For too long the cyber security world has viewed people as the weakest link and biggest point of vulnerability when it comes to risk. However, during the COVID-19 pandemic we have seen a shift in this mentality — a shift that sees people as the greatest asset or opportunity to provide the first line of defence, supported by enterprises.
At Interac, this has allowed us to build a cyber security program that puts humans at the centre, so that we can continue to keep security at the forefront of our thinking within the organization. This can be a cultural mindset change, and sometimes culture can be the hardest thing to influence in an organization.
Phishing scams remain the most common tactic that fraudsters use to target organizations and individuals. According to digital security firm RSA, 66 per cent of all phishing attacks are directed at Canada.1 Furthermore, Statistics Canada revealed that 42 per cent of Canadians experienced at least one type of cyber security incident since the beginning of the pandemic, including phishing attacks, malware, fraud and hacked accounts.2
People-centric security is not just limited to the end user. It extends to people who configure and secure our environments, as misconfiguration continues to be a common way that vulnerabilities online can be exploited. It also includes the individuals and teams that develop our code to ensure security is part of the life cycle of the systems and applications we implement. This is increasingly important for organizations, given the ever-growing shift to the Cloud and SaaS (Software as a Service) based applications, especially post-COVID-19.
COVID-19 has created a new environment of haste, unfamiliarity, and vulnerability. Consumers are being inundated with new information online. Our latest Interac Cyber Security Study revealed that although 84 per cent of Canadians believe it’s more important now than ever before to understand cyber security risks, fewer than half (44 per cent) are confident they can protect themselves.
It is getting harder and harder to tell the fake from the real online. This raises concerns around consumer behaviour and mindset when it comes to consumers exposing themselves to cyber security risks. Our research concluded that “minimal online activity” (24 per cent) and a “lack of time” (29 per cent) are the leading rationales in Canadians’ lack of cyber security savviness.
Guiding consumer behaviour to protect against cyber security threats
We need to better educate and protect consumers because cyber security threats have become more sophisticated, and we cannot leave consumers unarmed against attackers. However, just as hackers are becoming more advanced in their approaches, so too are the methods we can use to guard against these threats, including back-end infrastructure online. At Interac we realize you can’t rely on end users and employees alone. Organizations have a vital role to play in reducing the volume of potential threats that could come into an environment, and we can help set up consumers and employees for success in avoiding cyber security risks.
The analogy between COVID-19 and the steps Canadians are taking to better prepare and protect themselves from the unknown is similar to the steps they can take to guard against cyber security threats. What can we take from this shift in real-life consumer behaviour and apply to online activity? Before entering a store, consumers are equipped with extra protection from hand sanitizer to face masks. Similar steps of caution should be taken before venturing online or opening unknown emails; consumers should stop, scrutinize and speak up.
The role of a Chief Information Security Officer (CISO) within an organization has expanded in recent years, and this shift has only been accelerated as a result of COVID-19. Organizations must take a risk-based approach to cyber security, determining the best defence mechanisms and how they can introduce them while still allowing consumers to keep transacting easily online. Part of arming or protecting against attacks is understanding how people react to cyber threats — for example, by analyzing which types of phishing scam attempts were most successful.
Cyber security helps Canadian businesses build the digital economy
We know we can not completely eliminate cyber threats, but we can control how we prepare. We need to equip employees so that they can act as a vital first line of defence.
A major aspect of preventing a cyber event is recognition that an attack might happen. From here, you can work your way backwards to ensure that if a cyber attack occurs, your company and employees or customers would be equipped to deal with the attack and would be able to spot the warning signs from an early stage.
When it comes to cyber security, businesses must take a two-pronged approach. First, they must focus on education to prevent the risk of attacks happening in the first place by best arming consumers before going online. Second, they must recognize and accept the reality of human error. People can and will make mistakes. Preparing for those mistakes — so they’ll have minimal impact on the consumer and the business — is critical from an operational and reputational standpoint.
Part of this is shifting people’s thinking about how they perceive security in their day-to-day activities. While it is generally seen as an IT function, security should be everybody’s responsibility. They ought to be conscious of how they interact with data, rather than being complacent and clicking too quickly on a link.
As the pandemic continues, now is the time to protect and prepare consumers as they embark further into an accelerated digital economy. Doing so effectively means adopting a people-centred approach that empowers and supports consumers and employees in their important role as the first line of defence against cyber security attacks.
The Cyber Security Survey is based on a survey of 993 Canadians across the country, conducted September 3 to September 8, 2020.
1 RSA’s Quarterly Fraud Report for Q1, August 2020
2 Statistics Canada’s Canadian Perspectives Survey Series, October 14, 2020