When assessing their organisation's security posture, CIOs are often inclined to add to their IT teams or seek a bigger security budget. However, what many have yet to grasp is that security is fundamentally a cultural issue, not a technology one.

As the saying goes, "culture eats strategy for breakfast," and this certainly applies to IT security. An organisation might have a documented security strategy, the best technological mechanisms in place, and rigid training processes, but none of these are going to be effective unless the organisation instils a security mindset in all employees.

As PwC’s Australia and Asia Pacific cyber leader, Steve Ingram, told CIO Magazine, “It doesn’t matter how much you spend on technology… if your people don’t understand their role in cyber [security].”

The human element

One study has revealed that 19 out of 20 cyber breaches would not have happened if it weren't for human error.

There's one thing that almost all successful cyber attacks have in common: human error.

Human error comes in various forms. It may be a weak password, failing to update software, downloading malware from an infected attachment, or falling for common phishing tricks.

IBM conducted a study of cyber breaches among its customers across more than 130 countries. It found that in 95% of cases, "Human error was a major contributing cause" of the breach.

European defence and security consultancy QinetiQ warns that a lack of security culture is the reason so many organisations are being exposed to cyber attacks. QinetiQ explains that employees are the main vulnerability of an otherwise secure organisation, citing human error, lack of staff awareness, and weaknesses in vetting individuals as common causal factors in security incidents.

This trend is having a significant impact closer to home too. In a recent study from Microsoft, the Asia Pacific region had 1.7 times higher-than-average encounter rates for ransomware in 2020, accounting for 7% of the total worldwide number of reported ransomware incidents. Another report showed Asia Pacific had higher cyber attack rates than the global average in the first half of 2020. And, between April and May 2021, the APAC region saw a 53% increase in cyber attacks.


These are concerning trends for any organisation operating in APAC. And, as Australia is revealed as the third most targeted country in the world for cyber attacks in the first six months of 2021, it doesn’t look like the pressure will be off CIOs anytime soon.

A different focus

As threats continue to mount, understanding and managing cyber security risks has become a critical issue for IT and business leaders alike. Australian organisations are responding by boosting their security budgets: Gartner predicts that Australian organisations' spending on information security and risk management technology and services will reach $5.1 billion in 2021, an expected 7.3% year-on-year increase.

Yet, although this growth lags behind the expected global growth of 12.4%, more spending is not the whole answer. Technology can only do so much to protect a business against a breach, particularly when attackers are making the most of employee negligence. Without proper staff education and behavioural change, any technology investment is made in vain.

For CIOs, this means taking a holistic approach to security and having a clear understanding of the complex interaction between human behaviour, technology, and organisational process.

Most employees interact with information and technology that is critical to the functioning of the organisation, but if they’re not aware of how to protect these assets, the organisation is at risk.

It is the IT department’s responsibility to give employees the right skills and awareness, and to influence the behaviour that protects the organisation. Employees need to understand what to protect, why they should want to protect it, and how IT can help them do so. Rather than security being an add-on, or a department off to the side, it needs to be embedded into everything employees do. It’s about securing the human, not the device.

Senior consultant on human performance at QinetiQ, Simon Bowyer, explains it well:

“To educate and influence the behaviour of employees is to restrict the easiest attack route into a business. When employees have a natural inclination towards security by virtue of an integrated company ethos, they are motivated to remain alert to risks and unusual behaviours.
If firms are to stand a chance against cyber threats, [they] must design their security strategy taking into account human behaviour and propensity of employees to act in a security conscious fashion. Firms must work towards a vision, where employees recognise the importance of cyber security best practice and how even actions that we all take for granted, like checking a Facebook page at lunchtime, could provide cyber-criminals with an avenue into a business.”

How to minimise incidents of human error

Cyber attackers look for opportunities and vulnerabilities so they can easily get into an organisation's systems, and humans are, of course, the biggest vulnerability a business has. It may be impossible to completely eliminate human error, but there are ways that businesses can minimise these opportunities.

Privileged access management (PAM)

Privileged access management (PAM), also known as 'privileged account management', 'privileged identity management' (PIM), or just 'privilege management', is a cyber security strategy businesses can use to greatly reduce their attack surface. In essence, it restricts each user's access to the areas of the network they don't need in order to do their job.

Many analysts consider using a PAM strategy as "one of the most important security projects for reducing cyber risk and achieving high security ROI." It also helps to mitigate damages should an attack occur and reduces the potential attack surface.

Passwords

Weak passwords, and the reuse of the same password across accounts, are the bane of any IT specialist's role. Hackers can easily run thousands of password combinations in seconds using sophisticated software, and those programs are only getting better.

[Graph: How fast can a hacker brute force your password? Sourced from: https://www.komando.com/security-privacy/check-your-password-strength/783192/]

"The best advice here is to shift your thinking from passwords to pass-phrases" - Edward Snowden talks password security on Last Week Tonight with John Oliver, 2015.

Ensuring your organisation understands the importance of password security and best practices, and implementing password management programs, will help mitigate this very common aspect of human error that leads to network vulnerabilities.
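To put the passphrase advice above into numbers, here is an added Python example (not from the article or the graph it cites) that estimates the search space an attacker would have to cover for a random password versus a random passphrase. It assumes a constructed guessing rate of 10 billion guesses per second and a 7776-word dictionary; both figures are assumptions, not values from the page.

```python
import math
import string

# Assumed offline guessing rate against a fast, unsalted hash: a constructed
# illustrative figure, not a number taken from the article.
GUESSES_PER_SECOND = 10_000_000_000
# Assumed passphrase dictionary size (the Diceware word list has 7776 words).
DICEWARE_WORDS = 7776

def charset_size(password: str) -> int:
    """Size of the alphabet spanning every character class the password uses."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    return sum(n for alphabet, n in classes if any(c in alphabet for c in password))

def password_keyspace(password: str) -> int:
    """Candidates a brute-force search must cover for a random password of this
    length drawn from the character classes it uses. This is an upper bound:
    human-chosen passwords are far more predictable than random ones."""
    return charset_size(password) ** len(password)

def passphrase_keyspace(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> int:
    """Candidates for word_count words picked at random from the dictionary."""
    return dictionary_size ** word_count

def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)

def years_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / rate / (365 * 24 * 3600)

def compare(password: str, word_count: int) -> dict:
    """Side-by-side figures for a password and a word_count-word passphrase."""
    pw, pp = password_keyspace(password), passphrase_keyspace(word_count)
    return {
        "password_bits": round(entropy_bits(pw), 1),
        "password_years": years_to_exhaust(pw),
        "passphrase_bits": round(entropy_bits(pp), 1),
        "passphrase_years": years_to_exhaust(pp),
    }

if __name__ == "__main__":
    # Constructed sample: an 8-character mixed-case alphanumeric password
    # versus a five-word random passphrase.
    print(compare("Xk7pQm2z", 5))
```

The eight-character password falls to an exhaustive search in well under a day at the assumed rate, while the five-word passphrase has roughly 17 more bits of entropy, which is why a policy that favours long, memorable passphrases over short complex strings reduces this class of risk.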

Culture change

One of the more effective, yet perhaps harder to implement, methods of mitigating human error is to change the organisation's culture around how it talks about cyber security. Encouraging employees to ask questions and opening up discussion about security is one important area where businesses can start to make this change.

Friendly, ongoing reminders about security best practices may also be a good step forward, provided they are presented in non-technical and accessible language. Less technically-minded employees may feel left out of many of these conversations and may present the greater risk, so engaging the whole organisation is important. You may want to talk to your marketing teams to help you with these communications too.

Going beyond tech

A data breach can be the biggest kind of crisis a CIO will have to face, and it’s one that’s become a reality for more and more IT leaders, particularly in Australia. But technology alone won’t deliver sufficient security.

CIOs must address the issue at the heart of the organisation and create a natural environment for secure employee behaviour. This is more than a box ticking exercise; it’s about engaging staff in a way that resonates with them to ensure that they convert learning into tangible action and new behaviour. In the process, a CIO’s biggest security threat becomes his or her biggest security asset.
