Fight cyber crime with culture not technology
I was caught up in a bank robbery 26 years ago. Not surprisingly, I remember everything about the event in vivid detail. What he was wearing, what he looked like, and the look on the bank teller’s face as the offender pointed a pistol across the counter. It was a local Challenge Bank branch on St Kilda Rd. I still think about it to this day. Lunch time, on a work day, an inner Melbourne branch. Yet it was basically empty, save for a couple of startled bank staff and a young 22 year old trying to open a new account. It all happened fast. He wasn’t a very good criminal, if you judge criminal success by A) getting away with it and B) getting away with A LOT.
Everyone knew he was there. Immediately. Everyone knew what he wanted. Immediately. Then he left. Immediately. He was in and out within two minutes, with a small wad of cash. I wasn’t so lucky. It took four hours before all the police interviews were completed. That gave me a lot of time to think. Mostly about how someone can walk into a bank, point a gun and run out with cash. I mean this was 1991, not the 1830s. I started to pay attention to security. No guard, no pop-up screens, almost empty. It was a soft target.
The more I think about business security in the modern age, the more I see the differences to the good ol’ days. Remember when security was the last person out turns off the light, sets the alarm and shuts the door? Petty cash was guarded by a rubber band and a cranky bookkeeper with far too much hairspray? When there was a breach, you knew about it. There was broken glass, a busted lock, or a petrified 22 year old customer with blonde hair.
Mostly, security was about perimeter defence. Businesses implemented fences, window bars, security doors, guard dogs and patrols. It was about keeping the criminals out. I’d argue today’s physical perimeter defence is often weaker. We don’t hold cash. There’s not as much for a petty thief to pinch.
Call it digital transformation, internet-of-things, ‘the cloud’ or online services, we are moving more and more of our valuable assets into shared and connected spaces. As we do this, we become a target for three different types of criminals: those who want to take our stuff, those who want to use our stuff for bad purposes and those who want to learn about us, then impersonate people we trust to defraud us of our money. And make no mistake, it is BIG BUSINESS. I’m not going to harass you with stats, but I’ll give you one quote:
Cyberattacks are the fastest growing crime and predicted to cost the world $6 TRILLION annually by 2021 and will be more profitable than the global trade of all major illegal drugs combined. Official 2019 Annual Cybercrime Report – Cybersecurity Ventures
The thing that is difficult for most businesses to understand is that cyber criminals don’t break in and cause havoc. They sneak in and lurk. Like cockroaches. And like cockroaches, a LOT of people have them and don’t realise it.
Can you stop them? Well, not really. But you can be a tougher target than ‘the next guy’. There is a lot of technical information about cyber security (which is unsurprisingly also big business), but the majority of attacks that affect most businesses are actually a result of human behaviour. This includes:
- Poor password strength (because passwords are inconvenient, right?);
- Visiting sites they shouldn’t (there’s a reason that movie is available for free on that site);
- Installing software they shouldn’t (why is there so much free software?);
- Clicking links and opening attachments they shouldn’t (we’ve all done that one);
- Poor password management (saving passwords because we made them strong and can’t remember them);
- Poor patch management (I know a lot of you are saying patch what?);
- Outdated policies and procedures;
- Too much trust! (Would the CFO REALLY ask for that invoice to be urgently paid while he is on holidays?).
Why do you think you get so much spam mail? Simply because... it works.
When I look at the security position of most businesses, they have strong protection from the things they can imagine. The perimeter. But criminals are a clever bunch. They know this too and have adapted their approach to target human behaviour, through various means.
The most significant thing you can do to improve your cyber security posture is to develop a strong security culture. Begin by accepting the necessary balance between security and productivity and take a zero-tolerance approach to security vulnerabilities. You’ll be much better protected than if you spend enormous sums of money on security products while you remain the weakest link.
The HRIA is running a cyber security workshop at HIRE19, during which we’ll be talking about the types of attacks and how you can educate your staff to be less vulnerable. We’ll attempt to be as non-technical as we can be. The aim of the session is to improve the cyber security culture of the Association through awareness.
If security is important for you, and it should be, then I’d love to see you there.
Jason LeGuier. Hire industry technology expert.