Building the cyber defences needed to ward off attacks
Cyberattacks are increasingly widespread and the potential damage is growing.
Attacks last year, from phishing scams to ransomware and malware attacks, targeted Australian businesses of all sizes.
Forrester estimates that 9 in 10 data breaches this year will include some sort of human element that allows information to be stolen. Looking at the scale of the issue, we at SoSafe found that 1 in 2 businesses experienced a successful cyberattack in the past three years – and 64 percent assess their risk of falling for another one as high. Being involved in an incident is increasingly the norm rather than the exception.
In response to the recent Medibank cyber attack, where nearly 10 million confidential records were stolen, Clare O'Neil, who serves as Minister for Cyber Security promised that Australia would be "putting layers of protection around Australians and Australian businesses."
More layers of protection are needed because of near-constant innovation from hackers and bad actors. An attempted cyber-attack today frequently looks nothing like it did five, two or even last year.
New technology can be used to devastating effect.
The same AI-based tools and LLM-models that promise to revolutionise customer service and product development are also being used to make spurious requests for information seem ever more trustworthy. Tools like WormGPT and FraudGPT are spreading through hidden message boards and passed around corners of the Dark Web.
Generative AI means spoofing emails designed to trick people into giving up sensitive information can be created up to 40% faster than previous methods.
And what's generated is fooling people. We were able to make (in simulated attacks) messages that 78% opened, while 65% revealed personal information and 21% clicked on malicious links or attachments.
Scammers can now incorporate industry and company-specific information and create grammatically sound, well-formatted messages. The tell-tale signs of a phishing attempt—the strange fonts, the bizarre syntax, the unfamiliar file types—may be absent in these new attacks. Criminals are like viruses, constantly evolving when their attacks are thwarted.
Technology has a role to play in keeping the hordes at bay – but it cannot act alone. Professional hackers, working together, given enough time, will overrun every technical defence put in place by the IT department. Reinforcements – the "layers of protection" promised by the government – must come from the people on the frontlines, employees. This is the "human factor" in cyber defence, which will allow companies to turn the tide. Employees need to be seen as assets in the fight rather than something that is 'allowing' intrusions to happen.
Education is vital to managing human risk. The first stage is awareness of the problem: bad actors exist and are incentivised to steal valuable information and resources from a company. Compliance frameworks have long understood that importance, confronting security leaders with a series of requirements tackling the human layer. But checking the compliance box is not enough because these frameworks only focus on quickly transmitting information, not changing behaviour. Too often, security training essentially stops here – but it's not enough to tick compliance boxes. People have not been given the tools to be an active part of a company's defence.
Cybersecurity training can be a dull affair – endless slides that require a user to click every 20 or 30 seconds to 'ensure participation' and mindless quizzes to 'pass' modules. This cannot continue.
Instead, programmes need to identify and prioritise human risks specific to a particular company and then create a corrective action plan to address these issues, creating and spreading behaviours that will allow people to understand and respond to threats. These programs need to consider behaviour in its entirety, including cultural influences, motivational factors and attitudes, context, and emotional responses. There needs to be a focus on the principles behind safe and secure ways to interact with digital information and use communication tools, which will be valid even if the format or underlying technology shifts.
Training should be engaging. Yes, it needs to cover relevant information, but it needs to ensure people learn to apply their knowledge, build good security habits, and understand why these things are important.
Good news: We can leverage long-proven psychological approaches. This means offering a multi-channel experience offering people contextual learning opportunities wherever they are. These programs create bite-size chunks over huge blocks of text, employing tactics like gamification, continuous and spaced repetition, interactive components, contextual nudging, and storytelling – all while focusing on positive reinforcement instead of learning through fear.
The best way to appreciate the transformation that needs to happen is through one of the most basic, common analogies: give a man a fish, he'll eat for a day; teach him to fish, he'll never go hungry. Here, a fish is a strictly technological approach, which may stop one threat but doesn't solve the more significant issue. Only through empowering front-line staff through a holistic human risk management program will companies be able to build resilience and sustainably mitigate cyber risk, ensuring they are set for the long term.