“Service NSW confirms 180,000 customers' personal details exposed in cyber security breach”
“A cyber-crime is reported every ten minutes in Australia”
“NAB flags cyber-attacks during the pandemic have intensified”
Concerning headlines? Yes. Surprising? No.
In an era of amplified cyber risk, we’re inundated by an onslaught of cybercrime-related headlines almost daily. We wake up to news of another organisation suffering a ransomware attack, or another data breach, or another hacking attempt. And if it isn’t a new cyber-attack, it’s the ripple effect of one that occurred a while ago (think Blackbaud) or the discovery of a greater number of compromised records from a previously reported data breach, or a cyber lawsuit. All in all, an endlessly expanding roster of security failures that implies we are (supposedly) losing the war against cybercrime.
Then there are updates from security experts, agencies, and others. Be it from the FBI, Microsoft, the Australian Cyber Security Centre, or WHO, there appears to be a rising chorus of cyber alerts from around the world, all collectively chanting the same warning: “cyber-attacks are on the rise”.
The psychological tolls of heightened cybercrime
The problem arises when, overwhelmed with the sheer volume of cyber alerts, professionals cease to be affected, and in an act of apathetic indifference or even cyber nihilism, begin dismissing them, “tuning out” if you will.
“With data breaches making headlines every day, we have created a social immunity to them,” says cybersecurity expert Troy Hunt in an article on “breach fatigue”.
Multiple terms exist for this phenomenon, depending on who is affected. Most point to a reduction in motivation among professionals to enhance cyber resilience levels.
There’s “cyber fatigue”, which Cisco defines as 'virtually giving up on proactively defending against malicious actors', reporting that almost half (42%) of Infosec professionals suffer from it – a finding that’s understandably of concern for business leaders. KPMG also uses this term to describe the effect of “media saturation” on senior management, warning that the cascade of recent security breaches is “eroding boardroom vigilance despite the potential effect on brand confidence and income.” In addition, reports have surfaced citing “data breach fatigue” among the general public, with researchers observing that “the public is gradually losing interest in reacting to” data breaches. In another study, the US National Institute of Standards and Technology (NIST) observed the impact of “relentless cybersecurity warnings” on users back in 2016, stating that “security fatigue” is stopping people from keeping themselves safe, resulting in “many ignoring warnings they have received.” The study’s respondents “were fatalistic about what they could do to avoid being attacked and many were resigned to being caught out at some point.”
These attitudes can have dangerous implications, especially as cybercrime-related alerts become more frequent amid a period of increased cyber-risks. Now, more than ever, cybersecurity needs to be taken seriously, and businesses should proactively take measures to enhance cyber resilience levels. But this won’t be possible if business owners, for example, reading that even companies with cutting-edge cyber defences are becoming victims of cybercrime, conclude that no amount of preparation matters, and slash cybersecurity budgets. Or if any professional, numb to “yet another data breach”, ignores another reminder to update passwords frequently. Or if an InfoSec leader, overwhelmed by how insidious & targeted email-based cybercrime is becoming, doesn’t explore other email security solutions to reduce risks.
Amid the backdrop of an ongoing health crisis, and with more professionals working remotely, it’s easy to buckle under the psychological pressure of heightened cyber risk. But here’s where we need to remember and remind our teams that where we’re seeing a rise in cyber-attacks, we’re also being presented with opportunities to thwart them.
Recognising the “opportunities” to mitigate risks
NAB recently reported being targeted by nearly 3M cyber threats per day, including phishing emails designed to steal customer & employee data, but what its headline failed to mention was that the bank also successfully blocked 197M cyber-attacks in the first quarter of this year, 41,000 of which were attempts to steal customer data. Similarly, Google has reported not only receiving, but blocking 18 million COVID-19 scams and phishing emails every single day.
It’s a matter of perspective, and understanding that every report, every instance of cybercrime that we come across, while indicating a more treacherous threat environment, also includes lessons on adapting and navigating that environment – be it the importance of implementing multi-factor authentication, or patching networks, or defending inboxes from insidious phishing emails with layered security. Each effort to boost cyber resilience, as small as it may be (like checking for suspicious links before clicking on an email), is playing a big role in preventing catastrophic damage, including financial losses. Just ask Elon Musk, whose multi-billion dollar empire was saved from a “serious cyber-attack” thanks to one employee speaking up.
Commenting on the current cybersecurity climate, Alastair MacGibbon, Australia’s former national cyber security adviser, warned businesses that IT security practices “would come under a tough test” as more companies shift to remote working: “Overwhelmingly COVID-19 will present challenges for the way we work and live, but we must also look for opportunities. It will test us and our ability to secure remote workforces, and that is an exciting challenge.”
I couldn’t agree with him more. Every time we come across an instance of cybercrime, we should look for “opportunities” in every report and in every alert, as a means of educating ourselves about which vulnerabilities were exploited, and how the cyber-attack could have been thwarted. Instead of getting overwhelmed by the uptick in cyber threats in the current environment, we can rise to the challenge and renew our efforts to be vigilant and proactive when it comes to cybersecurity, as we pivot to new ways of working, and new environments that lead to increased risk.
I know it’s easier said than done, but the consequences of not doing so can be severe. When it comes to cyber-attacks today, it’s no longer a question of “if” but “when”. That doesn’t mean you can’t mitigate the risks and prevent your business from being a sitting duck. Instead, review your existing cybersecurity measures and enhance them where needed. In the context of email security, for example, we know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. We can’t assume that’s as good as it gets, especially with email-based cybercrime evolving in speed and sophistication every day. Don’t accept that risk. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, you can use a third-party cloud email solution like MailGuard 365 to complement Microsoft 365.
Let’s continue making the right choice
Thankfully, many professionals are recognising and responding to these opportunities. If the pandemic has led to a spike in cybercrime, it also has, according to a survey by Microsoft, led to business leaders actively rethinking their cybersecurity strategies: 58% of business leaders have reported budget increases for security, while human security expertise is at a premium, with more than 80% of companies adding security professionals in response to COVID-19.
Current “insights from security leaders echo many of the best practices that Microsoft has been sharing with customers and working around the clock to help them implement. The bottom line is that the pandemic is clearly accelerating the digital transformation of cyber-security,” says Andrew Conway, General Manager, Microsoft Security.
This is a cyber silver lining that has emerged from the pandemic. We need to continue down this path and remind our teams, especially on days where we feel inundated with an onslaught of depressing cyber news, that if there are greater cyber risks, there is also greater cyber awareness around how to mitigate those risks. Take the opportunity to continue to iterate and refine your plans.
Tomorrow when you wake up, it’s likely that you’ll find out about another “devastating cybersecurity threat” or a ransomware attack disrupting a well-known organisation. You have a choice: You can dismiss it, thinking that this isn’t anything new, or that there are too many & sophisticated threats, and no action needs to be taken.
Or you can look at the “opportunity” it provides, an opportunity for you to explore what your team could be doing to mitigate the risks of the cyber threat in question. So that when it strikes, your business is ready.
I hope you make the right choice.
Do you have any other tips or advice for professionals who may be suffering from data breach fatigue? Leave your comments below.