Contrary to popular belief, only a fraction of data breaches suffered by businesses result from the system being ‘hacked.’ According to Verizon’s 2022 Data Breach Investigation Report and the Office of the Australian Information Commissioner (OAIC), the majority of data breaches are a result of some form of human error.
Underlying factors of ‘human-related’ cyber breaches
Unfortunately, the number of ways that employees can inadvertently be involved in a successful cyber breach is extensive and can be attributed to (but not limited to) the following factors:
- Lack of adequate, ongoing, and measurable awareness training
- Lack of awareness of company policies, procedures, and practices around cyber security
- Skills or decision-based errors (ignorance, negligence, complacency)
- Poor password hygiene and practices
- Inadvertent disclosure or disposal of sensitive or personal information
- Loss of a digital asset (e.g. mobile device, laptop, phone)
- Misconfiguration of systems, applications, platforms, etc.
Any one of these factors can have a significant and damaging impact on an organisation’s brand, reputation, profits, and business operations.
The costs and potential impact of a data breach
According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach now sits at an all-time high of USD $4.35M. While this is significant for an organisation of any size, the financial cost of the breach itself is not the only exposure: executives and boards also run the risk of being fined or prosecuted for non-compliance or a lack of fiduciary care, or of being sued by disgruntled stakeholders.
More important, however, is the reputational damage caused by such violations, which is often immeasurable. A loss of trust by your customers, partners, suppliers, shareholders, and the overall market will impact not only your future revenue but also your business value.
Regulatory attention and potential consequences
The Australian Securities and Investments Commission (ASIC) strongly recommends that businesses develop structured, measurable, organisation-wide training programs and strategies for all staff, contractors, and partners. These programs must enable the business to manage and monitor staff progress effectively, focusing on staff susceptibility and success criteria.
ASIC has stated, “Managing cyber security risks falls within the realm of general directors’ duties. Directors can no longer take their cyber security responsibilities lightly. Without appropriate controls and mechanisms firmly in place, the likelihood of a cyber incident is almost inevitable, thereby exposing them personally to legal liability.”
In March 2022, ASIC declared that it would actively pursue businesses that experience a data breach without having had adequate controls and mechanisms in place to prevent such an event. This commitment to enforcement was demonstrated in May 2022, when ASIC prosecuted RI Advice and its directors under the Corporations Act for negligence.
Mitigating human error in your business
Reducing human error requires top-down leadership and a change in cyber security culture. By adopting a security-oriented culture, in which cyber security is treated in the same way as health and safety, end users become more security conscious and proactive, and are encouraged to identify and discuss security-related issues as they encounter them.
A significant proportion of human mistakes occur because people are unaware of the appropriate course of action to take. For example, staff who are untrained in spotting sophisticated social engineering are likely to give a threat actor unauthorised access to your systems, while those who are not educated on the dangers of phishing are highly susceptible to falling prey to phishing and similar schemes.
With the ever-growing shift to remote work and the day-to-day distractions of modern life, staff cognitive loads are often overwhelmed. Without sustained and current security awareness training, staff will inevitably make mistakes, exposing directors, businesses, and stakeholders to unnecessary risk, costs, and liability.
Engage your employees
Let’s face it, not many of us enjoy workplace training. Employees are busy and will likely have limited attention spans. That’s why cyber security training has to be relevant, current and, most importantly, engaging. Short, easily digestible, and interactive training courses that use image and video content are proven to be far more effective than longer annual one-off training sessions.
Build and strengthen your “Human Firewall”
Our cyber security awareness and training solutions are custom designed for your company’s specific requirements and will assist your staff to:
- Understand their role in protecting the business and its data.
- Develop an understanding of common cyber threats, how they work, and what the consequences are for businesses and individuals.
- Identify what resources and support are available to them to help them stay informed and up to date on current threats.
- Reduce exposure to cyber threats through improved knowledge and vigilance.
- Comply with data privacy and security regulations.
- Enhance cyber hygiene across the organisation.
- Reduce financial losses due to data breaches.
- Protect the organisation’s reputation.
- Increase productivity.
- Most importantly, increase employee confidence and morale by knowing what to do and what to look out for regarding cyber risk.
Are your employees cyber-aware?
To discuss your organisation’s specific cyber security training requirements, please contact us today.
To understand the components of an effective Cyber Security Awareness Program, read our recent blog article ‘How to develop an Effective Cyber Awareness Program’.