It’s a human problem – not an IT one
The Cyberthreat Defense Report released by US firm CyberEdge earlier this year suggests that 82% of all cyberattacks involve the human element – whether that is sensitive information accidentally made public, staff unwittingly clicking on a phishing link or a person allowing their network access credential to be compromised.
Perry Carpenter, KnowBe4 Inc, writing for Forbes
All the technology in the world is not going to help if an employee clicks on a link, shares their login credentials with a third party or is careless with storing sensitive information.
Business leaders should be considering how they might upskill or reskill employees to strengthen their data governance as scrutiny on privacy becomes tighter.
One of the lingering cultural issues, particularly among small and medium-sized businesses, is the belief that their organisation isn’t big enough to be targeted for cybercrime.
Big data breaches are the ones in the headlines, but the latest OAIC information shows 91% of notifiable data breaches involve the personal information of 5,000 or fewer individuals worldwide.
Supply chain risks also need to be understood in a strong cybersecurity culture, and to do that it is important to think like a cyber-criminal.
Smaller organisations can be more easily accessible, and can be the gateway to bigger entities, such as the companies that might source or contract their products and services.
If a small operation supplies a national firm, who does it make more sense to target?
Attackers can gather details about systems, expose client relationships and gather confidential information about directors, partners and other stakeholders.
A business that proves to be the weak link in the value chain, the point where an attacker breaks in, could be flagged as high risk, which could severely hinder its future opportunities.
A security culture is an important application of risk management because it empowers people within a business to identify and deal with potential security risks.
A typical multi-stage risk analysis might consider:
Identifying existing risk areas, such as security processes for how data is accessed and shared, which includes who may have access to the network.
Assessing risk areas, weighing up how they could be addressed, identifying potential solutions and examining their impact on workflows and operations.
Once solutions are determined, explore how those changes might be implemented and communicated, both within the organisation and externally if necessary.
The temptation among leaders and executives is to think about cyberattacks and data breaches as a technology problem, but a security culture touches every part of a business.