Move Over Essential Eight – it’s got to be The Necessary Nine!
As Australia has embarked on its journey towards a digital omnipresence that has permeated nearly every aspect of our lives, both work and personal, we have, of course, had to meet the challenge of the invisible adversary: cyber criminals.
The actions of these cyber vermin manifest themselves as attacks upon our digital and cyber environments, and the reactive strategy was to block them, to make their task harder, and to make our technology more resilient to this malfeasance.
The Australian Signals Directorate (ASD), in a display of leadership, took upon itself the burden of establishing a set of recommended actions to guide Australian organisations and businesses towards a greater state of cyber resilience against the ever-growing cybercrime threat. The result was ASD’s 35 Risk Mitigation Strategies to mitigate the cybercrime threat. Acknowledging the differences in cyber defence maturity and resource capability between organisations, and accepting that some organisations do not require, or are not capable of implementing, all 35 recommended actions, ASD articulated the strategies in an order of priority that would provide the greatest beneficial effect. Further, ASD determined that if organisations adopted its Top 4 mitigation strategies, they could reduce their vulnerability by as much as 90% or thereabouts.
As time marched on and “digital transformation” became ensconced in our daily vernacular, with the growing complexity of the technology in our environments, the migration towards “cloud”, greater outsourcing and dependence on third-party providers, and of course the increased sophistication and success of the cybercriminals, ASD took the step of expanding its “Top 4” to the “Essential Eight”, and the 35 mitigation strategies grew to 37. This also reflects the continual evolution of technology, of its defence, and of resilience against an ever more capable adversary.
Interestingly, and not surprisingly, all of the 37 Risk Mitigation Strategies advocated by ASD are technology solutions, which were on an absolutely solid foundation when developed and released upon the Australian environment. When Australian organisations and businesses took it upon themselves to accept this sage advice and pursue attainment of the Top 4, the Essential Eight and the 35 strategies, they did indeed build a stronger and more robust cyber defence posture, target-hardening their environments to resist the endeavours of cybercriminals.
From the adversary’s perspective, the consequence of this is to:
· develop more sophisticated technological tools to defeat the defences;
· provide greater focus on those organisations of less resilience;
· focus on those parts of the business that are not so resilient – the human;
· or all of the above.
An interesting study by Dr Michael McGuire of Surrey University into the criminal economy of the Dark Web found that cybercriminals focus on where we are most vulnerable: where humans put fingers to keyboards.
A number of email gateway security providers have postulated that 96 to 99% of all cyber attacks launched today target the human in the first instance.
When one reviews the data of the Office of the Australian Information Commissioner (OAIC), the argument is crystallised. Since the introduction of the Notifiable Data Breach Scheme legislation 3 years ago (22 February, 2018), Australians have been reporting approximately 1,000 data breaches per year. Interestingly, and with amazing consistency, only 4-5% of all breaches reported are attributed to a failure of the IT environment. Approximately 35% are attributed to “physical” human breaches, that is, non-digital data breaches. Then we have the malicious attacks where the human is defeated at the keyboard: clicking on the malicious link, downloading the malicious payload, surrendering credentials to a phishing attack.
In summary, of all the data breaches reported, 5% are attributed to an IT failure and 95% to a human failure.
Now one could debate and argue about the attribution of numbers and percentages, but ask any cybersecurity professional, “What is the greatest vulnerability in your organisation?” and they will tell you, “Their people”.
So, does this not beg the question, “Why is the ‘Development of a Human Cyber Security Awareness/Culture Program’ not included in the ASD top 35 risk mitigation strategies?”
Is this because ASD considers itself an advisor on “technical” matters only, or has it been so distracted on the technical side of the house that it has completely overlooked the human element? My colleague Dr James Carlopio shared an interesting study he took part in many years ago. Hundreds of postgraduate doctorate holders were asked to develop a response to a business challenge. The responses were many and varied, but what was clear is that they could be grouped into “clusters”. Some responded with a technical solution to the challenge, some were driven towards an administrative solution, some were people- and culture-focused, and there were others.
Researchers then looked further into the reasoning behind the formation of these clusters and found that most of the responses depended upon the respondent’s first field of study. Those with an accounting background focused on the numbers, engineers focused on the technical, and those from a humanities background looked at the human element. Thus ASD, comprising technically gifted people, defaults to what it knows: a technical solution.
Now please let me be crystal clear: this paper in no way, shape or manner advocates anything less than the utmost respect and appreciation for ASD, its amazing people and the brilliant work they undertake. However, it is time for a review of the 37 Risk Mitigation Strategies.
We have to acknowledge the vulnerability of our human workforce and our failure to properly take our people and our community on this journey of safety, security and preparedness. The time to act is now. It is time for the “Essential Eight” to become the “Necessary Nine”. It is time not to add the “human program” as number 36, but to make it number One and move everything else back one place.
It is time to stop this nonsensical notion that we can find a technical solution to remove the human from the equation. Quite frankly, I doubt that is even a world I would care to live in…