or collusion with outsiders).2
In Australia, the story is even worse. The OAIC's first quarterly report on data breaches found that human error was the primary cause of approximately half of the data breaches reported in the first six weeks after the Notifiable Data Breaches Scheme took effect. Given the proliferation of data breaches and the difficulty organisations face in protecting against highly sophisticated attacks by external actors, reducing the incidence of insider risk will go a long way towards reducing the overall risk profile of your organisation.
- Rise and sophistication of social attacks. Phishing is one kind of 'social attack' that is becoming an increasingly prevalent risk to businesses of all sizes across all industries.3
- In 2017, 38 per cent of survey respondents reported detection of phishing attacks, making it the top vector of cyber security incidents. Respondents from Australia aligned with the global result.4
- Phishing attacks predominantly occur by email (96 per cent).5
- In 2017, there were 1192 reported incidents of phishing attacks. Of those, 236 were confirmed data breaches.6
These attacks require some human interaction to infect a device or system. This means your employees are the first and last line of defence when it comes to protecting against them. While it was reported that 78 per cent of people didn't click on a single phishing email in 2017, that means 22 per cent did, and it only takes one click to let the zombies in.7 The key lesson here? Educate your employees on phishing and the malware it delivers: how to recognise it and what to do if they spot it.
Even basic awareness training, on recognising suspicious email and not clicking links or opening attachments from unknown sources, can go a long way.8
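The warning signs that awareness training teaches (a sender whose display name does not match the real address, replies redirected to a third domain, link text that shows one site while the link goes to another, executable attachments, pressure language in the subject) can be checked mechanically. The following Python script is an added example written for this page; it is not code from the article or from any of the reports it cites. It parses two constructed sample messages and lists the indicators it finds. Every name, address, domain and link in the samples is made up, and the lists of risky attachment types and urgency cues are illustrative assumptions, not an authoritative catalogue.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative (assumed) list of attachment types that routinely carry malware.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")
# Illustrative (assumed) pressure language typical of credential-phishing subjects.
URGENCY_CUES = ("urgent", "immediately", "suspend", "expire", "verify", "24 hours")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample messages: every address, domain and name below is made up.
SAMPLE_PHISH = b"""\
From: "helpdesk@example.com" <alerts@example-secure-login.net>
Reply-To: recover@mailbox-reset.biz
To: jane.doe@example.com
Subject: URGENT: your password expires in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox password expires today. Verify now to avoid suspension.</p>
<p><a href="http://example-secure-login.net/auth">https://portal.example.com/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>The mail server will be patched on Saturday.
See <a href="https://intranet.example.com/notices">the intranet notice</a> for details.</p></body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _first_address(msg, header):
    """Return (display_name, addr_spec) of the first mailbox in a header, or empty strings."""
    value = msg[header]
    if value is None or not value.addresses:
        return "", ""
    return value.addresses[0].display_name, value.addresses[0].addr_spec


def phishing_indicators(raw):
    """Parse a raw RFC 5322 message and return the phishing indicators found, as strings."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    display, from_addr = _first_address(msg, "From")
    from_dom = _domain(from_addr)
    # 1. Display name shows an address at one domain while the real sender is at another.
    if "@" in display and _domain(display) != from_dom:
        found.append(f"display name claims {_domain(display)} but sender is {from_dom}")
    # 2. Replies are silently redirected to a third domain.
    _, reply_addr = _first_address(msg, "Reply-To")
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(f"Reply-To domain {_domain(reply_addr)} differs from sender {from_dom}")
    # 3. Link text that looks like a URL but whose href points to a different host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            if URL_LIKE.fullmatch(text) and _host(text) != _host(href):
                found.append(f"link text shows {_host(text)} but points to {_host(href)}")
    # 4. Attachments of types that routinely carry malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment type: {name}")
    # 5. Pressure language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    cues = [cue for cue in URGENCY_CUES if cue in subject]
    if cues:
        found.append(f"urgency cues in subject: {', '.join(cues)}")
    return found


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own (a legitimate newsletter may well use a separate Reply-To), which is exactly why training teaches people to look for several signs together and to report rather than click when in doubt.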
- Time to detection. Having systems in place to detect breaches quickly is critical to an effective cyber security strategy. It is now accepted that when it comes to cyber attacks it is a question of not if but when, as organisations move towards an 'expectation of breach' mentality.9 Attackers can exfiltrate significant amounts of valuable data between the initial compromise and the point at which the organisation detects it. The increasing prevalence of cyber attacks has made detection a necessary 'last line of defence'.10
- It affects your bottom line. Data breaches can cause significant financial harm. As breaches become more common, organisations that can demonstrate they respect privacy can use that as a competitive advantage.11 Privacy-mature organisations experience shorter delays in their sales cycle due to customer data privacy concerns.12 They are also better placed to mitigate the financial effects that flow from a breach. Adopting transparent privacy practices and giving customers control over the use and sharing of their data are two important ways organisations can protect themselves from this type of financial harm.13
- Your ability to respond. The way a data breach is handled is often a greater indicator of reputational impact than the size of the breach itself. Detecting and responding to threats in a timely fashion has been identified as the number one security challenge globally.14 The best way to handle a breach is to have an effective response team comprising senior management, IT, public and investor relations, legal and risk/compliance. It is also crucial to consider how that team will be activated, and to identify the roles, responsibilities and reporting lines of individual team members.
- You're more likely to get a better deal on cyber insurance. Organisations can insure against the threat of cyber attacks, but the implementation of robust risk management practices is a vital first step.15 Insurers won't be interested in insuring companies that don't have senior-level accountability. And senior-level accountability is not enough – security is everyone's business.
Six rules for surviving the (cyber) zombie apocalypse
- Be vigilant, organise before they rise. Awareness, education and training are critical to detecting and responding to data breaches efficiently and effectively – you're only as strong as your weakest link. Organisations need to ensure all employees understand the nature of cyber security threats, and their possible impact, whether it's a phishing email, sharing passwords or using an insecure network.16 If you create awareness, you create a greater level of accountability.
- Zombie-proof your house. Plan for a data breach. Many companies have response plans but they don't operationalise them. A recent study by Telstra and GlobalData found that while 76 per cent of organisations had an incident response plan in place, an estimated 55 per cent of incident alerts went unanswered.17 Prompt deployment of response measures is essential to minimise the risk that a security breach will lead to loss by, or damage to, your organisation or its customers.
- Keep track of your kids. A solid understanding of what your critical assets are is vital to any strategy to protect against cyber threats, particularly when 'protecting everything equally is not an option'.18 It is essential to identify ahead of time the assets that, for example, 'impact confidentiality, integrity and/or availability and support business missions and functions'.19 Critical assets can include financial data; products; marketing databases; and intellectual property, such as confidential or trade-sensitive information, copyright works or patents. Knowing your crown jewels lets you tune your protection systems and response plans for your organisation.
- Organise your first line of defence. A team of security professionals with distinct roles is likely to handle a breach more effectively. Security should be the responsibility of a few people full time, rather than of many people part time. Digitally resilient and mature businesses have decided that security matters enough to create a leadership position in the c-suite dedicated to the task. They also have a reporting cadence to the board on this.
- Be careful who you trust. Don't forget insider risk and outgoing employees. Monitor for, and block, unauthorised transfers of data by employees, especially those who have been terminated or have resigned. Make sure access privileges are granted on a 'need to know' basis, and have exit procedures in place so that access to systems is revoked when employees leave. Security training and warning banners, highlighting that employees who view sensitive information without a legitimate business need may face corrective action, help reinforce these controls.
- The zombies may be gone but the threat lives on. Cyber threats are 'diversifying and expanding',20 becoming 'more sophisticated and targeted than ever before'.21 This means organisations need to prepare to continue to face new and unique threats – maintaining the status quo is no longer sufficient.22 As organisations develop strategies to respond to these threats, hackers will continue to evolve.
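The 'need to know' and leaver controls in the 'Be careful who you trust' rule only work if someone regularly checks that the directory agrees with HR. The Python below is an added example written for this page, not code from the article or from any product it cites: it reconciles a directory export against an HR roster and flags departed staff whose accounts are still enabled, accounts with no owner in HR, group memberships beyond what the owner's role needs, leavers whose end date is still ahead, and enabled accounts nobody has logged into for a long time. The roster, account list, group names and role-to-group mapping are constructed sample data, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import date, timedelta

# Assumed policy value: an enabled account with no login for longer than this is flagged.
STALE_AFTER = timedelta(days=90)

# Constructed HR roster: ids, names, roles and dates are made up.
ROSTER = [
    {"id": "E100", "name": "A. Ng", "status": "active", "role": "finance", "end_date": None},
    {"id": "E101", "name": "B. Rao", "status": "departed", "role": "engineering", "end_date": "2018-06-29"},
    {"id": "E102", "name": "C. Ito", "status": "resigning", "role": "marketing", "end_date": "2018-07-13"},
]

# Constructed directory export: usernames, owner links, groups and login dates are made up.
ACCOUNTS = [
    {"user": "ang", "owner": "E100", "enabled": True, "groups": {"finance-ro", "hr-payroll"}, "last_login": "2018-07-01"},
    {"user": "brao", "owner": "E101", "enabled": True, "groups": {"eng", "prod-admin"}, "last_login": "2018-06-28"},
    {"user": "cito", "owner": "E102", "enabled": True, "groups": {"marketing"}, "last_login": "2018-07-02"},
    {"user": "svc-backup", "owner": "E099", "enabled": True, "groups": {"backup"}, "last_login": "2018-01-05"},
]

# Hypothetical 'need to know' baseline: the groups each role is entitled to.
ROLE_GROUPS = {
    "finance": {"finance-ro", "finance-rw"},
    "engineering": {"eng"},
    "marketing": {"marketing"},
}


def access_review(roster, accounts, role_groups, today):
    """Reconcile directory accounts against the HR roster.

    Returns (username, finding, detail) tuples for: enabled accounts of departed
    staff, accounts with no owner in HR, groups beyond the owner's role, leavers
    whose end date is still ahead, and enabled accounts idle past STALE_AFTER.
    """
    people = {p["id"]: p for p in roster}
    findings = []
    for acct in accounts:
        user = acct["user"]
        owner = people.get(acct["owner"])
        idle = today - date.fromisoformat(acct["last_login"])
        if owner is None:
            # Nobody in HR owns this account: a classic orphaned or shared credential.
            findings.append((user, "orphaned", f"owner {acct['owner']} is not in the HR roster"))
        elif owner["status"] == "departed":
            # The exit program should already have disabled this one.
            if acct["enabled"]:
                findings.append((user, "departed_enabled",
                                 f"owner left on {owner['end_date']} but the account is still enabled"))
        else:
            if owner["status"] == "resigning":
                findings.append((user, "pending_leaver",
                                 f"disable on {owner['end_date']}; watch data transfers until then"))
            # Anything outside the role's baseline is a 'need to know' violation.
            excess = acct["groups"] - role_groups.get(owner["role"], set())
            if excess:
                findings.append((user, "excess_privilege",
                                 f"groups beyond the {owner['role']} role: {sorted(excess)}"))
        if acct["enabled"] and idle > STALE_AFTER:
            findings.append((user, "stale", f"no login for {idle.days} days"))
    return findings


def run_sample():
    """Run the review over the constructed data as at 2 July 2018."""
    return access_review(ROSTER, ACCOUNTS, ROLE_GROUPS, date(2018, 7, 2))


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:12} {finding:18} {detail}")
```

In practice the two inputs come from the HR system and the directory service, the review runs on a schedule, and each finding is routed to the exit program or the access owner; the value of the check is that it catches the cases a manual leaver checklist misses, such as service accounts and privileges that accumulated after a role change.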
The unavoidable truth about creating cultural change is that it takes vigilance, time and direction from the top. The Shaun of the Dead approach ('have a nice cup of tea/nice cold pint and wait for this all to blow over') won't cut it. Cyber awareness doesn't come overnight – don't leave it until it's too late.
Footnotes
- Verizon, 2018 Data Breach Investigations Report, 8.
- Verizon, 2018 Data Breach Investigations Report, 5, 23.
- PwC – The Global State of Information Security Survey 2017 Report.
- PwC – The Global State of Information Security Survey 2017 Report.
- Verizon, 2018 Data Breach Investigations Report.
- Verizon, 2018 Data Breach Investigations Report.
- Verizon, 2018 Data Breach Investigations Report.
- Please see our article Spotlight: (almost) everything you need to know about ransomware.
- Telstra Security Report (2018).
- https://techcrunch.com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/.
- Cisco – Annual Cybersecurity Report (2018).
- Cisco – Annual Cybersecurity Report (2018).
- Kelly D Martin, Abhishek Borah, and Robert W Palmatier, 'Research: a strong privacy policy can save your company millions' (15 February 2018).
- Telstra Security Report (2018).
- https://www.ebminsurance.com.au/cyber-liability/.
- https://www.itgovernance.co.uk/blog/creating-a-cyber-security-culture-within-the-workplace/.
- Telstra Security Report (2018).
- https://www.mckinsey.com/business-functions/risk/our-insights/protecting-your-critical-digital-assets-not-all-systems-and-data-are-created-equal.
- Robin M Ruefle, 'Critical Asset Identification' (Carnegie Mellon University, Insider Threat Blog, 12 April 2017).
- https://insight.telstra.com.au/secure-your-business/articles/inside-the-telstra-security-report-2018.
- https://techcrunch.com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/.
- Cisco – Annual Cybersecurity Report (2018).
Other articles in this edition of Pulse
- Code breakers – Australian Government flags forced decryption reforms
- Backing up the backups – a practical guide to cyber insurance
- APRA proposes cross-industry framework for management of information security
- The walking dread – fostering cyber awareness in the age of killer viruses
- Coming clean – OAIC releases first quarterly report on data breach notifications
- One click from meltdown – cyber attacks on critical infrastructure