Barely a month passes without media reports of a major organisation falling prey to cyber-crime. Organisations that hit the headlines for cybersecurity failings often suffer an immediate halt of operations and then shred trust among customers and expose themselves to massive financial and legal risk.
Incidents in recent years range from the Marriott’s customer database being hacked, exposing the records of up to 500 million people, to a cyber-attack on the Australian Parliament requiring 4,000 users to reset their passwords, to an attack on the power grid in Ukraine leaving hundreds of thousands of homes and businesses in the dark.
Look past the lurid anecdotes and the data shows that the frequency, scale and severity of cyber-attacks are rising. Up to 68 per cent of businesses are estimated to experience attempted attacks annually, exposing 4.1 billion records in the first half of 2019.
Given the trend, it is unsurprising that investment in cyber-resilience and technology-hardening is growing. The global cyber-security market is expanding at 7 per cent a year, to sit at US$96.3 billion, and the Australian market is following a similar trend, up 6.5 per cent to A$3.8 billion.
But despite this investment, malicious actors remain a few steps ahead.
Attackers select the time and method of attack and only need to succeed once, while defenders must protect against all methods at all times. This risk is exacerbated by modern technical environments becoming more complex, integrated and dispersed, increasing points of vulnerability. Staff are expected to be more digitally engaged through more channels. And technology alone cannot thwart cyber-threats because the industry largely reacts to threats exposed through cyber-attacks.
Cyber-security has traditionally been IT’s problem, left to the Chief Information Officer or to a dedicated Chief Information Security Officer. But over half of business leaders consider cyber-attacks as the most significant threat facing their organisation in the near future, and the Australian prudential regulator has now officially designated information security as a board responsibility. Clearly a whole-of-organisation response is required.
It is clear the initial approach to cyber-security, focused on hardening technology, is approaching its effective limits. Further strengthening the walls of the fortress is not likely to keep out the invader when there are other, easier ways in, especially if staff accidentally leave the door open behind them.
Instead we need to think about cyber-security more broadly. Important as technology is, it only represents one of the three pillars on which cyber-security depends. The other pillars – people and processes – are often overlooked by organisations seeking to improve their defences, creating vulnerabilities that hackers are successfully exploiting.
Our experience working with organisations to strengthen their cyber-security has revealed that well-intentioned staff can be the biggest vulnerability, usually unintentionally.
Of the nearly 1,000 notifiable breaches reported to the Office of the Australian Information Commissioner in the year to March 2019, about 80 per cent involved a human vulnerability, usually a person inside the organisation who had unwittingly facilitated the attack.
The sources of human vulnerabilities vary greatly. They include phishing (in which a threat actor uses seemingly genuine contact details to lure a victim into revealing confidential information), malicious downloads, vulnerable physical security, incorrect use of devices (including personal devices), the decentralisation of information, malicious insiders and inadvertent human error. The common element across vulnerabilities is the person.
Human behaviour is crucial to all aspects of cyber-security. Consider the recent case in which the Victorian Auditor General tried to test physical security at state government offices by hiring specialist security consultants to go undercover and attempt to gain access. Though challenged in some instances, the testers managed to gain access, for which the Auditor General blamed human error and a weak security culture. “The weak security culture among government staff is a significant and present risk that must be urgently addressed,” the report concluded.
Another audit, this time on the security of patient data in hospitals, reached a similar conclusion on a culture of security awareness. This is not uncommon, with only an estimated 5 per cent of organisations’ folders and files properly protected.
The reluctance of many employees to take responsibility for cyber-security is reflected in the sentiments many people express. It is not uncommon to hear people say “We have nothing of value” or “It is the IT department’s job to protect us”. Some people seek to dodge security measures by finding work-arounds, and others throw their hands up and say they are not sure how they can help or simply remain ignorant of the threat.
Culture matters in instilling cyber-safe practices. Even at the cutting edge of artificial intelligence, ultimately it is humans that are establishing the parameters and making the big decisions. This gives people the autonomy to have impact, but also leaves them vulnerable to being the weak link in the security chain. Culture is a lever to fortify cyber-security in the long-term and so needs to be entrenched rather than treated as a useful aid for a short-term transition.
So what can leaders in an organisation do? It is important to recognise that improving cyber-security cannot be assigned to the CIO; all line managers have a responsibility for the cyber culture of their staff, therefore the CEO (or equivalent) has the ultimate responsibility. Boards also have a responsibility to ensure that organisations are taking appropriate cyber-security measures as part of their responsibility for managing risk.
Once attention to the issue is being paid at appropriately senior levels, organisations need to find ways to strengthen their cyber-security culture. Many organisations are undertaking a targeted cultural resilience program to improve the ability to prevent and respond to cyber-threats.
We suggest a four-step strategy.
First, it is vital to understand the current cyber-culture and maturity through a targeted assessment and diagnosis. This must be tailored to reflect the business context, employee demographics, organisational structure and distribution, as well as business strategy, vision and mission, and shared beliefs. This needs to be complemented by deep knowledge of best practice, benchmarking, and current targets and vulnerabilities, in combination with proven capability in digital strategy, culture, organisational performance, leadership and risk.
A tailored cultural assessment can quantify the behaviour (observable actions), attitude (approach to a situation) and knowledge (cyber-security understanding) among staff, identifying gaps in the current cyber-security culture. This assessment can be repeated over time to track progress, captured in a dashboard for easy reference and comprehension.
The assessment highlights areas of focus and identifies targets for pragmatic interventions to have greatest impact. For the fictitious organisation above, we see low results across the data cohort and those with a tenure over five years, so would target these groups with cultural interventions, such as additional training or a proactive communication campaign. This will complement organisation-wide changes to help enhance resilience, including hardening of technology systems.
Second, in combination with the cultural assessment, identify underlying mindsets through focus groups and use this to identify and prioritise emerging interventions to address the diagnosed cultural gaps. These interventions need to target the seven cultural levers.
Third, implement and test interventions. To be effective and achieve staff buy-in, interventions need to reflect the organisation’s context and should involve collaboration. Through iterative testing, organisations can assess what is working and what is not, refining as they go. Interventions may include role-modelling leadership behaviours, building a relevant and consumable knowledge base, recognising good practice, and developing new staff-centred policies, procedures and guidelines.
Fourth, scale-up solutions. Informed by earlier testing, optimised interventions can now be rolled out throughout an organisation. The nature of cyber-security threats means that participation and compliance needs to reach 100 per cent of the organisation, because just a single exception can create a vulnerability that can undermine security. New employees need to be inducted into the cyber-security culture, and undertake timely training.
Over time the nature of cyber-security threats will evolve. While robust technical defences are important, they will not be enough to ensure an organisation’s security. Instead, organisations need to equip their staff with the skills and imbue them in a culture that will protect their security, whatever new threats emerge.
Organisations that fail to engage with the challenge risk being the next cyber-security headline.
Get in touch to discuss how Nous can help your organisation build a cyber-risk-aware culture.
Published on 18 February 2020.