3 ways data helps tackle phishing and other cyber security threats
Industry-research partnerships can generate valuable data and provide practical solutions that can help organisations effectively manage cybersecurity risks, says Bianca Wirth, Director – Cyber Security at KPMG
In 2019, the Australian Competition and Consumer Commission’s Targeting Scams report found that scam emails caused the highest losses across all scam categories, which cost businesses $132 million. But the impact of the COVID-19 pandemic has meant individuals are more vulnerable to phishing attacks. Throughout 2020, several Australian organisations were impacted by malicious cyber-attacks.
Specifically, a recent report by the Office of the Australian Information Commissioner (OAIC) found that 61 per cent of notifiable data breaches reported in the first half of last year were caused by malicious or criminal attacks. Phishing and compromised or stolen credentials, followed by ransomware attacks and then brute force attacks, contributed to an increase of 47 per cent in data breaches.
Of all the industries, the health sector continued to report the largest number of scams at 22 per cent, followed by the finance sector (15 per cent), education (8 per cent), insurance (7 per cent) and legal, accounting and management services (5 per cent). Both the health and finance sectors’ leading causes of data breaches were malicious or criminal attacks.
In response, Prime Minister Scott Morrison announced Australia’s largest-ever investment in cybersecurity – $1.35 billion in existing defence funding to be spent over the next decade. But experts warned such measures would be of limited use unless businesses take action to educate themselves and improve cybersecurity from within before it’s too late.
But as many organisations continue to embrace flexible working, employees who work outside a secure office and technology environment could be vulnerable to phishing attacks and other cybersecurity threats. While Australians are being urged to strengthen their cyber defences and be alert to online dangers through a new national cybersecurity campaign, it may not be enough to protect users from unwittingly clicking on phishing emails.
In this context, one of the critical benefits of industry-research partnerships is the ability to use data to illustrate the broader importance of cybersecurity within an organisation and to improve security risk management across the board, said Bianca Wirth, Director – Cyber & National Security Strategy & Governance Lead at KPMG Australia.
Ms Wirth, who has previously been involved in an industry-research partnership, recently spoke to UNSW Business School’s Yenni Tim, Senior Lecturer in the School of Information Systems and Technology Management, about the latest trends in phishing and cybersecurity, as well as why it’s important for businesses to partner with universities.
1. Data illustrates the importance of cybersecurity to all
Effective communication mitigates cybersecurity risks, but an organisation is unlikely to deliver its messaging and engage its employees successfully without data to back it up. Organisations can therefore use data to identify and understand the challenges, and even to look at how evidence-based solutions can be implemented from a broader industry perspective, explained Ms Wirth.
“What solutions could we come up with that will help automate and make this simpler, so it could be used by not just one organisation, but multiple organisations?” she said. Here, data enables organisations “to get that message out further inside the organisation and help build support for the change that we want to achieve through security, risk, management and changing culture and improving those aspects through that messaging,” reiterated Ms Wirth.
2. Researchers provide a fresh perspective
With an industry-university partnership, researchers also bring a unique set of skills. “From an industry perspective, there’s a real benefit there in terms of [the] many skills and experiences... that in-depth knowledge that you can’t hire into organisations,” said Ms Wirth.
Such partnerships provide mutual benefits: “universities get the research, organisations get the amazing skills and experience out of it – a win-win situation for both,” she added.
“Researchers can bring in-depth knowledge on specific topics or techniques, as well as expertise in formulating the right problem to solve; practitioners can offer rich domain expertise and ensure relevance and applicability of the research,” said Ms Wirth.
Dr Tim said cyber security education in organisations is often almost entirely top-down, with the education or awareness team shouldering the responsibility for making sure everyone else learns about cyber. “But more effective and sustainable learning and behavioural change require empowerment and co-ownership,” she said.
“The importance of cyber security and the organisational progress towards cyber resilience should be visible to everyone and championed by everyone. Having meaningful interpretations of data and making them readily available for the right audience can play a role in this,” she said.
3. Data provides real solutions to everyday problems
In a previous industry-research partnership with the School of Information Systems & Technology Management at UNSW Business School, industry partners worked together with academics to examine how data analytics can tackle one of the biggest cybersecurity challenges today: phishing.
“Phishing is one of the major issues that organisations face today because it’s a human-based issue. It’s human-based security, essentially, and it can be human error that triggers a phishing attack on your organisation,” explained Ms Wirth.
“What we wanted to do was understand, is there a better way, or a different way to approach the problem of phishing? You’re dealing with people’s personalities, and you’re dealing with the psychology that malicious actors inflict on people when they send out phishing emails or phishing texts,” she said.
“We wanted to take an innovative approach to look at phishing to understand how else we can do this? What’s another way to help complement the technology and increase people’s knowledge and awareness?”
Data analytics can be used to understand how resilient or how susceptible people are to phishing. “I think it was really interesting that we were able to use machine learning to identify if this is going to work: can we tell why people are clicking on phishing emails?” said Ms Wirth.
“It was really beneficial to try that out and determine how we could use that method potentially in the future.”
Because data analytics can help identify behavioural patterns, visualisations can be built to guide day-to-day decisions, explained Dr Tim. “Visualisations, when used appropriately, can also help provide visibility and transparency at the organisational level – which means everyone in an organisation will be able to engage in cybersecurity issues,” she said.
Bianca Wirth is Director – Cyber & National Security Strategy & Governance Lead at KPMG Australia. Dr Yenni Tim is a Senior Lecturer in the School of Information Systems and Technology Management at UNSW Business School. For more information, contact Dr Tim directly.