Think about every time you send a work email. Browse a website in the office. Access cloud server files from home. Handle confidential client information. Open a text from an unknown number. None of these interactions has much to do with the IT department, but they’re all potential avenues for cyberattack.
If you think your tech literacy protects you, let these numbers sink in: Verizon found that roughly 4% of employees click on phishing links, and recent research revealed that 44% of employees have put their companies at risk of cyberattack.
The days of digital naivety are over. Cybersecurity isn’t IT’s sole responsibility anymore, if for no other reason than it’s impossible for the majority of IT departments to monitor every digital interaction from every employee in real time, especially while working from home.
“Everyone has a role to play,” says Sean Duca, Regional Chief Security Officer at Palo Alto Networks. “Cyber is a vector for good and bad things to happen. It’s up to all of us to ensure that we do what we can to protect ourselves, our families, and the companies we work in.”
Cyber ignorance is the major problem. Cybercrime attacks cost Australian businesses $276,000 per year (on average), and these attacks are usually preventable. They come down to common phishing scams, weak passwords, malware in email attachments, employees sending confidential info over insecure wireless connections, ignoring anti-virus software updates, or downloading free programs that lurk in the system, sending private information back to hackers. All of these can be mitigated by cyber education, training and compliance management.
Small businesses are particularly vulnerable to this sort of thing—they make up about 43% of all cybercrime targets in Australia—because they either don’t have the resources to fight cyber-attacks, or they lack the tech literacy to defend themselves. Then there’s the sheer weight of attacks going on all the time. At best estimate, one in every 728 emails sent in Australia contains some kind of malware. It’s simply not feasible for IT departments to block them all.
The good news is that, when it comes to cybersecurity, prevention is much cheaper than crisis management. In the US, the average cost of a cyber breach is 3.86 million, and it takes (on average) about 280 days to identify and contain each attack. That’s time and money that could be much, much better spent.
And cyber training is effective, too. Accenture found that 70 per cent of employees who received cyber training felt it improved their ability to recognise and react to threats. “This research shows that no matter how much they spend, businesses that fail to educate their staff about cybersecurity put themselves at greater risk of being hacked,” says Rick Hemsley, Accenture’s Managing Director. “Ultimately, an organization’s security is only as strong as its weakest link, which in many cases could be its own workforce.”
Duca agrees, but adds that the future relies on everyone, the entire global market, shifting their mindset on cyber. Demand for cyber experts will always outstrip supply, unless we can efficiently turn everyone into a cyber expert. “Automation is going to be a key element in the future of cybersecurity because human operators should not be required - and expected - to do everything. Instead, they need to harness skill sets that cannot be automated and focus on higher-order tasks such as problem-solving, communication and collaboration,” he says.
So what should small businesses, or any businesses for that matter, do to safeguard against cyber threats? Business Victoria has some useful practical steps (keep up-to-date virus scanners running at all times, improve your network security, store sensitive information on external hard drives or USBs, etc.) but it ultimately comes down to human error.
The 2019 Insider Data Breach Survey showed that, while all types of cyber threats are increasing, employee negligence is rising fastest of all, about 28% per organisation, in fact. “The data shows there’s a disconnect between IT leaders and employees on how each group views sensitive data,” the report says. “This perception gap, combined with rapid growth in unstructured data…have the potential to negatively impact an organization’s security program.”
In other words, don’t leave security to the IT department. We’re all cyber defenders now.