Battling complacency in cybersecurity

Despite the use of cutting-edge technology and vastly improved employee training and awareness, organisations continue to face a major danger through complacency or an unwillingness to take security seriously.

By Tim Ferguson

Fri 7 Dec 2018 @ 17:05

Security awareness has never been higher among workers and the public at large. The stream of high-profile cyberattacks and data breaches has seen to that, as has the significant improvement in how cybersecurity training is delivered in companies, with new approaches such as computer-based training (CBT) and gamification proving engaging and effective.

Organisations are also making efforts to foster a culture of cybersecurity so that the general workforce can support the security team, with good practice embedded into the way employees do their jobs.

But despite this, the risk of employees becoming unwitting accomplices to a cyberattack remains. This is particularly true given that ransomware attacks, which posed the greatest threat in 2017, appear to have given way to attacks in which cybercriminals focus their efforts on individuals.

Social engineering and phishing emails are becoming more sophisticated in the way they exploit human nature to make people act in the criminals’ interests. That may be by tricking office workers into thinking they are helping a senior manager by transferring funds (whale phishing), or fooling home buyers into approving fund movements to progress their house purchase (Friday afternoon fraud).

The success of these types of attacks can be reduced through tools that block phishing emails before they reach a user’s inbox, and through better security awareness. But the risk remains. And while many people will be aware of basic security hygiene, there will still be some who don’t understand the full implications of fundamental principles, like not using unsecured networks or sharing passwords.

Even at higher levels of organisations, there remains a complacency or lack of understanding when it comes to the threats faced.

Take the senior security manager with a healthcare technology provider who failed to report a cyberattack and breach of health records that took place earlier this year because he didn't want to deal with the extra work it would entail.

According to evidence given at an inquiry into the cyberattack on SingHealth, a junior member of staff at Integrated Health Systems informed the manager that an attacker had infiltrated the organisation’s patient database, but the manager elected not to report the incident to superiors. The decision, apparently taken because the manager wasn’t keen to put in the work to provide the answers that would inevitably be needed, then created a bottleneck in reporting the breach.

The cyberattack on SingHealth saw the personal data of 1.5 million patients stolen. Some 160,000 of those patients, including the country’s prime minister, saw their outpatient medication data extracted. This was no minor compromise.

Another eye-opening revelation recently was that Japan’s new cybersecurity minister doesn’t use computers and is unfamiliar with cybersecurity. While avoiding computers is certainly a way for the minister to avoid being hacked himself, it doesn’t inspire confidence in his ability to deal with his brief.

Yoshitaka Sakurada, whose portfolio of responsibilities also includes serving as minister for the 2020 Olympic Games in Tokyo, admitted to a lower house committee that he was not familiar with cybersecurity matters.

He went on to say his biggest job as a cabinet minister was to read out written replies prepared by bureaucrats without making mistakes. He understandably faced criticism from opposition politicians, with one saying his lack of knowledge could lead to losses for Japan’s economy.

While it could be argued that ministers without expertise in their area of responsibility aren’t unique to this case, the point is that complacency still exists around cybersecurity, even within senior management and government.

It’s not always the people within an organisation that you might expect – such as people who need to access the internet for most of their work, or older generations who aren’t as technology-savvy – who are creating risks. Whether it’s through a lack of knowledge or a lack of willingness to act, senior employees can be just as culpable.

As these examples illustrate, ensuring employees aren’t the weakest link in cybersecurity continues to be an area that businesses and government must address. If they fail to do so, cybercriminals will continue to take advantage of complacency-related opportunities.