Four cybersecurity misconceptions placing your business at risk
Common cyber misconceptions may be preventing your organisation from maintaining a safe online environment, says UNSW Canberra Cyber Director Nigel Phair
Cybercrime is on the rise. In 2019, cyberattacks occurred every 14 seconds, up from every 40 seconds in 2017. As COVID-19 drives up internet use more than ever before – up 50 per cent compared to this time last year – it is likely that cybercrime will grow in step.
According to a report from leading information security advisory, Herjavec Group, cybercriminal activity is one of the greatest threats companies will experience in the next two decades.
Accenture’s 2019 Cost of Cybercrime Study calculated that the cost of these attacks for an organisation increased from US$11.7 million (A$16.02 million) in 2017 to a new high of US$13.0 million (A$17.8 million) – a rise of 12 per cent. This can impact organisations from start-ups to multinationals, and even governments.
Despite this, many professionals remain in the dark about what cybersecurity is, and how to implement it. According to a survey by antivirus software provider, McAfee, 57 per cent of Australian cybersecurity managers have trouble finding staff to join their cybersecurity teams.
“Business [today] is intrinsically linked to the internet, so it’s crucial for businesses to understand threats in the online environment,” says Nigel Phair, Director of UNSW Canberra Cyber, a global leader in cybersecurity research and education. Alongside his work in Canberra, Mr Phair provides thought leadership and policy advice on the impact of cybercrime to multinational organisations and governments globally.
He is also the program director for the new virtual learning program: Cyber Security Essentials for Leaders, developed in conjunction with the Australian Graduate School of Management (AGSM). The program will help organisations protect themselves from different types of cyberattacks.
According to Mr Phair, there are four main cybersecurity misconceptions that hold back business leaders from maintaining a safe online environment.
1. Not all businesses are at risk of a cyberattack
Since virtually all businesses have at least one digital component – whether a website, email system or computerised database – all are vulnerable to cyberattacks. “Since all businesses have an online aspect, it seemed appropriate that people learn this integral part of a successful business,” Mr Phair explains.
For Mr Phair and his colleagues, one fundamental aspect of the Cyber Security Essentials for Leaders short course will be to help business leaders identify risks to their business.
“First, we talk about protecting the business value and ensuring the survivability and ongoing measure of the business,” he says. “They’ll also learn to use a risk management framework to make decisions about their cybersecurity protocol and how to action it.”
2. Viruses are the biggest cyber threat
Although ransomware and spyware attacks tend to attract the most media attention, they are not the most common cyber threat – in fact, according to a study by cybersecurity solutions provider FireEye, 86 per cent of email attacks are free from malicious software, or malware as it is commonly known.
The two biggest cyber threats are currently phishing attacks and compromised emails.
In a phishing attack, cybercriminals attempt to collect confidential data using deceptive emails and websites. An email compromise is a similar, but more targeted, form of email attack, during which criminals pose as a prominent company member to convince an employee to provide money or information.
These attacks are incredibly common. One 2019 survey found that 88 per cent of organisations experienced a phishing attack that year, while 86 per cent dealt with an email compromise attack.
“Protecting against these ubiquitous threats requires company leaders to quickly recognise them and relay this information to their team,” says Mr Phair. “The business’ ability to pass on knowledge is crucial.”
3. Antivirus software and firewalls are the only lines of cyber defence
Software plays an important role in keeping digital assets secure, but people – not programs – are a company’s first line of cyber defence.
Email attacks depend on human fallibility, so well-informed employees are a key component of cybersecurity strategy.
“Cyberattacks are not so much a technical problem as a people problem,” Mr Phair reflects. “Everyone in an organisation could be susceptible to a cyberattack, and it’s everyone’s responsibility to protect the digital assets of their organisation. Regular training is a crucial element of any organisation’s cybersecurity strategy.”
Incidents like Uber’s 2018 data leak also highlight the human error aspect of cybersecurity. The breach occurred when two hackers accessed data stored in a third-party cloud service and could have been prevented through access monitoring using readily available software. It was a blind spot in Uber’s cybersecurity strategy that allowed the incident to happen.
To avoid such oversights, Mr Phair recommends a careful assessment of the data an organisation holds. “You then need to use risk management concepts to work out what data needs to be protected, understand where it is housed, who has access, and the login regime,” he explains. For this approach to be effective, trained individuals must constantly monitor and maintain online security, communicating any potential leads to business leaders.
4. Cyber threats do not vary much
Although phishing and other email threats are the most common form of cybercrime, it's important to bear in mind that the risks an organisation faces can vary significantly depending on industry, size, structure, and the kind of data they hold. These threats are constantly evolving.
“[Besides phishing,] other risks include attacks on unpatched software, payment systems, and supply chains,” Mr Phair notes. “Leaders need a clear understanding of all these factors as they predict threats and employ a cybersecurity strategy. Elements of this strategy might include staff training, firewalls, or antivirus software,” he adds. “There’s no blanket route to overcoming cyber threats.”
Social media accounts have also recently emerged as a point of vulnerability. A recent cyberattack on Twitter allowed hackers to access the accounts of 130 celebrities, politicians, and businesspeople – including Kim Kardashian, Barack Obama, and Jeff Bezos.
Through the new Cyber Security Essentials for Leaders course, Mr Phair says he hopes to equip professionals with the skills they need to make tailored cybersecurity decisions that will keep their organisations safe.
Nigel Phair is the Director of UNSW Canberra Cyber and an influential analyst on the intersection of technology, crime and society. He is also the program director for a new virtual learning program: Cyber Security Essentials for Leaders, developed in conjunction with the AGSM @ UNSW Business School. The program will help organisations protect themselves from different types of cyberattacks. This post was originally published on Business Because.