Cyber security is well and truly in the spotlight in 2017, or should I say “people security”. The Snowden revelations of yesteryear focussed the public’s attention on their personal privacy while a very real threat has been growing in organised crime that exploits personal information and basic human psychology. This month it emerged that two of the world’s most tech-savvy companies, Facebook and Google, were scammed for $100m (£77m) which should be enough to bring security out of the shadows and to the forefront of business discussions.
We are also seeing more high profile cyber-attacks being reported: 70% of medium and large businesses reported attacks in the last year alone, 72% of which originated with a phishing email, according to the Department of Culture, Media & Sport: Cyber Security Report, May 2017.
Today most companies take endpoint security software seriously, but spending more money on tools isn’t necessarily going to help close this gap in defences. The human factor is a hard problem to crack – 47% of incidents involve a malicious attack, often reliant on staff negligence or ignorance. Furthermore, according to the PWC Information security breaches report 2015, commissioned by UK Government, 25% of security breaches concerned a negligent contractor or supplier. *
However, the biggest potential for improvement in security lies with an organisation’s people. With some fresh thinking and strong leadership, people can become the greatest defence. The onus is on the employer to engage with staff in an effective way where the importance of cyber security is clearly communicated and behaviour changes as a result.
Small businesses may be complacent, believing they are low risk because they aren't as high profile as T-Mobile or Target. But being a smaller company doesn't mean your data isn't valuable or that it can be left unmanaged. Any data has value to someone, which makes it a target for attackers, and corporations are recognising the risk that suppliers handling their data present.
Why do cyber criminals choose to target individuals?
Psychology is the overwhelming reason why cyber-attacks such as phishing are still successful today. Humans are surprisingly obedient when instructed to take action. If asked to click on a link or share bank details, in the right context people feel compelled to obey.
Find that hard to believe? Over the years, experiments in human psychology have consistently shown that people instructed to take an action by an apparent authority will tend to comply.
How do cyber-attacks against businesses work?
An astonishing 75% of cyber-attacks are preventable. Several forms of attack directly target people: malware, ransomware and phishing are all designed to gain access to data or systems, for a variety of reasons. From hacktivists to criminals seeking financial reward or simply wanting to prove they can 'break in', attackers are driven by many motives.
The most common, simplest phishing scams can be the most effective. For example, a criminal may impersonate a supplier and request payment of a fake invoice. The sender's email address can look genuine and the message content legitimate, but the email may carry an attachment infected with malware or link to a web page that installs malware on the victim's device when opened. After a few simple emails, the criminal might walk away with tens of thousands of pounds. Phishing emails have become more targeted and more personalised, which makes them harder to detect. They can be costly for businesses in both money and reputation.
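The "looks genuine" sender address is something a finance team can check mechanically before paying an invoice. The script below is an added example written for this page, not code from the article or from CybSafe: it parses an RFC 5322 From header, trusts only the address domain (never the display name), and flags addresses that are homoglyph or near-miss lookalikes of a supplier allow-list, or whose display name claims a supplier the address does not match. The supplier domains, the sample From headers and the edit-distance threshold are constructed assumptions.

```python
"""Flag lookalike supplier sender addresses in e-mail From headers.

Added example for illustration; the allow-list, thresholds and sample
headers below are constructed, not taken from any real organisation.
"""
import re
from email.utils import parseaddr

# Constructed allow-list: domains the finance team expects invoices from.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.co.uk", "northwind.com"}

# Substitutions attackers use so a registered lookalike reads like the genuine
# domain: digits for letters, and 'rn' for 'm' / 'vv' for 'w'.
_CHAR_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAIR_SWAPS = (("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    """Fold common homoglyph tricks so 'acrne-supp1ies' compares equal to 'acme-supplies'."""
    d = domain.strip().lower().translate(_CHAR_SWAPS)
    for src, dst in _PAIR_SWAPS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _brand(domain: str) -> str:
    """Alphanumeric brand token from the first label: 'acme-supplies.co.uk' -> 'acmesupplies'."""
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0].lower())


def classify_sender(from_header: str, known=KNOWN_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, detail) for a From header value.

    verdict is 'known', 'lookalike' or 'unknown'. Only the address domain is
    compared against the allow-list; the display name is attacker-controlled
    text and is used solely to spot a claimed supplier that the address belies.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown", "no address found"
    domain = address.rpartition("@")[2].lower()
    if domain in known:
        return "known", domain
    norm = normalise(domain)
    for good in known:                       # exact match once homoglyphs are folded
        if norm == normalise(good):
            return "lookalike", f"homoglyph of {good}"
    for good in known:                       # typo-squat: a character or two out
        if levenshtein(norm, normalise(good)) <= max_distance:
            return "lookalike", f"within {max_distance} edits of {good}"
    shown = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for good in known:                       # display name says supplier, address does not
        if _brand(good) and _brand(good) in shown:
            return "lookalike", f"display name claims {good} but address is {domain}"
    return "unknown", domain


# Constructed sample headers covering each branch above; not real messages.
SAMPLE_FROM_HEADERS = [
    "Accounts <accounts@acme-supplies.co.uk>",           # genuine supplier
    "Accounts <accounts@acrne-supplies.co.uk>",          # rn -> m homoglyph
    "Northwind Billing <billing@n0rthwind.com>",         # 0 -> o homoglyph
    "Accounts <accounts@acme-suplies.co.uk>",            # one character dropped
    "Acme Supplies Accounts <accounts@acme-supplies.co>",  # wrong TLD, brand in display name
    "Jane Doe <jane@example.org>",                       # unrelated sender
]


def triage(headers=SAMPLE_FROM_HEADERS) -> dict[str, str]:
    """Map each header to its verdict, e.g. for a 'pause before paying' report."""
    return {h: classify_sender(h)[0] for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:10} {header}")
```

This is a complement to training, not a substitute for it: an address that exactly matches the allow-list can still be forged unless the receiving mail system enforces the supplier's SPF/DKIM/DMARC policy, and a supplier's genuine mailbox can itself be compromised, so the "verify the bank details by phone on a known number" habit the article argues for still applies to a "known" verdict.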
How can businesses better protect themselves?
Most organisations acknowledge that they need to be better prepared and to invest in cyber security, but the common first port of call is technology and process. The biggest business asset, its people, often gets overlooked. People are your best defence. 90% of businesses say cyber security is a high priority for management, yet fewer than half of staff have attended training in the last 12 months (Department of Culture, Media & Sport: Cyber Security Report, May 2017). How can staff be vigilant against the latest types of attack if they are not prepared and not equipped with the knowledge to do so?
A tick-box approach to training is clearly not sufficient. Nor is overwhelming staff with technical information effective at ensuring long-term retention. The trick is to improve engagement using methods grounded in behavioural science so that behaviour actually changes. Simply pushing information from the company to the employee doesn't ensure it has been taken on board or that it will be acted upon.
New security behaviour platforms give companies a way to address security-related behaviour by analysing patterns in how employees operate online and determining where vulnerabilities lie. With that understanding of behaviour and points of vulnerability, training can be developed so that people protect themselves better and are prepared for the cyber threats specific to their industry.
If a company’s employees learn how to improve their behaviour online both at work and at home, they will be more secure and therefore so will the business.
Only by developing a culture that is cyber aware and cyber ready will businesses of all sizes be able to reduce cyber risk.
By Oz Alashe, MBE, CEO at CybSafe