Psyber Insecurity

Cyber insecurity presents an imminent threat to all businesses and has the potential to halt company operations and cost billions in recovery. This year alone, companies have witnessed a myriad of cybercrime cases, ranging from ordinary hacks of local businesses to the Colonial Pipeline cyberattack that shut down half the oil supply to the American east coast in May. Cyber-risk has quadrupled since 2002 and tripled since 2013 (The Economist, 2021). Ransomware costs businesses more than $75 billion per year. Furthermore, with the transition to remote operations during COVID-19, cyber threats to businesses have soared, with approximately a 600% surge in cybercrime during the pandemic (PurpleSec, 2021).

However, protecting our data from cyber-attacks is nothing new: everyone knows hackers are always on the lookout for our personal information. It therefore comes as a surprise that most victim companies adopt a reactive rather than a proactive approach to cyber-attacks, when cyber security for a business may be as simple as setting up two-factor authentication for work emails. Often, such routine steps may be enough to protect a company’s valuable data. In the case of Colonial Pipeline, the company had skipped out on even basic precautions before the attack. The hurdle for any business to cross, then, is realizing that just because something has been working fine all along does not mean it will continue to do so in the future.

Psychological assessments aptly indicate that human behaviour is at the crux of cyber-attacks. Hackers attack more than the laptops and firewalls of a company. They attack individual biases and cognitive vulnerabilities to gain access to secured data (Michel, 2017). It is the exploitation of our cognitive weaknesses rather than complex technology that makes these attacks harder to combat. In 2015, it was estimated that the security industry would have sold more than $60 billion worth of security products, which, in practical terms, had no possibility of ever living up to the overly assuring claims made by sellers (Crosby, 2015). Yet, companies continue to squander funds on such hopeless defence mechanisms. This year alone, US companies spent an average of $2.4 million on cyber defence (PurpleSec, 2021). Several psychological factors come into play when defending one’s business from cyberattacks. One commonly witnesses social influence leading to behavioural changes in response to cyber threats. Often, a herd mentality amongst companies in similar industries promptly emerges after an attack. The basic instinct to suddenly back up your data after hearing that your friend lost all their files to a virus attack can be applied to businesses as well.

However, despite the conspicuous threat brought forth by cyberattacks, coupled with the universal understanding amongst companies that such threats exist, companies have generally been lukewarm about strengthening their cyber security. While companies continue to spend millions on defence software, they make no provisions to nip the problem in the bud. Long-term, robust cyber security emerges from a company-wide security culture. A 2019 survey of 509 small and medium-sized business leaders conducted by Keeper Security, a password management organisation, provides insight into the paradox of this cyber security culture. Their study showed that 66% of business leaders thought that a cyber-attack on their organization was unlikely, while 60% reported that they did not have a cyberattack prevention plan in place. 18% even ranked cyber security as their lowest priority. However, in 2018, 67% of such small and medium-sized businesses had been victims of cyberattacks, while 57% had witnessed a data breach (Vizard, 2019). In such a case, improving cyber security becomes an issue of changing one’s mindset rather than having adequate resources and funds to protect one’s data.

Developing a company culture that fosters security has far greater potential to improve the condition than implementing stringent IT policies. What makes cybercrime pernicious is often simple tactics of deception and manipulation rather than an intricate breach of security. A common phenomenon experienced by several employees is social engineering, which refers to “the psychological manipulation of people into performing actions or divulging confidential information” (PurpleSec, 2021). In 2016, an employee at Mattel received a seemingly innocuous email from CEO Christopher Sinclair asking to transfer $3 million to a Chinese vendor, which he promptly did. Unfortunately, the employee had become a victim of the famous “fake CEO scam”, which costs businesses millions every year. In 2021, statistics showed that new employees were the most susceptible to such socially engineered attacks, with 60% of IT professionals citing recent hires as being at high risk (PurpleSec, 2021).

The harsh reality is that the implications of cyber insecurity extend far beyond the operations of an individual company. Fear of cyber-attacks can potentially prevent the digitisation of various industries that would, as a result, impede a revolution that could increase standards of living across the globe. An important example to consider is the internet of things (IoT). A ground-breaking innovation such as IoT has achieved milestones in ensuring better healthcare through improved monitoring and proactive treatments for individual patients. However, with the growing risks of cybercrime, potential advancements can be significantly hampered as consumers become more reluctant to share their personal information. 

The Health Service Executive ransomware attack on hospitals in Ireland resulted in a nationwide shutdown of hospital IT operations; critical patients were unable to receive medical attention until the staff had no choice but to adopt pen and paper to process their treatments.

One of the major deterrents in advancing cyber security is the secrecy and shame associated with cyber-attacks. While firms are reluctant to admit a fault in their system, their employees are inclined to hide personal instances of cyber-attack experienced at the workplace. A common misconception is that removing a virus removes the malware altogether from the device. In most cases, the malware gets embedded into the software, reappearing months or even years later, with glaringly worse consequences. 

To combat this culture of secrecy surrounding cyber-attacks, companies should aim to instil a work culture of transparency and security. A study by Das et al. targeted 50,000 Facebook users to understand how social influence encourages individuals to undertake cyber security measures (Michel, 2017). They concluded that people were more likely to adopt security norms if there was higher observability of such adoption. For instance, if individuals knew that several of their Facebook friends had secured their devices using the suggested security measures, they were more likely to do so as well. A similar manoeuvre in the workplace may go a long way in crossing this hurdle of cyber insecurity plaguing businesses around the globe.

Author: Jahnavi Jaipuriyar, SYBA

References

Crosby, S. (2015, August 28). The Psychology of Insecurity. TechCrunch. Retrieved December 5, 2021, from https://techcrunch.com/2015/08/27/the-psychology-of-insecurity/

The Economist. (2021, June 19). Broadbandits – The new age of cyber-attacks could have huge economic costs. The Economist. Retrieved December 5, 2021, from https://www.economist.com/leaders/2021/06/19/to-stop-the-ransomware-pandemic-start-with-the-basics

Michel, A. (2017, October 31). Psyber Security: Thwarting Hackers with Behavioral Science – Association for Psychological Science. Association for Psychological Science. Retrieved December 5, 2021, from https://www.psychologicalscience.org/observer/psyber-security-thwarting-hackers-with-behavioral-science

PurpleSec. (2021). 2021 Cyber Security Statistics: The Ultimate List Of Stats, Data & Trends. PurpleSec. Retrieved December 5, 2021, from https://purplesec.us/resources/cyber-security-statistics/

Sheils, M. (2021, September 5). HSE cyber-attack: Irish health service still recovering months after hack. BBC. https://www.bbc.com/news/world-europe-58413448

Vizard, M. (2019, September 30). Herd mentality dominates cybersecurity thinking among potential SMB prey. Barracuda. Retrieved December 5, 2021, from https://blog.barracuda.com/2019/09/30/herd-mentality-dominates-cybersecurity-thinking-among-potential-smb-prey/
