PwC focuses on cyber attacks
Behaviourally inspired measures to lower the risk of cyber attacks in your organisation.
Cyber attacks: The invisible threat
PwC is seeing an escalation in the sophistication and impact of cyber attacks across the globe. This, coupled with the fact that organisations need to protect themselves against a plethora of attacks while attackers only require a single vulnerability in an organisation's defences to be successful, is a scary prospect for business leaders charged with the security and sustainability of large organisations.
In PwC's 22nd Annual Global CEO Survey, released in January 2019, cyber threats were identified as the fifth largest threat to global growth, following over-regulation, policy uncertainty, the availability of skills and trade conflicts.1 As companies increasingly embrace digitisation, automation and artificial intelligence, the risk of cyber crime continues to grow.2
The sixth South African edition of PwC's Global Economic Crime and Fraud Survey3, released in 2018, highlighted that 26% of South African organisations expect cyber crime to be the most disruptive type of economic crime over the next two years.
Given the scale of the risk, it is no surprise that an emerging cyber crime insurance industry is growing rapidly too. A 2015 report by PwC suggested this industry could be worth up to USD7.5 billion globally by 2020.4
In South Africa, the cost to members of the public who fell victim to cyber crime in 2017 reached R2.2 billion per annum, according to the South African Banking Risk Information Centre.5 This included incidents of identity theft, online fraud and scareware.
The motive for cyber attacks can broadly be classified in three types:
* Financial gain: Typically carried out by organised crime syndicates or perpetrators seeking financial gain. This will include EFT fraud, ransomware and other forms of attacks. Also included in this category is the theft of intellectual property, personal information and other forms of information that can be monetised.
* Economic, political and/or military advantage: Attackers in this category are essentially governments or nation states and, to some extent, competitors seeking strategic advantage. Targets of interest from a nation state perspective would be trade secrets, sensitive business information, emerging technologies and critical infrastructure, and information that could be used for political advantage. Competitors target strategic business information, intellectual property, sensitive customer or supplier information, among other things.
* Activism: This is often referred to as 'hacktivism' in the cyber world and refers to activists making use of technology to further a political agenda, ideology or to influence social change. Organisations and governments can become targets of hacktivists overnight. As an example, sponsors of the 2014 FIFA World Cup in Brazil were targeted by hacktivists. This was motivated by the fact that many Brazilians did not support the government's decision to host the event. The aim of such hacktivist campaigns is often to make a statement or cause reputational damage.
The proliferation of cyber security insurance mirrors the growing popularity of political risk insurance, with the latter providing insurance in the event of malicious damage to property, or injury and death of personnel, as a result of terrorism, political violence or war. A cyber attack can similarly bring day-to-day business operations to a grinding halt and cause long-term reputational damage. Cyber security insurance, even if costly, is a necessary consideration for companies embracing the fourth industrial revolution.
Organisations need close structural loopholes; higher digital walls alone will not solve the problem. They also need to look inside their walls to lower the risks of cyber attacks, as cyber criminals often target employees and customers who exhibit predictable patterns of behaviour. These modes of attack are referred to as social engineering techniques and coerce or entice users to perform certain actions.
Driving down the risk of a cyber attack, whether financially or politically motivated, not only minimises the risk of significant loss in customer trust and financial losses, but also means companies can lower the cost of cyber security insurance, which is a growing driver of operational cost.
Here is a scenario of how attackers can trick employees into installing malware on their devices: You face another pressured day at the office and receive an e-mail from your company's risk team stating that you have failed to respond to a mandatory staff compliance check. Action is required immediately to avoid disciplinary procedures. A surge of fear and a sense of urgency rushes through you. You click on the link in the e-mail and malware begins to download in the background. You've been hacked. The e-mail was not from your company.
This example could happen to any of us. The methods used by attackers leverage insights into basic human psychology. Your employer, taking on an authoritative position, seems to send you an e-mail. The e-mail deliberately creates a sense of urgency and triggers a powerful lever, fear.
These tactics are understandable through the lens of behavioural economics, a study of decision-making that deciphers behaviour based on our cognitive makeup and rejects the classic economic view of people being rational, self-interested and driven by precise consideration of the relative costs and benefits of their choices.
These are the top three behavioural traps that cyber criminals use, and the behavioural measures organisations can adopt to protect themselves and their employees:
1. Tapping into the power of fear and loss aversion
The tendency to avoid pain and loss is at the core of our genetic makeup, and fear is one of the most powerful levers motivating us to act. It is a perfect tool for cyber criminals.
Whether in the form of an e-mail from our employer informing us that we may be in breach of company policy, or a call from the bank informing us that our online bank account has been compromised and requiring us to share confidential information, such criminal attacks force us to act or to unfortunately face a dangerous and painful outcome.
Since fear and loss-aversion commonly prompt a panicked reaction that leads us into the arms of cyber criminals, organisations can counteract this by reminding their employees to 'stop and think' whenever they receive an e-mail or a call that triggers feelings of fear and panic. Slowing down employees to allow them time to validate the e-mail address of the sender, checking for typos, or for other signals of a scam, can significantly lower the risk of a successful cyber attack.
Furthermore, encouraging employees to check with their colleagues whether they received a similar e-mail or call can also help them not to act on an automatic gut reaction, instead prompting further interrogation of the situation.
Behavioural science suggests salient and frequent reminders, utilising social norming techniques, can help companies instil a sense of calm and scepticism in employees to protect them against cyber criminals' fear-mongering.
2. Leveraging the influence of authorities and social persuasion
The social engineering techniques used by cyber criminals attempt to leverage our willingness to submit to authority and our tendency to trust others' opinion, a phenomenon termed herding. Thus, cyber criminals' efforts to contact employees will generally evoke a superior authority, be it an executive at the company or a government institution. Because we have learned to trust authorities from a young age, we are less likely to question the validity of the request for information if it seems to be coming from a place or person of authority.
In addition to our tendency to submit to authority, we also tend to take behavioural cues from our peers. Looking to others for guidance can be helpful. For example, in a Tanzanian case study led by the Busara Center for Behavioral Economics, participants increased their savings rates by 11% when prompted by the total savings levels of peers who saved more than they did.
However, social persuasion can also cause harm. When cyber criminals pretend they were referred by a colleague or friend, they employ herding tactics to work against the employee's best interests. This method is also used by attackers on social media platforms who gain the trust of people you are connected to by getting you to add them as a contact. In so doing, they automatically become trusted by people you know, allowing them to extend their reach.
To mitigate the risk of cyber attacks, companies can use social persuasion to their benefit by enlisting behaviour champions who visibly exhibit helpful behaviours, such as in relation to having good password habits, or in how best to respond to suspicious e-mails and calls. This form of social proofing can get more employees to follow the champions' leads.
In addition, internal communication initiatives can highlight how the majority of staff follow cyber security best practices. For example, a campaign highlighting that "90% of your colleagues do not click on e-mail attachments sent from unknown sources" can prove an effective method to promote the right behaviours by leveraging the principles of herding.
3. Driving scarcity and urgency
Many of us have encountered phishing e-mails, which attempt to fool us into clicking on a link or opening an attachment that will install malicious software onto our computer, as highlighted in the example above. Such e-mails may illicit a sense of scarcity or urgency, prompting the recipient to act quickly.
While only some of us become victims of phishing e-mails, the fact that criminals can send out thousands of e-mails at once, at no cost to them, remains a productive means for them to gain access to computers. It is often possible to spot a scam e-mail, riddled with bad grammar and spelling mistakes, but the 'in a rush' factor means we might not notice or pay attention to the fact that there are typos or other suspicious mistakes in the e-mail.
We often make poor choices when we are in a hurry. Thus, companies should encourage their employees to consider the possible intentions of any request with a level head. One way to encourage this is to make the risk of scam e-mails more salient.
Organisations are attempting to train users in recognising attacks by conducting phishing and other simulations for employees. These simulations are effectively a cyber 'fire drill'. Based on the work PwC is doing in this area, the company sees simulations targeting three distinct layers of the organisation: Board and executive training, technical IT teams and general users.
Although all the simulations targeted at the different levels of responsibility are aimed at improving awareness and decision-making when dealing with cyber attacks, there are significant differences in terms of the decisions required by each of the groups. During phishing simulations, companies send out e-mails to their employees, presented as normal firm communication, except for a few details that can tip off employees that the e-mail is not legitimate.
Globally, PwC has run simulations for clients, with either board members or executives as a start, and thereafter proceeded to perform simulations aimed at IT teams and end-users, or covering specific aspects required by the organisation. End-user simulations are continuous and take various forms. Phishing simulations are conducted routinely.
In these simulations, when employees click on the link in the e-mail, a message pops up informing them that they have been compromised. Through these exercises, companies can effectively demonstrate to their employees how easy it is for cyber criminals to exploit vulnerabilities, as well as which clues to look out for to avoid falling into this trap.
Reporting channels should also be established for users to report incidents and obtain assistance. This may seem simple, but we find this to be a common gap where users are either not informed or simply don't have an avenue to report suspicious activity. In one instance, a hacker wanted to make an ethical disclosure to a company whose systems were vulnerable and at risk of being compromised. Due to the lack of internal processes to deal with this, he tried to speak to someone within the organisation, but without success and eventually released the information online, causing reputational damage to the organisation.
The way forward
Cyber attackers are focusing efforts on exploiting social, emotional and psychological drivers that influence human behaviours due to the strides organisations are making in implementing stronger technical controls. Organisations can, however, embrace the opportunity to strengthen not only the digital walls that protect them, but also to address the human aspects of cyber security by educating their employees and customers of the dangers as part of their cyber security awareness programmes. By understanding cyber criminals through the lens of behavioural economics, businesses can change their employees' behaviours, ultimately creating a security-conscious culture that assists in reducing their overall cyber security risk.
Authors: Junaid Amra, Director at PwC Forensic Technology Solutions and Cybersecurity, Nina Kirsten, Economist and Genevieve Frydman, Political Risk Analyst at PwC Strategy&
PwC can assist with cyber security awareness through a number of initiatives. These range from implementing behavioural measures to protect organisation and their employees from cyber attacks to conducting interactive cyber crisis workshops with the C-suite. These workshops use a head-to-head strategic simulation, which is based on realistic cyber attack scenarios and enables executives to deal with a cyber attack.