The Human Factor: Strengthening Cyber Security through Awareness Training

This post highlights the critical impact of human error in cyber security incidents and emphasises the need for businesses to prioritise strong cyber security practices to mitigate ‘people risk’.

These practices include Cyber Security Awareness Training (which is a gap for many organisations), as well as implementing multi-factor authentication and other protection layers to reduce risk and strengthen overall security.

An uninformed, unaware and untrained employee is like an open door for a cyber criminal. By implementing an awareness training program and putting basic security measures in place, this door can be closed and locked.

The Cost of Human Error

According to the 2022 Data Breach Investigations Report by Verizon, a staggering 82% of data breaches involve a human element.

This statistic emphasises the significant role employees play in exposing confidential information or inadvertently enabling a breach: skill-based errors are the primary cause of data breaches.

Notably, the most expensive data breach events are business email compromise (BEC) scams and phishing attacks, costing ~$5.01 and ~$4.61 per record stolen respectively, as highlighted in the 2021 IBM Cost of a Data Breach Report.

BEC and phishing data breach events take considerably longer to resolve when compared to other cyber incidents. An average BEC scam takes 238 days to identify and 79 days to resolve, whereas an average phishing attack takes 213 days to identify and 80 days to resolve.

Such a prolonged period of exposure and vulnerability underscores the need to address this risk.

How Could This Impact My Business?

Once a cyber criminal has gained access to your system (via a business email compromise scam or phishing attack, for example) there are three main ways they can impact your business:

  1. Social engineering fraud: the criminal gains information about your payment systems, then deceives an employee into transferring money into their bank account.
  2. Ransomware lockout: the criminal locks you out of your system or encrypts your data, demanding a ransom payment in return for access.
  3. Data theft: the criminal steals your data, which may include confidential, sensitive and/or personal data on your customers or employees. They may demand a payment from you or sell your data to other criminals.

As a result of publicity surrounding the Optus, Medibank and Latitude Financial data breaches, the third item above – Data theft – is the most commonly understood type of cyber crime.

It is worth noting, however, that the first two items – Social engineering fraud and Ransomware lockout – are likely to have the greatest impact on a small or medium sized business.

Enhancing Cyber Security through Awareness

There are many actions you can take to reduce the risk of a cyber security incident in your business – and improving organisational awareness and employee education is one of the most effective.

Think about your workforce as a protective layer. Now consider the level of protection your employees will bring if they are aware of common threat types and know how to identify and report a threat. What level of protection do your employees provide if they are not aware? What action might an employee take if they receive a phishing email that appears to be from Australia Post, Telstra, Amazon or a bank?

We want our employees to be empowered to identify and respond effectively to a potential threat.

Consider the following steps to enhance your cyber security through your people:

  1. Awareness Training and Education: Conduct regular awareness training sessions that cover a broad range of cyber security topics including the latest cyber threats, phishing techniques, password management and safe online practices. Plan specific training modules for employees who handle sensitive data or business finances.
  2. Threat Reporting Culture: Establish clear protocols to promptly report and respond to a security threat or incident. Encourage employees to report suspicious activity or potential breaches – this leads to a culture of vigilance and proactive incident management.
  3. Multi-Factor Authentication (MFA): Implement MFA across all systems and applications to add an extra layer of security. This approach significantly reduces the risk of unauthorised access, even if an employee falls victim to a phishing attack.
  4. Regular Security Updates and Patches: Keep all software and systems up to date with the latest security patches. Regularly update antivirus software, firewalls, and other security tools to protect against emerging threats.
  5. Compliance with Regulations and Frameworks: Familiarise your organisation with cyber security and privacy regulations or frameworks relevant to your business, such as the Essential 8, Privacy Act, Privacy Principles, ISO 27001, and ISO 27701. Adhering to these frameworks will demonstrate your commitment to protecting sensitive data and establish a strong foundation for cyber security practices.

Final thoughts

The data on cyber security incidents speaks for itself – human error is a significant risk if not addressed. We recommend businesses of all sizes implement education and awareness training for their teams, and put basic security measures in place to mitigate the threat of a cyber attack.

Synergy Compliance understands the unique challenges Australian small and medium-sized businesses face in improving their cyber security posture. We offer a range of services to support our clients in meeting this objective, including organisational Cyber Security Awareness Training, Privacy Awareness Training, Risk Assessments, Policy Development and Incident Response Planning.