Cyber security: The cost of the human factor

Electricity transmission tower

The rate of technology adoption in business continues to grow. With more of our systems and information online than ever before, it would be reasonable to assume that there's an exponentially higher risk of cyber attack.

However, one of the biggest risks to an organisation's cyber security, and the most difficult to manage, is not the technology itself, but the human factor when interacting with technology. More specifically, it is human error and attitude, including indifference, lack of awareness or a false sense of security, that are the most concerning.

According to a US study, 63% of small business owners did not believe they were at risk of a cyber attack, yet 50-70% of all ransomware attacks are aimed at small to medium-sized businesses.

Closer to home, the Australian Cyber Security Centre (ACSC), the lead government agency for cyber security in Australia, reported that business email compromise was one of the top cybercrime categories in FY2020–21, with the average loss per "successful" event increasing to more than AU$50,600 – over one-and-a-half times higher than the previous financial year. Human error is the key threat vector when it comes to business email compromise.

In combating the very real threat of a cyber attack, below we explore four ways to minimise human error and change attitudes towards cyber risks.

1. Educate and train your workforce.

Underestimating the risks and consequences of a cyber incident can have significant impacts for an organisation. It is important to educate all employees on the importance of cyber safety, including how to detect suspicious communications and appropriate risk management actions. This can both reduce the likelihood of human error and change attitudes towards cyber risks.

2. Improve communication lines.

Many workplace cyber incidents involving human error can be traced back to absent or insufficient communication. Communicating clearly and frequently about the latest threats and risks, as well as protocols and processes for identifying and responding to incidents, can assist in avoiding a cyber incident. Additionally, it is important to remove barriers to reporting such as clunky processes, or implementing measures to improve psychological safety, to ensure incidents are reported and responded to quickly to minimise exposure.

3. Implement cyber security practices at an individual level.

Organisations can take steps to make it more difficult for hackers to exploit human error. To start, develop safety procedures to prevent or minimise exploitations, such as minimum password standards with alphanumeric requirements and mandated monthly or quarterly password changes; two-factor authentication; regular software updates with the latest security patches; the installation of a VPN, and secure communication platforms.

4. Evaluate your cyber security understanding and outsource if needed.

The ACSC reports that 60% of small to medium businesses rate their understanding of cyber security as "average" or "below average", highlighting significant risks to organisations.

Rapid advancements in technology mean cyber security is becoming an increasingly complex field, and so too are the criminals exploiting system vulnerabilities. Outsourcing to technology and security experts, as well as guarding yourself with cybersecurity insurance, is a proactive way to protect your business today and into the future.

For assistance with reviewing your organisation’s frameworks for minimising and responding to cyber attacks, contact our team of experienced legal experts.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.