Craig McDonald, Sep 24, 2020 1:13:59 PM

Data breach fatigue is real. Stay vigilant & look for lessons to be more cyber-resilient


“Service NSW confirms 180,000 customers' personal details exposed in cyber security breach”
“A cyber-crime is reported every ten minutes in Australia”
“NAB flags cyber-attacks during the pandemic have intensified”

Concerning headlines? Yes. Surprising? No.  

In an era of amplified cyber risk, we’re inundated by an onslaught of cybercrime-related headlines almost daily. We wake up to news of another organisation suffering a ransomware attack, or another data breach, or another hacking attempt. And if it isn’t a new cyber-attack, it’s the ripple effect of one that occurred a while ago (think Blackbaud) or the discovery of a greater number of compromised records from a previously reported data breach, or a cyber lawsuit. All in all, an endlessly expanding roster of security failures that implies we are (supposedly) losing the war against cybercrime.  

Then there are updates from security experts, agencies, and others. Be it from the FBI, Microsoft, the Australian Cyber Security Centre, or WHO, there appears to be a rising chorus of cyber alerts from around the world, all collectively chanting the same warning “cyber-attacks are on the rise”.    

The psychological tolls of heightened cybercrime  

The problem arises when, overwhelmed with the sheer volume of cyber alerts, professionals cease to be affected, and in an act of apathetic indifference or even cyber nihilism, begin dismissing them, “tuning out” if you will.   

“With data breaches making headlines every day, we have created a social immunity to them,” says cybersecurity expert Troy Hunt in an article on “breach fatigue”.

Multiple terms exist for this phenomenon, depending on who is affected. Most point to a reduction in motivation among professionals to enhance cyber resilience levels.  

There’s “cyber fatigue”, which Cisco defines as 'virtually giving up on proactively defending against malicious actors', reporting that almost half (42%) of InfoSec professionals suffer from it – a finding that’s understandably of concern for business leaders. KPMG also uses this term to describe the effect of “media saturation” on senior management, warning that the cascade of recent security breaches is “eroding boardroom vigilance despite the potential effect on brand confidence and income.” In addition, reports have surfaced citing a “data breach fatigue” among the general public, with researchers observing that “the public is gradually losing interest in reacting to” data breaches. In another study, the US National Institute of Standards and Technology (NIST) saw an impact of “relentless cybersecurity warnings” among users from back in 2016, stating that “security fatigue” is stopping people from keeping themselves safe, resulting in “many ignoring warnings they have received.” The study’s respondents “were fatalistic about what they could do to avoid being attacked and many were resigned to being caught out at some point.”

These attitudes can have dangerous implications, especially as cybercrime-related alerts become more frequent amid a period of increased cyber-risks. Now, more than ever, cybersecurity needs to be taken seriously, and our customers should proactively take measures to enhance cyber resilience levels. But this won’t be possible if business owners, for example, reading that even companies with cutting-edge cyber defences are becoming victims of cybercrime, conclude that no amount of preparation matters, and slash cybersecurity budgets. Or if any professional, numb to “yet another data breach”, ignores another reminder to update passwords frequently. Or if an InfoSec leader, overwhelmed by how insidious & targeted email-based cybercrime is becoming, doesn’t explore other email security solutions to reduce risks.  

Against the backdrop of an ongoing health crisis, and with more professionals working remotely, it’s easy to buckle under the psychological pressure of heightened cyber risk. In this situation, our responsibility as expert advisors and cybersecurity consultants to businesses becomes even more important.

Recognising the “opportunities” to mitigate risks 

NAB recently reported being targeted by nearly 3M cyber threats per day, including phishing emails designed to steal customer & employee data, but what its headline failed to mention was that the bank also successfully blocked 197M cyber-attacks in the first quarter of this year, 41,000 of which were attempts to steal customer data. Similarly, Google has reported not only receiving, but blocking, 18 million COVID-19 scams and phishing emails every single day.

It’s a matter of perspective, and we need to remind customers that every report, every instance of cybercrime that they come across, while indicating a more treacherous threat environment, also includes lessons on adapting and navigating that environment – be it the importance of implementing multi-factor authentication, or patching networks, or defending inboxes from insidious phishing emails with layered security. Each effort to boost cyber resilience, as small as it may be (like checking for suspicious links before clicking on an email), is playing a big role in preventing catastrophic damage, including financial losses. Just ask Elon Musk, whose multi-billion dollar empire was saved from a “serious cyber-attack” thanks to one employee speaking up.  

Commenting on the current cybersecurity climate, Alastair MacGibbon, Australia’s former national cyber security adviser, warned businesses that IT security practices “would come under a tough test” as more companies shift to remote working: “Overwhelmingly COVID-19 will present challenges for the way we work and live, but we must also look for opportunities. It will test us and our ability to secure remote workforces, and that is an exciting challenge.”

I couldn’t agree with him more. Every time our customers come across an instance of cybercrime, they should look for “opportunities” in every report and in every alert, as a means of educating themselves about which vulnerabilities were exploited, and how the cyber-attack could have been thwarted. Instead of getting overwhelmed by the uptick in cyber threats in the current environment, businesses can rise to the challenge and renew their efforts to be vigilant and proactive when it comes to cybersecurity, as they pivot to new ways of working, and new environments that lead to increased risk.

I know it’s easier said than done, but the consequences of not doing so can be severe. When it comes to cyber-attacks today, it’s no longer a question of “if” but “when”. That doesn’t mean businesses can’t mitigate the risks and prevent their teams from being sitting ducks. Instead, we can proactively assist them in reviewing their cybersecurity measures. A multi-layered approach is fundamental to ensure our customers’ cybersecurity is up to scratch. We know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email solution like MailGuard.

Let’s encourage clients to continue making the right choice 

Thankfully, many professionals are recognising and responding to these opportunities. If the pandemic has led to a spike in cybercrime, it also has, according to a survey by Microsoft, led to business leaders actively rethinking their cybersecurity strategies: 58% of business leaders have reported budget increases for security, while human security expertise is at a premium, with more than 80% of companies adding security professionals in response to COVID-19.

Current “insights from security leaders echo many of the best practices that Microsoft has been sharing with customers and working around the clock to help them implement. The bottom line is that the pandemic is clearly accelerating the digital transformation of cyber-security,” says Andrew Conway, General Manager, Microsoft Security.  

This is a cyber silver lining that has emerged from the pandemic. We need to continue encouraging decision makers down this path and remind them, especially in instances where they may feel inundated with an onslaught of depressing cyber news, that if there are greater cyber risks, there is also greater cyber awareness about how to mitigate those risks. Let’s take the opportunity to continue to iterate and refine our customers’ cybersecurity strategies.

Tomorrow when they wake up, it’s likely that they will find out about another “devastating cybersecurity threat” or a ransomware attack disrupting a well-known organisation. They have a choice: They can dismiss it, thinking that this isn’t anything new, or that there are too many & sophisticated threats, and no action needs to be taken.  

Or they can look at the “opportunity” it provides, an opportunity for them to explore what their business could be doing to mitigate the risks of the cyber threat in question. So that when it strikes, they are ready.  

Let’s continue guiding businesses to make the right choice.   

Do you have any other tips or advice for helping businesses and individuals who may be suffering from data breach fatigue? Leave your comments below.  
