Government, in concert with the private sector, must provide education and resources that enable all citizens to protect their identities and data, writes Patrick Butler.

The Federal Government has set an audacious goal. It wants Australia to be the world’s most cyber secure nation by 2030. Importantly, it recognises that attaining this goal needs more than just policy framework, business compliance and legislation. It will take governments, businesses and the community working together.

While cybercrime might have a strongly technical element, social engineering – the manipulation of human behaviour to achieve a goal – has become the most critical weapon in the threat actor’s armoury. By coercing and convincing people to hand over valuable information, criminals can log in systems, steal money and access valuable data. 

AI making manipulation easier

It has been said that people are the weakest link when it comes to cybersecurity. But this is not true. It stems from a perception that people make mistakes and are easily fooled into clicking suspicious links, downloading content from untrusted sources along or using the same weak password across many different sites.

But today’s cybercriminals are extremely well-skilled at manipulating behaviour. And the emergence of generative AI tools enables cyber criminals to craft more convincing messages. This means everyone is at risk of being convinced to make a mistake that could lead to the misuse or theft of important information. 

Rather than being our weakest link, people are our first line of defence against cybercriminals. And supporting people – from our youngest students through to our most senior citizens – can make a significant difference to our nation’s cyber defence capability. Government, in concert with the private sector, can provide education and resources that enable all citizens to protect their identities and data. 

Combatting the scam text message

A good example of how this works is with scam text messages. The mobile network operators in Australia have blocked close to a billion scam text messages over the last couple of years. And education programs run by our banks, telecommunications companies, utilities and other businesses have resulted in greater awareness of how to identify the messages that get past the carriers. Partnering with government, they have protected millions of people from scammers. 

The theft and misuse of user credentials remains the most effective tool used by cybercriminals. Every significant security report has found that credential theft is often the starting point for the majority of cyberattacks. After all, why break through a wall when you can simply open the door. But this becomes much harder for criminals if multifactor authentication (MFA) is used. MFA means that a stolen or compromised password, on its own, is not enough information for a threat actor to access systems and data.   

When people walk down the street, they often have a ‘sixth sense’ about whether they are walking towards a potentially risky situation. This is because thousands or years of evolution have trained us to recognise and protect ourselves from potential hazards. When something doesn’t look or feel quite right, we assume a protective mindset.  

Effective security awareness training and the development of a cyber-aware culture helps people to recognise and act appropriately when they see something that could be an indication that a criminal is trying to manipulate them or trick them into revealing sensitive information.

Targeted risk-based approach

While traditional cybersecurity training has been focussed on compliance, an effective security awareness program takes a risk-based approach that is designed for specific users or groups of users. 

For example, the risks faced by the accounts team are different to those encountered by the human resources or technology teams. Instead of adopting a ‘one size fits all’ approach, by creating training and awareness programs that meet specific needs, people can be empowered to identify and react to potential threats.  

The public and private sector can work together to support cybersecurity education programs.

While large enterprises are often able to fund their own cybersecurity awareness and education programs, the government can use its resources to reach small to medium businesses and provide them with resources.

This sector, as well as being crucial to the Australian economy, can be the most challenging to access. And government agencies can use their regular contact with citizens to raise awareness of new scams and attacks to ensure the broader public is prepared.  

The Federal Government’s objective to make Australia the world’s most cyber-secure nation cannot be achieved by taking a technology-led approach.

Successful defence against cyberattack relies on having people who are equipped with the right tools, such as MFA, and training to help them identify and react to potential threats.

Rather than being seen as a weakness, people can become our most powerful tool against cybercriminals.   

*Patrick Butler is Managing Partner for Managed Services at Tesserent

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter