The recent successful cyber-attacks against Victorian regional hospitals highlight a growing concern in cyber security and technology circles: the human factor. News reports suggest that the cause of the data breach was a phishing email sent to a hospital staff member which, when previewed or opened, caused ransomware to propagate throughout their systems.
This is not a stand-alone or rare case. According to data from the Notifiable Data Breaches Scheme, human error is the cause of 67% of data breaches, with some reports citing human error as the cause of over 90% of data breaches. Cyber security experts have long been vocal in espousing the need for cyber awareness training for staff and in encouraging organisations to give information security risks the same focus as other enterprise risks. However, there has been a lack of discussion about exactly HOW to tackle the issue of the human factor.
Cyber awareness training is not the silver bullet that many assume. It is often ineffective and viewed with the same distaste and boredom as the often mind-numbing WHS induction videos. A tick-the-box compliance attitude emerges, which does little to aid retention of information. When the culture of an organisation does not value cyber risk awareness, it is difficult to educate and engage staff on what is seen as a hindrance to their “real work”.
So, what do organisations do? They invest in technology controls and solutions: multi-factor authentication, firewalls, encryption, data backups, monitoring and logging, endpoint protection... the list goes on. All are important controls to consider for implementation. Yet data breaches caused by human error still occur. Why? Because organisations largely fail to take into account the very essence of human nature.
Consider a footpath that turns at a 90-degree angle, with a grassed area filling the space inside that right angle. Where are the majority of pedestrians going to walk? I can assure you that they will not be taking the longer route on the concrete footpath. There will be a well-worn dirt track through the middle of the grass: the fastest and easiest way to get where they need to go. The same principle applies to security controls. When an end-user identifies an easier way to achieve their aims, that is the route they will take. When security controls and technology solutions are implemented with minimal consideration for the workflows of the end-user, friction occurs. Where friction occurs, circumvention will inevitably be the result. Circumvention of security controls, of course, leads to data breaches.
There are steps that can be taken which will aid in addressing the human factor of cyber security more effectively.
- Prior to deployment of new technology solutions or security controls, organisations should gain input from end users, both internal and external, and test the proposed solution with them to gauge its suitability. System and control design should always consider the human element and the end user.
- Invest in regular cyber security awareness training that has been customised for your organisation, not just a generic module on the financial implications of data breaches. Training should provide realistic scenarios that are enjoyable and engaging, such as a “choose-your-own story” with knowledge tests.
- Follow up cyber awareness training with an ongoing awareness campaign that exhibits to your staff what the benefits of good cyber hygiene are and how it contributes to the overall business strategy and purpose.
- Enlist the assistance of managers within the organisation who can act as “cyber-champions” and influence the culture of the company by making cyber security one of the values of the team.
- Encourage reporting of incidents through a rewards program. According to a Kaspersky report, almost 50% of cyber incidents are hidden by staff. This is often due to overly strict, fear-inducing policies that punish those who report an error or incident. Instead, organisations should motivate employees to report incidents through positive reinforcement.
Research shows that over 50% of customers will pay more for a company’s services and products if they trust that company. Essential to that trust are visible and transparent efforts towards the protection of sensitive data, and it is clear that addressing the human factor is critical to those efforts. It is far easier to design technology and security solutions with consideration of human behaviour than it is to change human behaviour itself.
About the author: Shannon Sedgwick
Shannon provides future-focused leadership to government and enterprise executives and boards to maximise the benefits of implementing new technologies, align that implementation with their strategic intent, and future-proof their organisations against cyber threats. Shannon is a director on the boards of multiple not-for-profits (NFPs) and has a passion for issues affecting the disabled, indigenous and veteran communities.