What is the state of cybersecurity training in Australia?

by Brett Henebery, 28 Apr 2017
Cyberespionage is now the most common type of attack seen in manufacturing, the public sector and, increasingly, education, the Verizon 2017 Data Breach Investigations Report has warned.

Much of this is driven by the volume of proprietary research, prototypes and confidential personal data held in those sectors, all of which are hot-ticket items for cybercriminals.

Nearly 2,000 breaches were analysed in this year's report, and more than 300 were espionage-related, many of which started life as phishing emails.

In addition, organised criminal groups escalated their use of ransomware to extort money from victims: this year’s report sees a 50 percent increase in ransomware attacks compared to last year. 

Chris Tappin, Senior Consultant – Computer Forensics Expert at Verizon Enterprise Solutions, told L&D Professional that the biggest call to action to come out of the report was for organisations to take a proactive rather than reactive approach to information security.

“With 88% of breaches falling into only nine patterns of attack, investing a small amount of time upfront can either lessen the severity of an incident or allow your organisation to avoid it entirely,” Tappin said.

“Much like a burglar casing every house in a given street, cybercriminals, too, are usually looking for an easy target. To borrow a phrase: ‘Your organisation doesn’t have to be better at Information Security than the cyber criminals, you just have to be more secure than the other targets.’”

Tappin said the level and quality of internal Information Security training across Australian organisations is “hugely varied”. 

“To give an example, in Australia in the past year, we saw two scenarios: one was client contacts pointing out the video screens or banners in their lift lobbies or offices that are used to display online safety tips,” he said.

These can include regular reminders regarding Information Security, as well as news of specific threats (for example during the recent spate of ‘Australia Post parcel delivery’ phishing emails).

“The other scenario involved a member of the team responsible for training users being aware that Verizon were investigating financial loss at their organisation as a result of a generic phishing campaign. Whilst Verizon were still investigating, this member of staff themselves fell victim to a different phishing email.”

So how can organisations ensure their learners are mitigating cybersecurity risks?

Tappin says learners should be provided with training around keeping their accounts and devices secure. These include safety tips (such as phishing awareness) as well as how to report when they have been targeted.

“Only 20% of users in the DBIR 2017 data reported phishing emails,” Tappin explained.

“This number is higher than the number of people who clicked the links in phishing emails (7.3%), but improved training will increase the level of reporting whilst reducing the number of people who fall victim to phishing.”

As well as training, Tappin says organisations should also consider ways to limit the damage that a compromised machine or account can do in their environment.

“The ‘principle of least privilege’ has been around since the 1970s, and states that ‘every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job’,” he said. 

“For example, several of today’s threats rely on fooling a user into executing a downloaded program or running macros from within Microsoft Office documents. These and many other abilities can be restricted by IT departments and granted on an ad hoc basis only to users that require them for business reasons.”
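The macro restriction Tappin describes is, on Windows, a handful of Office policy registry values that Group Policy normally delivers. The script below is an added example written for this article, not code from Verizon or from the report: it audits the current macro posture on a workstation, reports the weak setting (macros enabled) beside the hardened one, and applies the hardened values. It assumes Office 2016 or later (policy key version "16.0") and that the three listed applications are the ones in use; the "signed macros only" switch is the ad hoc exception the quote mentions, meant to be scoped to a security group of users with a genuine business need.

```powershell
# Added example (not from the article or Verizon). Audits and hardens the Office
# macro policy. Assumptions: Office 2016+ ("16.0" policy key), Word/Excel/PowerPoint,
# and the script runs in the context of the user profile whose HKCU policy it edits.
$OfficeVersion = '16.0'                 # assumption: Office 2016 or later
$Apps          = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification (Office default),
#              3 = disable all except digitally signed, 4 = disable all without notification.
$WeakValue     = 1
$HardenedValue = 4

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        if ($vba -eq $HardenedValue -and $motw -eq 1) { $status = 'hardened' }
        elseif ($vba -eq $WeakValue)                   { $status = 'WEAK: all macros enabled' }
        else                                           { $status = 'partial or unset (Office default applies)' }

        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $motw
            Status              = $status
        }
    }
}

function Set-MacroPolicy {
    param([switch]$AllowSignedOnly)   # the documented business-need exception
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Block macros in files carrying the Mark of the Web (downloads, mail attachments),
        # regardless of what VBAWarnings allows for locally created documents.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

        # Default posture for everyone: no macros at all. The signed-only value is granted
        # ad hoc, to users who need it, via a separately scoped policy.
        $value = if ($AllowSignedOnly) { 3 } else { $HardenedValue }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $value -Type DWord
    }
}

Write-Host 'Before:'; Get-MacroPolicy | Format-Table -AutoSize
Set-MacroPolicy
Write-Host 'After:';  Get-MacroPolicy | Format-Table -AutoSize
```

The companion control for "executing a downloaded program" is application allow-listing (AppLocker or Windows Defender Application Control), which denies execution from user-writable paths such as Downloads and Temp by default; that is a separate policy and is not shown here.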

Tappin said that more generally, steps should be taken to segment resources so that when a user or computer is compromised its influence is restricted to as small an area as possible. 

“Verizon has investigated incidents in which every computer in a global organisation was part of the same network, enabling Point of Sale malware to spread across their business locations around the world,” he said.
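Segmenting a flat network so that one compromised host cannot reach every other one is primarily a network design job (VLANs, ACLs, separate POS and office zones). The host-based complement, which can be rolled out by policy long before the network is redesigned, is to stop workstations from talking to each other on the ports lateral-movement tooling uses. The following is an added example, not Verizon's or the article's code; the workstation subnet and the management host address are invented placeholders. Note that Windows Firewall evaluates block rules ahead of allow rules, so the management hosts that legitimately need inbound SMB, RDP or WinRM must sit outside the blocked range.

```powershell
# Added example (not from the article or Verizon). Host-based lateral-movement
# restriction for a domain-joined workstation. Assumptions: workstations live in
# 10.10.0.0/16 and administrative access comes only from 10.20.1.10 (both invented).
$WorkstationSubnet = '10.10.0.0/16'
$ManagementHosts   = '10.20.1.10'
$LateralPorts      = @{ SMB = 445; RDP = 3389; WinRM = 5985 }

function Set-LateralMovementBlock {
    foreach ($name in $LateralPorts.Keys) {
        $port = $LateralPorts[$name]

        # Peer workstations never need these services on each other: block them.
        New-NetFirewallRule -DisplayName "Block $name from workstation subnet" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $WorkstationSubnet -Action Block -Profile Domain | Out-Null

        # Management hosts (outside the blocked range) keep access.
        New-NetFirewallRule -DisplayName "Allow $name from management hosts" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $ManagementHosts -Action Allow -Profile Domain | Out-Null
    }
}

function Get-LateralMovementBlock {
    # Verification: list the rules this script owns, with their port and remote scope.
    Get-NetFirewallRule -DisplayName 'Block * from workstation subnet' |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Enabled = $_.Enabled
                Port    = $portFilter.LocalPort
                Remote  = $addrFilter.RemoteAddress
                Action  = $_.Action
            }
        }
}

Set-LateralMovementBlock
Get-LateralMovementBlock | Format-Table -AutoSize
```

Applied across the fleet by Group Policy, this turns the flat network of the POS incident above into one where malware on a single machine can still reach its servers, but not the other tills and desktops beside it.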
