Businesses in Australia and New Zealand are rushing to introduce formal cyber security awareness programs amongst staff, new figures find, even as those who already have them warn that they are largely ineffective in changing the behaviour of naïve individuals who bend the rules to get their job done.
The shift to embrace cybersecurity awareness was flagged in the BDO Australia-AusCERT Cyber Security Survey 2016, which found that 47.4 percent of respondents had already introduced cyber security awareness programs and that a further 34 percent of respondents planned to do so within the next 12 to 24 months.
Such programs were the most widely-cited initiative planned for short-term implementation, highlighting the perceived importance of user education in strengthening organisations’ overall security defences. Yet they may be for naught, based on another new study of IT-security professionals that warned users continue to create security issues by failing to respect the boundaries of their accounts or engaging in risky behaviour despite their training.
Just 10 percent of the 317 IT-security professionals in another survey – conducted by Dimensional Research on behalf of behavioural-firewall vendor Preempt – said they feel that end-user security training is very effective, despite being provided by 95 percent of the surveyed companies. And while 81 percent said their end users are willing to contribute to security, just a quarter of users were actually willing to put in extra effort to learn about it.
This ongoing gap has fuelled an ongoing perception of internal risk that found security professionals far more concerned – by a ratio of nearly 7 to 1 – about employees that accidentally compromise security than malicious insiders that intend to harm the business.
Specific concerns included the installation of malware by careless employees (cited by 73 percent of respondents), stolen or compromised credentials (66 percent), stolen data (65 percent), and abuse of administrator privileges (63 percent).
Some 91 percent of respondents said that users had access to systems that they shouldn’t, while 70 percent said they can’t effectively monitor the activities of privileged users and 64 percent said they have the right skills but are so overworked that they can’t respond to such issues.
“Internal threats are emerging as equally as important as external threats,” Dimensional Research founder and principal Diane Hagglund said in a statement. “An employee cutting corners to get their job done more efficiently is viewed as potentially just as dangerous as a malicious external hacker. Yet these views aren’t reflected in the allocation of security budgets, which is traditionally focused on perimeter security.”
User training was far from the only user-related initiatives on the boil amongst ANZ businesses, according to the BDO report. Regular cybersecurity risk assessments (28.4 percent), third-party and vendor risk assessments (27.6 percent), data loss prevention (22.8 percent), identity and access management (20.1 percent), and privileged account management (14.2 percent) were all flagged as ongoing efforts to improve the management of user-related risk and data protection.
“As users become more independent and IT savvy, their reliance on system administrators drops,” the report’s authors warn. “An increased number of business users now demand administrative access to allow them to customise their devices and install their applications. This increases the risk exposure for the organisations as criminals will have full access to systems and data of compromised accounts.”
These concerns highlight the increasing risk from users compromised by carefully-engineered social attacks, which Intel Security has predicted will get increasingly well-crafted and effective in 2017 as outside actors leverage technologies such as machine learning to fine-tune their methods.
This lent serious weight to increasingly-successful, insider-focused threats such as business email compromise, Intel Security director of threat research Eric Peterson wrote in the company’s 2017 Threats Predictions paper.
“When expertly applied, machine learning has the potential to solve important, complex, tangible business problems,” he explained. “As we have seen with modern malware toolkits such as Trillium, Zeus, and Angler, malware authors can inflict far more damage with the assistance of toolkits than they could with their own individual skillsets.”
This will drive increasingly well-crafted attacks through 2017, he predicted, even to the point where purveyors offer ‘target acquisition as a service’ offerings that leverage increasingly accessible machine-learning algorithms to “accelerate and sharpen” social-engineering attacks.
“Machine learning tools are force multipliers for those of us in security roles [and] we would be negligent to assume that cybercriminals are not also adopting these powerful tools…. With the BEC attack model as an example and the availability of machine learning tools to perform complex data analysis, we can begin to see the confluence of machine learning and criminal activity.”