In modern business across all industries, large amounts of data are moving in and out of the organisation at any time. Emails to suppliers and clients, staff uploading and downloading files, web data being recorded and personal data about employees being saved. It is a treasure trove for a would-be cybercriminal.

Given the quantity of moving data and each employee’s busy schedule, it makes sense that 82% of data breaches involve a human element. So this month, we thought it might be helpful to run through some common errors that lead to cybersecurity vulnerabilities.

Why do individual errors occur?

One of the main reasons for these human errors is that people are busy. They have competing priorities, and even if they see something odd, they don’t always flag it.

Let’s look at an example from our friendly Wattle Business team.

Financial Controller Frank is home sick with a cold, and Millennial Receptionist Melissa has received a reminder email from their internet provider to pay an overdue invoice. The bank account doesn’t match the one on Wattle’s system, but Melissa is distracted trying to juggle several changes to the appointment schedule and figures that Frank must not have had a chance to update it yet.

Unfortunately, it was a scam email, and the money went straight to the cybercriminals. The best practice here would have been to make a quick phone call to confirm the new bank account details.

It is still relatively common for people to assume that cybersecurity is IT’s responsibility and that someone else will notice and take care of it if a cyber incident occurs. Even at a management level, some firms hold the misconception that they have been there, done that, and bought the t-shirt. They have invested in cyber software, ticked the compliance box, and moved on. However, cybersecurity is an ongoing challenge. Because hackers are continuously evolving the way they attack, your cybersecurity strategy and internal staff training must keep evolving to keep pace.

Cybersecurity falls under what we call a shared responsibility model. The executive team allocates the budget and helps determine the company’s risk tolerance. The IT team and/or your Managed Service Providers install anti-virus protection and ensure up-to-date software and patches are applied. However, to ensure your data is protected, it’s crucial to embed a culture of cybersecurity within your organisation. Every team member is responsible for using safe information-sharing practices, flagging anything that doesn’t seem quite right, and using a critical eye when it comes to suspicious-looking emails or links.

Minimising and Mitigating Errors

A vital first step is to consider your organisation’s primary areas of vulnerability, the probability of attack and whether a breach would have a high or low impact on the company. You can then look at how to minimise the risk and what controls should be implemented. Security controls can be divided into three categories:

1. Physical controls

As the name suggests, physical control is a concrete measure such as a perimeter fence around your office, a badge reader or surveillance cameras.

2. Technical controls

Technical or logical controls are implemented directly via the computer system or network. Examples include firewalls, encryption, or authentication mechanisms.

3. Administrative controls

An administrative control is a guideline or procedure that governs the people within the organisation. For example, Wattle Business Services could have avoided a cyber breach if they had a process specifying that team members could not change a supplier’s bank account details in the system until they had made a phone call to validate the new information.
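As an added example (not from the original post or from Wattle’s or Colton Computers’ own systems), here is how that administrative control could be enforced in a bookkeeping system rather than left to memory: a change to a supplier’s bank details stays pending until a second person confirms it by calling the phone number already on file, and no payment can go out while the change is pending. The Vendor and ChangeControl classes are assumptions made up for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Vendor:
    name: str
    bank_account: str      # account currently approved for payments
    phone_on_file: str     # contact number recorded before any change request


@dataclass
class BankChangeRequest:
    vendor: Vendor
    new_account: str
    requested_by: str
    verified_by: Optional[str] = None
    verified_via: Optional[str] = None   # number that was actually dialled


class ChangeControl:
    """Holds bank-detail changes until a call-back on the number on file confirms them."""

    def __init__(self) -> None:
        self.pending: Dict[str, BankChangeRequest] = {}

    def request_change(self, vendor: Vendor, new_account: str, requested_by: str) -> BankChangeRequest:
        # Entering the change does NOT update the approved account yet.
        req = BankChangeRequest(vendor, new_account, requested_by)
        self.pending[vendor.name] = req
        return req

    def verify_by_phone(self, req: BankChangeRequest, verified_by: str, dialled_number: str) -> None:
        # Separation of duties: whoever keyed the change cannot also verify it.
        if verified_by == req.requested_by:
            raise PermissionError("verifier must be a different person from the requester")
        # The call must go to the number already on file, never to one supplied in the email.
        if dialled_number != req.vendor.phone_on_file:
            raise ValueError("call-back must use the phone number on file")
        req.verified_by = verified_by
        req.verified_via = dialled_number
        req.vendor.bank_account = req.new_account   # only now does the change take effect
        del self.pending[req.vendor.name]

    def account_for_payment(self, vendor: Vendor) -> str:
        # A supplier with an unverified change is on hold; the invoice itself may be a scam.
        if vendor.name in self.pending:
            raise RuntimeError(f"bank change for {vendor.name} is awaiting phone verification")
        return vendor.bank_account
```

In Melissa’s situation the payment would have been blocked, and the call to the provider’s known number would have exposed the scam before any money moved.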

Some top tips for minimising risk

Is your company doing what it can to avoid these human errors? Here are our top tips to help minimise your risk.

1. Have 2FA and use it

2. Hold regular cyber education sessions with your team

3. Follow best practices or risk being liable

4. Flag anything odd

5. Verify bank details over the phone

6. Know what phoney alerts look like

For more information or advice, check out our Resources page. Alternatively, you can get in touch at 02 6361 1116 or support@coltoncomputers.com.au.