Last month, the Australian Information Commissioner Angelene Falk publicly blamed the “human factor” for a spike in data breaches.
However, according to one of Australia and New Zealand’s leading cyber security players, blaming employees working from home falls short of telling the whole story.
Speaking to ARN, Gergana Winzer, industry director cyber security for Unisys Asia Pacific, said the region’s weakest links are small- to medium-sized enterprises (SMEs) – which are in turn the most underserved by both governments and the cyber industry as a whole.
"What really is missing for me is understanding that the biggest part of the economy is made of small medium enterprises,” she explained. “They are part of the bigger picture -- perhaps 90 per cent of the economy -- and they are indeed the weakest link.
"If you are running a small-to-medium organisation where you have barely a few people, you can't have them spending so much time to get educated on cyber. You have to come up with policies and procedures and technologies that work.”
While Winzer admits things such as multi-factor authentication and regular password changing are critical, organisations are still left with vulnerable gaps that are easily exploitable by hackers, especially when working in unsecured home or public environments.
As such, Winzer argues that tools combined with education are the key, but many of these are beyond the budgets of many SMEs.
“My personal belief is that the industry has to make this affordable for the SMEs. Some vendors are able to supply this as software-as-a-service (SaaS),” she said. "How can we provide services to SMEs to empower them, but at the same time to make it affordable for them?"
"It's possible: when you think about how expensive it was to have a laptop 15 years ago and how easy it is today. It used to be expensive to have a mobile phone and now today everyone does. So it's the same with [cyber] technology but it is just a question of like putting them on a scale."
One such measure is zero-trust frameworks, under which devices refuse access unless both the network and the person are appropriately authenticated.
“Then the risk decreases dramatically and the idea of the surface of the attack surface becomes lower and smaller,” she explained.
"If someone accesses my network and you have zero-trust technology, the organisation can hide their critical assets so that even if someone comes with a malicious purpose through the VPN or through that Wi-Fi, they cannot detect my particular machine and my applications.
"Even if somebody was to really get to me through a phishing email, and I've clicked on it, even then there is a technology that can stop that particular attack within 11 seconds.”
While securing a Wi-Fi connection is hard, it is much easier for organisations themselves to provide employees with their own secured devices.
To help bring these to the wider Australian business community, Winzer called for the government, security vendors and managed security service providers (MSSPs) to come together to provide both more affordable tools and incentives to adopt them.
“The government has to push a little bit more stringent regulations when it comes down to the SMEs,” she said. "There has to be some sort of incentive to make sure that they can afford to become cyber secure.
"But also, there has to be the cooperation from MSSP providers and the different types of vendors, especially if their audience is all of a sudden incentivised and regulated by default to be more cyber secure. That's why I think it has to be a collaborative effort.”
According to the Office of the Australian Information Commissioner's (OAIC’s) latest report, covering the six months from July to December 2020, 539 Notifiable Data Breaches (NDB) were reported; of those, 33 were targeted at the Australian government itself.
Because of this, Winzer added that now was the time for a “wake up call”.
"Not everyone is a cyber security expert, so we as an industry should be giving employees tools so that they don't even have to think about it, and so it becomes a seamless experience,” she said.
"We need to wake up and basically my call to action is for the technology industry to come together and do things together and change the way we do cyber security, not just for SMEs but enterprises. It's about making it very human-centric, so it eventually becomes a no-brainer."