YOU are the weakest link: where are we going wrong with cyber security in Australia?

There is no doubt that the threat of cyber crime is on the rise, and the Australian Cyber Security Centre's 2016 Threat Report indicates that whilst the complexity, extent and impact of attacks are evolving, their underlying nature is not that different from previous years. Spear phishing, ransomware, web seeding and malware are still the tools of choice for attackers.

The report highlights a range of instances where government agencies have assisted organisations to respond to cyber threats and incidents. Some have remarked that the threat report contains nothing new; that observation is itself interesting for what it says about cyber attacks in Australia.

The report says the ‘initial foothold’ is typically gained by a phishing email carrying a malicious file or link. Once inside the business perimeter, the attacker embeds themselves before getting down to the real dirty work of exfiltration.
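To make that chain concrete for a defender, here is an added example (not from the ACSC report or the original article) of detection logic run over constructed endpoint log lines: it flags an Office application spawning a script interpreter (the phishing foothold), a Run-key persistence entry (the attacker embedding themselves) and an unusually large outbound transfer (exfiltration), then correlates the stages per host. The log format, host names, thresholds and sample lines are all assumptions made for this example, not any vendor's telemetry.

```python
"""Stage detector for the phishing -> foothold -> persistence -> exfiltration
chain. Added example; all telemetry below is constructed, not real data."""
import re
from collections import defaultdict

# Constructed sample telemetry. Assumed layout: <time> <host> <event_type> key=value ...
SAMPLE_LOG = """\
09:01:12 WS-042 proc parent=outlook.exe child=winword.exe user=jsmith
09:01:40 WS-042 proc parent=winword.exe child=powershell.exe user=jsmith cmd=-enc_aGVsbG8
09:02:05 WS-042 persist key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=updater.exe
09:15:33 WS-042 net dst=203.0.113.7:443 bytes_out=52428800
09:20:00 WS-019 proc parent=explorer.exe child=chrome.exe user=akhan
09:21:10 WS-019 net dst=198.51.100.5:443 bytes_out=4096
"""

# Document-handling applications that should rarely spawn an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Outbound volume above which a single connection is treated as suspect (assumed threshold).
EXFIL_BYTES = 10 * 1024 * 1024

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<host>\S+)\s+(?P<etype>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Split one log line into host, event type and a dict of key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"time": m.group("time"), "host": m.group("host"),
            "etype": m.group("etype"), "fields": fields}


def detect_chain(log_text):
    """Return {host: [stage, ...]} listing chain stages in the order observed."""
    stages = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        host, f = ev["host"], ev["fields"]
        if (ev["etype"] == "proc" and f.get("parent") in OFFICE_PARENTS
                and f.get("child") in INTERPRETERS):
            stages[host].append("foothold")        # document app launched an interpreter
        elif ev["etype"] == "persist" and "\\CurrentVersion\\Run" in f.get("key", ""):
            stages[host].append("persistence")     # autorun entry written
        elif ev["etype"] == "net" and int(f.get("bytes_out", 0)) >= EXFIL_BYTES:
            stages[host].append("exfiltration")    # large outbound transfer
    return dict(stages)


def hosts_to_escalate(log_text):
    """Hosts where a foothold is followed by persistence or exfiltration.
    A lone foothold alert is worth a look; the full chain is an incident."""
    escalate = []
    for host, seen in detect_chain(log_text).items():
        if "foothold" not in seen:
            continue
        later = set(seen[seen.index("foothold") + 1:])
        if later & {"persistence", "exfiltration"}:
            escalate.append(host)
    return sorted(escalate)


if __name__ == "__main__":
    for host, seen in detect_chain(SAMPLE_LOG).items():
        print(host, "->", " -> ".join(seen))
    print("escalate:", hosts_to_escalate(SAMPLE_LOG))
```

The point of correlating by host rather than alerting on each line is that the first event (Word spawning PowerShell) is exactly the moment the phished user has already done their part; everything after it is the attacker's, and that is what the escalation rule keys on.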

If you have been around the security industry for a while, none of this will be news to you. Whilst the attack tooling, extent of reach, damage done and costs of remediation continue to spiral ever upward, it does beg the question: what are we missing?

I agree that the report provides an important contribution to Australia’s cyber security posture, but I also note that the response thus far has come from the technical community, which is indicative of our continued iron grip on thinking of cyber attacks as a technical problem that must have a technical solution. Tighter security and access controls and activity monitoring are the backbone of IT security systems, but what about the greatest weakness? What about that unfailing constant throughout our security history, the human element?


Who would have thought that the words host Cornelia Frances uttered to strike terror into the hearts of game show contestants in 2001 and 2002 would apply to modern day cyber warfare? Whether unintentional or malicious, people are inherently the weak link in the cyber security chain. The most secure ring-fencing cannot protect against human nature.

At its most basic, those who have access are targeted by those who would exploit that access. All the money spent on firewalls, encryption and other proactive security measures can be nullified by the actions of an insider who opens the door to an attack. The types of attacks described in the ACSC report are all aimed at you: you are the weakest link.

Combined with social engineering, these types of attacks are potent weapons on the cyber battleground. In one recent example, a staff member received an email containing false information, backed by a supporting telephone call, and the result was a healthy pay day for the attackers. The employee simply overlooked the fact that they had received the call rather than initiated it. Regardless, the ‘verification’ of the information proceeded and the door was opened to a significant funds transfer. The check that stops this is a call-back to a number already held on file, never to a number supplied in the request itself. This scenario is not uncommon.

Without a robust ‘Insider Threat’ plan that engenders a cultural change toward cyber security, we are destined to keep leaving the door open for attackers. The heart of such a program relies on understanding:

  • the electronic landscape of your organisation;
  • the threat to your organisation;
  • the response and understanding of the threat by your people.

Cyber security is not just an IT problem; it is also a people problem. It is not about blame; it is about empowering staff with the knowledge and framework to identify a potential threat and take action. Most importantly, it needs understanding and support from the top of the organisation, to take control away from the hackers and embed it in the hierarchy.

Stan Gallo


One thought on “YOU are the weakest link: where are we going wrong with cyber security in Australia?”

  1. Emeritus Professor Bill Caelli

    It really is time to stop blaming the victim – the non-expert IT system user!
    By 1983 the “Orange Book”, USA’s Trusted Computer Systems Evaluation Criteria, gave us the specification for an Internet connected world of today with its definition of what became known as “B2” systems – simply, those that provide “mandatory access control (MAC)” for the server/client system that simply defines a task/process “profile” that is fully administered and controlled – no “admin user” privileges and so on as in the obsolete mainframe era “discretionary access control (DAC)” systems we are now using. This all became standardised under the internationally accepted “Common Criteria” (International Standard IS15408), an arrangement in which Australia participates.

    Today, we have RedHat 7 with SELinux activated which meets this environment of today!! YES – with REAL cybersecurity in the base IT structures, computer hardware and operating system, those simple phishing emails with associated programs just will not get activated.

    Time to blame the ICT industry itself but, more importantly, a total disinterest by government and legislators worldwide to do anything about cybersecurity at the manufacturer/supplier levels – easier to blame the poor old, non-expert user! A TOTALLY UNBALANCED APPROACH!
    IMAGINE – buying a car that did not meet or exceed the normal Australian Motor Vehicle Standards Act! And remember – cybersecurity has never been market led – as seen by many KPMG reports over the years and as often stated by the father of cybersecurity, the late Dr Willis Ware of RAND Corp in the USA. Safety and security MUST be government led, e.g. smoke alarms in houses, seat belts in cars, fire extinguishers in offices, and on and on.

    Time to look closely at the ICT industry itself and the role of government in mandating cybersecurity at manufacture and delivery time.
    NO – cybersecurity starts at procurement time – not later – not by blaming the user!
