It's become something of a cliche to say that people are the weak link in cybersecurity.
But a new survey by Aura Information Security confirms that, well, we are, and it adds new dimensions to the problem, including IT bosses who think they are better communicators than they are, and your kids.
Analysing the results, Kordia chief information security officer Hilary Walton starts with the obvious: human frailty continues to undermine the best-laid defences.
"The top four cyber-attack vectors were phishing, credential-harvesting, scams and fraud, and ransomware," she says - all forms of cyber-attack that usually rely on people casually clicking on suspicious links or email attachments, or handing over login details to strangers without thinking.
On a similar theme, the survey for Aura also found that one-third of employees admit to reusing the same passwords across both work and personal devices and accounts - a classic blunder, because if any single service you use is compromised, cyber-crims then have sweeping access to many of your accounts. (If you're not already, you should be using password management software to automatically generate and fill in passwords, so you only have to remember one master password.)
Meanwhile, lockdowns have amplified another problem: work or BYOD devices being shared with people outside your office. The survey found some 15 per cent of parents let their children use their work device - not a great idea when "running rampant" cybercriminals are already exploiting the pandemic exodus to home offices, where security is often weaker.
It also found that around a third of us don't bother to install a smartphone or computer software update as soon as it's available - a big problem when security patches are one of the main reasons for interim iPhone, Android, Windows and macOS updates.
Then Walton moves to a result that might reveal why so many of us continually make such blunders.
The survey found while 62 per cent of New Zealand businesses say they carry out security training exercises with their staff, only 37 per cent of Kiwis say they have received training on good cybersecurity practices.
This seems to be the guts of things.
Bosses are overestimating their staff's cyber smarts - or at least the effectiveness of their communication.
"A lot of the time, it's just not being internalised," Walton says. She compares it to Covid-19 messages around masks and scanning that are repeated, and broadly understood, but just don't sink in or translate into everyday behaviour.
"Education shouldn't just consist of a one-off cybersecurity lesson which is quickly forgotten, but constant reminders and check-ins to ensure best practice is being followed. Reducing human errors will significantly strengthen your cyber defence."
The Herald can look close to home for such an effort. An internal education campaign to encourage staff across the NZME stable to report suspicious emails took out Best Security Awareness Campaign at iSANZ, the Information Security Awards NZ.
NZME's campaign raised awareness of phishing by using humour, video, posters and a reporting button shaped as a fish and hook. It targeted more than 1000 staff across the Herald, provincial newspapers, OneRoof, NewstalkZB, Radio Hauraki, ZM, The Hits and other NZME properties, and saw an 80 per cent lift in the reporting of suspicious emails.
Lastly, don't look down your nose at staff who don't know a Chrome extension from their elbow. You have to create an environment where people feel free to come forward with questions about the likes of dodgy email attachments.
Aura Information Security commissioned Perceptive to undertake a quantitative research project focused on cybersecurity. An online survey of 362 business IT decision-makers from organisations was conducted during September 2020. To qualify, respondents had to be a decision-maker regarding IT or information security within their company; hold a management position or higher; and work in an organisation with 20 or more employees.
Four tips for better security now
1. Run a password manager workshop to show your team how easy it is to use unique passwords across applications.
2. Chances are you started using work collaboration tools a whole lot more during lockdown. Make good use of these by communicating your organisation's key security messages on a regular basis. Simple 'tip of the day' type messages can work well.
3. Teach your team how to easily update smartphone apps in one hit. This is important because all apps encounter vulnerabilities, such as the one WhatsApp announced earlier this year which was exploited by remote attackers.
4. Explain how to spot 'phishy' emails. Run a mini workshop or make use of the many great resources available online, for example Kordia's CyberWise module.
Source / Kordia