It’s often said that hacking is a technology problem. While it is a technology problem, it’s also very much a human and business problem. Hacking, and data breaches, are a huge issue. Around 70 per cent of global organisations have experienced a breach, but at present, very few actually report that they have been compromised.
What’s important to remember, however, is that hackers don’t attack technology, they attack people. Most hacks, while based on a technological method, incorporate social engineering and other human factors in order to gain access to an organisation’s systems.
Common methods such as malware infections, phishing and drive by downloads, as well as many others, all require some human action before they are effective. What they have in common is that all these risk factors are human factors. While technology plays a role, it’s the human that is the enabler.
Mitigating the human factor
Because humans are the perimeter of any organisation, changing human behaviour is key to ensuring any organisation is secure. This must come through ongoing education and training, rather than relying on technological countermeasures to the exclusion of everything else.
The Australian Signals Directorate (ASD), for example, has published a list called the Essential Eight, which provides organisations with a framework for preventing data breaches and hacker access to corporate systems.
Of the top four aspects of the Essential Eight, three are technological countermeasures. The top four categories include application whitelisting, patching applications, patching operating systems, and restricting administrative privileges. It’s only this last category that has any impact on human behaviour, and that’s through putting controls on what an employee can do with their computer or device.
The other four categories of the Essential Eight are also predominantly technological countermeasures. They include disabling Microsoft Office macros, user application hardening, daily back-ups, and using multi-factor authentication.
Again, the majority of these are technological tools – so what about the human aspect?
It would make sense for the ASD to expand the Essential Eight – and each of the eight is an important security countermeasure – with an additional category: user awareness and training, making it the Essential Nine.
By educating staff about security, and what they should and should not do, the entire organisation becomes more secure. Security is never a solved problem, but with user education, staff are more aware of the threats their actions can pose to the organisation. They are also made more aware of what they can do every day to make their organisation safer and more resilient to attacks.
By making the Essential Eight, the Essential Nine, staff would be better educated, and organisations would in turn be better protected.
Australia’s mandatory data breach laws are set to come into effect in 2018. Under these laws, companies subject to the Privacy Act will have to report a data breach to the Office of the Information Commissioner, as well as the public. However, these laws are not perfect. Nowhere in the new laws are there provisions for organisations to conduct deep cyber security awareness and training, which is an important factor for companies that have experienced a data breach in order to prevent it happening again, as well as for companies wanting to guard against such a thing occurring to them.
Cyber security awareness and training should be part of the law, and should be part of the training that any organisation provides to employees when they start, and as they move along their career journey.
Because threats are constantly evolving, and because the human factor is essentially static (for example, picking up a USB that’s been left in the carpark, plugging it in to see what’s on it, and introducing rogue software onto their computer) training needs to be something that is ongoing. One-off training is less likely to work because it will quickly be forgotten. Persistent training and ongoing measurement are key to ensuring staff understand what their responsibilities are and that a cyber threat isn’t just something that happens to other people and other businesses, but something they need to take responsibility for, every day.
Awareness about cyber security also needs to start before people hit the workforce. It’s important that children are educated – at an appropriate age and level – about cyber security, just as they should be about other threats that exist on the internet.
Universities also have their part to play. An increase in the number of cyber security degrees through government incentives would also be a welcome development. Organisations such as the Australian Computer Society (ACS) are already moving in this area by offering certified professional qualifications for cyber security. These qualifications come with continuing professional development and education, as well as recognition of a qualification, and are a great development in making Australians and Australian businesses more aware of the threats posed by hackers and bad actors.
While technological protections, preventions and laws are critical to protecting Australia’s business and government infrastructure, the reality is that cyber security is, at its core, a business problem and a human problem. By increasing awareness and training, as well as expanding the advice we give to companies, such as through enhancing the Essential Eight, we can act to prevent the worst threats to business at their source – the human source.