Forget all the motherhood statements about how humans are the most important part of the cyber security puzzle.
For former Australian Signals Directorate and infosec chief turned ANZ bank CISO, Lynwen Connick, a good start to real behavioural change would be the cyber industry just dialling down the FUD.
In a tangible sign that institutions at the forefront of the digital economy are seriously worried about public lethargy towards daily warnings of cyber doom, Connick this week unleashed a stern warning that keeping cyber relevant for everyday people is still a major battle yet to be won.
“Cyber defence fails to ensure security is built into non-security products and experts are often guilty of using complex language which scares people about the dangers of being online without providing simple ways to help people do the right thing,” Connick said on ANZ’s official Blue Notes blog.
“Cyber security can be perceived as being too hard to manage and a drain on people’s time. There can be a general perception cyber incidents only happen to ‘someone else, not me’ or are someone else’s responsibility – which leads to complacency.”
Her observations come as the government, platforms, major vendors including Cisco, and other cyber stakeholders continue to quarrel publicly over the effects of new legislation aimed at giving intelligence agencies and police legal means to circumvent encryption.
While those laws are primarily aimed at maintaining covert access to encrypted communications from terrorists and serious criminals, the potential erosion of security in consumer applications has wide-ranging implications for banks that have largely adopted a mobile transactional footing.
While Connick steered well clear of that public firefight, the ANZ CISO is giving plenty of stick to the notion cyber is so specialised that non-technical business lines can essentially abrogate responsibility.
“It doesn’t necessarily require any in-depth understanding about how a cyber attack would occur or how malicious software could be embedded in the system – that’s not what people need. It’s about knowing it could happen to anyone and what needs to be done to prevent it,” Connick argues.
“It’s not so much specific skills everyone needs to have – it’s about understanding the personal and business impact of security – and the simple steps everyone can all take to improve it. It’s about explaining the issues in ways people can understand.”
Connick does rate simple and clear consumer messaging, especially around phishing, like the Reverse the Threat safety campaign rolled out by the Australian Cyber Security Centre’s ‘Stay Smart Online’ arm.
It takes a good-humoured poke at the perpetual doom industry by hijacking the Black Sabbath End of the End tour meme that played in 2017 by creating a fake online ad replete with phishy tricks.
We’re not sure Messrs Osbourne or Iommi officially approved the government campaign that lists tour dates as Feb 30 to 31, but hey, what’s not to like about the next security conference appearance by either Connick or ACSC chief Alastair MacGibbon being preceded by the opening riffs of Paranoid.