Organisations must develop a cyber strategy and culture that considers the human element if they are to minimise the associated financial, legal and reputational consequences of potential security breaches, writes Sarah Hipkin.
Top-level executives are fully aware of the harm cybersecurity breaches can inflict on an organisation, and that having the right safeguards in place is vital. Safeguards include technical assessments, penetration testing, and reporting alongside compliance with applicable regulations, standards and reporting frameworks. These are integral components of the preventative measures organisations should take, yet failing to consider how human behaviour affects such technical and operational measures means any existing safeguards remain vulnerable.
The latest statistics and trends on data breach notifications from Ireland’s Data Protection Commission (DPC) show that, out of the 6,069 notifications made to the DPC in 2019, 83% are classed as ‘unauthorised disclosures’ by employees. These disclosures include emails and texts sent to an incorrect recipient, processing errors, and disclosures through online customer portals.
Furthermore, 61% of Irish organisations have suffered cybercrime such as fraud in the last two years, with an average estimated loss of €3.1 million. We have seen the impact of high-profile data breaches on numerous occasions involving Ashley Madison, WannaCry, Yahoo and Facebook. Yet if we look beyond the figures, common to all types of security breaches is the human element that underpins an organisation’s cyberculture.
Recognise cyber complexities
Recognising the complex nature of cyber threats is the first step to understanding how the human element has an impact. As well as internal breaches caused by human error, one must also consider negligent or malicious employee behaviour. Negligent breaches occur when employees are not fully aware of the expected cyber practices, the benefits of safeguards, or attempt to circumvent policies due to the sophisticated technical measures in place. Malicious cyber behaviour, on the other hand, often stems from a disgruntled employee who plans to leak sensitive data to harm the company or access information for personal financial gain.
Cyber threat considerations also extend to third-party suppliers that work closely with an organisation and may have data access privileges. Add to this the ever-present problem of how all employees respond to external threats such as hacking, phishing or ransomware and we can begin to see how human behaviour can impact on an organisation’s ability to contain cyber threats.
Develop safe behaviour patterns
Employing safe cyber behaviour policies is vital. Safe behaviour is particularly important as organisations increasingly use the cloud to facilitate more flexible working practices and in the current climate most employees are working from home. Education on the use of social media platforms is another consideration, and organisations must emphasise the difference between safe and unsafe cyber behaviour in terms of how to control information in the public domain.
Rather than merely implementing technical measures such as firewalls or rules that list unsafe cyber practices, organisations should adopt strategies that highlight the practical aspects of cyber behaviour. If employees understand the impact their behaviour has on job security, reputation and trust, they will be more likely to understand and adopt safe cyber behaviour practices.
Understand cybercrime drivers
While developing safe behaviour patterns may not necessarily deter internal or external cybercrime threats intent on financial or reputational damage, it raises employee awareness of malicious cyber behaviour. Such malicious threats can stem from a moral class action initiative or, as we have seen with ransomware incidents, for financial gain.
Whatever the motive or format, all threats inflict financial and reputational damage in different ways. Understanding what makes an organisation’s data desirable to a cyber threat is part of the process in formulating a robust cyber strategy and policies. Building a psychological storyboard of potential motives can focus on testing areas such as strengthening customer password technology or supplementing employee role-based training in a particular area.
Address cultural differences
Policies that are implemented must be closely aligned with the culture of the company. While cyber behaviour commonalities exist across all sectors, the social make-up of the workforce should be a consideration when developing policies and training needs. Creating a cyber behaviour policy and training programme for a retail company will look different from one designed for a public-sector organisation, for example.
With a younger workforce in general, retail companies may wish to emphasise negligent breaches, particularly around web browsing and social media platforms. A younger workforce can also be at increased risk of phishing emails that focus on entertainment to encourage infectious click-throughs. In contrast, the profile of public sector workers suggests susceptibility to phishing emails that masquerade as official communication.
Focus on data hotspots
Linked to the social make-up of the workforce, companies should also consider relevant cyber hotspots. Departments that focus on email communication can be more at risk of accidental data breaches, whereas the finance function can be at a higher risk of business email compromise threats. The careful assessment of human risk and behaviour in these areas can help strengthen more cyber-vulnerable areas of the business and bolster general policies, training and awareness-raising activities. It is also important to refresh risk assessments and training programmes to reflect any changes in the business, such as working from home, and to ensure that systems have the integrity to keep pace with cyber threats that constantly mutate and evolve.
Adopting a preventive approach to cyber threats – one that moves away from implementing technical and operational risk controls in isolation and takes human factors into account – must begin at board level. Leadership from the top not only has the power to enforce cybersecurity awareness more effectively, but it also encourages crucial buy-in from all employees. However, care must be taken to ensure that the measures employed will protect the privacy of employees and customers alike. As we have seen with the General Data Protection Regulation (GDPR), laws on data privacy are not only here to stay but, as our data lives become increasingly connected, the law will become more stringent.
Nor should an organisation underestimate the disruption to productivity arising from data breaches. The possibility of data infringements lying undetected for many weeks or months, followed by months of regulatory investigation and follow-up assessments, can stretch human and financial resources to the limit.
To minimise such disruption, boards must consider human behaviour elements when developing a cyber strategy and programmes. Doing so will give their organisations the best chance of reducing the financial, legal and reputational consequences of potential security breaches in the future.
This article first appeared in Accountancy Ireland magazine in April 2020.