Intelligent CISO Issue 61 | Page 49

Cybersecurity has been leading the news in Australia in recent months. Seemingly every sector has been hit by an attack, from government departments to banks, telcos, healthcare providers and retailers. According to the ACSC, businesses of all sizes have seen a 14% increase in cybercrime reports.
Companies no longer doubt that it is a case not of if they will be attacked, but of when and how.
In the largest recent breaches, we've seen personally identifiable information (PII) of employees and customers stolen for sale online or held to ransom with a hefty price tag.
Optus' information was accessed through an application programming interface (API) which was mistakenly left open, potentially for weeks or months. In Woolworths' MyDeal leak and the Medibank breach, access was gained with compromised user credentials. Harcourts, a real estate agency in Melbourne, was breached via a staff member using a personal device to access the database.
Although the method of entry differs from attack to attack, the common factor is the human element.
Verizon's 2022 Data Breach Investigations Report found that 82% of data breaches include some sort of human component, whether through sharing devices, using unsecured devices, clicking on suspicious links or, in some rare cases, staff intentionally targeting their own organisation for malicious purposes.
The human part can be difficult for security teams to analyse, especially if it comes down to an innocent mistake from a worker. It's also difficult to assess the cyber literacy of an entire workplace and deploy the specialist training that these vulnerabilities require.
It can be a nightmare scenario when internal mistakes meet opportunistic external actors.
If trusted employees are the biggest threat to data security, does that mean we can never be safe?
It's becoming more apparent that while we can't deter hacking attempts, we can make it harder for cybercriminals to get in and for data to get out.
Daniel Benad, Group Vice President and Regional GM, ANZ and Oceania, Rimini Street
Human error should be expected, and it's something companies need to be prepared for, making comprehensive and continuous cybersecurity education a priority for all organisations.
Businesses need to figure out the holes in their systems, the ones a staff member could mistakenly expose. It can be as simple as working out which apps are the clunkiest or least user-friendly and only work on certain devices, which inadvertently encourages staff to use their less-secure personal devices.
Many applications, including systems crucial to keeping a business running, just aren't built with security as the utmost priority. They are great at serving their specific purposes, but chances are maximum security isn't core to their design.
Furthermore, acquiring knowledge of the threatscape and learning from others is key to mitigating possible breaches.
Sharing knowledge of threats is a key way to counter them. If your threat analysis only covers a business's specific set of circumstances, chances are it's only the tip of the iceberg. If you don't have the skillsets in-house to do this (which, amid an increase in high-profile attacks putting cybersecurity skills in high demand, is understandable), outsourcing to specialist companies becomes a strategic investment without overburdening existing budgets.