Why are we still so bad at cybersecurity?
With many organisations still getting cybersecurity wrong, try these tips for improving workers’ cyber behaviour.
In brief
- Many organisations are still not getting the basics right when it comes to cybersecurity.
- The top behavioural reasons for poor cybersecurity are neglect, people feeling like they have done enough or not knowing what to do.
- Changes in behaviour need to be leader-led and human-centred, with techniques such as gamification and nudging helping to make people more proactive on cybersecurity.
Despite media reports of damaging cyber attacks, some companies are still not paying attention to the warnings and adequately protecting themselves.
A report from New Zealand’s National Cyber Security Centre (NCSC) categorised 40% of SMEs as ‘complacent’, with a third of this group admitting they were not prepared to prevent a cyber breach from occurring.
For some companies, even the basics, such as regularly updating application software and using multi-factor authentication (MFA), are not being done.
Factors driving behaviour
In the NCSC survey, forgetfulness was the top reason (25%) for not attending to the basics, followed closely by a feeling enough was already being done (24%). Lack of time (17%), feeling overwhelmed (16%) and not knowing what to do (14%) were not far behind.
Michael Jagusch, director of mission enablement at the NCSC, believes the biggest barrier for people is not knowing where to start.
“I think cybersecurity remains an area that people perceive as really complex. Within that perceived complexity, security can get pushed down the priority list,” Jagusch says.
“Also, some of these organisations don’t feel that it will happen to them. What we try and get across is that all organisations have things that could be of value to a cybercriminal, such as contact lists, client databases and invoice systems.
“We are seeing a bit of an ‘ambulance at the bottom of the cliff’ mentality, as opposed to defence at the top.”
Another reason people don’t take basic cyber precautions, according to Marthie Grobler, principal research scientist at Data61, CSIRO’s specialist AI research and development arm, is that security processes such as logging in with MFA can be seen as a hassle that gets in the way of productivity.
“Thirty seconds at a time for 20 times a day adds up, and it breaks people’s flow. People develop this perception around cybersecurity that it might be good, but it’s a pain to perform,” says Grobler.
Human-centred approach
To help organisations lift their cybersecurity game, Grobler and her team use human-centred cyber training to change the attitudes of individuals and make them more proactive.
For executives, Grobler’s team works with Australia’s Cyber Security Cooperative Research Centre to offer gamification simulation training. Executives create a cyber strategy for a fictional organisation and use a Monopoly-style board to channel resources into implementing the strategy. The organisation is then hit by a cyber attack and the executives must respond and make a statement to the media.
“It’s about convincing executives that they need to understand cybersecurity, because if they don’t, they could be on the front page of a newspaper,” Grobler says.
“You can’t do anything if you can’t convince the leadership of an organisation to change. If you work with the individuals themselves, it helps to ingrain behaviours.”
Training at the staff level is more complex in design and often requires an organisation-wide overhaul of training methods.
For large organisations such as banks and major retail groups, Grobler’s team can create staff personas to identify the security behaviours needed, the barriers to those behaviours and ways to improve them. Training techniques such as ‘nudging’, which is used in occupational health and safety, can influence people’s behaviour.
“We try to implement smaller behavioural changes to encourage people to do the right thing at the right time,” Grobler says. “For example, when you receive a suspected phishing email, you definitely should not click on it. Deleting this email is good, but better behaviour is to report the email. By providing a one-click ‘report’ button in an easy-to-see location, users are gently nudged towards smarter cybersecurity.
“You need to make it as easy as possible for the user to comply, otherwise they’re going to find a way to not comply. It’s just human nature.”
Jagusch agrees, saying change needs to start at the top and be delivered in small, digestible steps.
“Leaders need to think of cybersecurity as much as they do HR and health and safety,” he says.
“We encourage leaders to bring cybersecurity into that broader decision-making framework and break down the challenges of managing security into meaningful steps.”
Cyber self-assessment tool
The National Cyber Security Centre (NCSC) offers an online self-assessment tool that organisations can use to determine the state of their current cybersecurity measures. The tool delivers a list of suggestions for where defences can be improved.
Michael Jagusch, director of mission enablement at the NCSC, says the relatively simple and well-known critical controls and Australia’s Essential Eight strategies are still the best lines of defence.
“Even in the sophisticated threat actor space, cybercriminals are using well-known tools and techniques,” he says. “Most attacks are the more routine kind that basic controls can prevent.”