What We Think We Become

How serious are the cybersecurity challenges that Malaysia faces? Malaysia reported 4,741 cases of cyber threats last year, while this year, 456 fraud cases were recorded as of February 2023 [1]. A Fortinet survey [2] found that 45% of Malaysian businesses experienced a cybersecurity breach in the past year, and that the average cost of a breach was over US$1 million. The survey also found that there is a significant skills gap in cybersecurity in Malaysia, with only 30% of businesses having the necessary skills to protect themselves from cyberattacks.

According to CyberSecurity Malaysia (CSM) [3], the lack of resources, tools, processes and personnel makes it difficult to establish security operations centres (SOCs) and to gather cyber threat intelligence (CTI) to pre-empt such attacks. The increasing number and sophistication of cyberattacks, combined with the skills gap in cybersecurity, make it difficult for businesses to protect themselves. People are also a major cybersecurity risk, as they can make mistakes that lead to successful attacks. Email remains the top cyberattack vector.

General cybersecurity and policy awareness are important for shifting employees’ compliance attitude towards enhancing reactive capability [4]. Businesses that have a strong focus on cybersecurity and policy awareness are more likely to be able to respond quickly and effectively to cyber attacks.

But the million-dollar question is how? How do we effectively ensure that employees are able to react in a manner that minimises their vulnerability? Traditional methods have always included awareness training and education, building a security culture and so forth. But have these methods produced change at a level of impact that is satisfactory? As of now, humans are still the weakest link [5].

Habituation and Awareness

Habits are a means of conserving energy by bypassing conscious decision-making in familiar situations. This means the choice is, to a certain extent, automatic: autopilot.

The greater the tendency to act habitually, the less receptive one will be to decision-relevant information. For example, many users habitually open email attachments or click on links.

Awareness is the state of being informed about something. It entails having the knowledge and understanding of potential threats and mitigating them.

Attribution of Mental States to Oneself and Others

In the context of cybersecurity, one needs to be able to understand that attackers are trying to exploit one's thoughts, feelings, and beliefs in order to gain access to one's systems.

So how can we be more mindful of the risks?

Oneself

Think about how you use your computer and the internet: are there any habits that could put you at risk? For example, do you click on links in emails from unknown senders? Do you use the same password for multiple accounts?

  • First, we need to be more aware of our habits. When we are more aware, we are more likely to notice when we are clicking on links in phishing emails or downloading attachments from unknown sources.

    • Within us is a storehouse of all our past experiences and knowledge, which is the foundation of our present understanding of matters and influences our thoughts, feelings and actions. This storehouse is constantly changing depending on our perceived experience of the world. We just need to be aware: aware of our vulnerabilities and of how our emotions and feelings can make us susceptible to these threats, and be more critical of the situation we are in.
    • For example, if we are aware when we are checking our email, we may notice that a link in an email looks suspicious. We may also notice that an attachment is from an unknown sender. By being more careful, we can avoid clicking on these links or downloading attachments, which could help to protect us from cyberattacks.
  • Second, when we are more focused, we are less likely to be distracted by our thoughts and emotions, which can lead to us making mistakes.

    • For example, if we are focused when we are working on our computer, we may notice that we are starting to react in a certain manner and be distracted by our thoughts or emotions upon reading the content of the email. We can take a step back and focus on the task at hand, which can help us to objectively rationalise the content that we read, and avoid making seemingly harmless mistakes.
    • We should also be aware of our internal reactions: are they motivated by tendencies of greed, or anger? Are we curious? Are we taking shortcuts? Do we have sufficient knowledge to act in response?
  • Third, if we receive an email that makes us feel angry, scared, or excited, take a step back before responding. We should not react with emotions. If one is not aware and is affected by one's surroundings, then one acts according to those surrounding conditions.

    • What we think affects our inclination. If we think of cybersecurity as important and something that we need to take seriously, and not just the responsibility of the IT department, we are more likely to take the necessary precautions to protect ourselves from cyberattacks. If we have the notion that it will only happen to others, we will be less likely to take that security warning circular seriously.

Others

  • I remember in one SecurityLAH episode early on, one of the hosts commented on the effectiveness of creating awareness among communities by word of mouth.
    • Campaigns will not succeed if there is a lack of understanding of user perspectives, knowledge, attitudes, beliefs and emotions. This is probably why blasting out regular awareness advertisements or banners has limited impact. People can’t remember what they don’t identify with.
    • Tailoring messages to the users’ mental models and preferences enables security campaigns to be more effective.
    • The campaigns must suit users’ current needs, interests and motivations. Different segments of society would require a different tone to increase the appeal, relevance and persuasiveness of the message. If simulations are used, feedback mechanisms should allow for measuring the impact of messages on users’ awareness, understanding and behavioural change.

In summary, strengthening cybersecurity practices begins internally, with oneself. Being aware of oneself, one’s habitual tendencies and vulnerabilities can help us develop safer practices by making us more aware of the risks that we face and the steps that we can take to mitigate them. If we are aware of our own biases, we can be more critical of the information that we encounter. We can also be more mindful of the personal information that we share online, and take steps to protect it.

In addition, we should develop a more secure mindset. When we are aware of our own vulnerabilities, we are less likely to fall victim to cyberattacks. We are also more likely to be proactive in protecting our systems and data. The notion of false belief is important in cybersecurity because it can help to address the factors that influence susceptibility or attribution.

Let’s take some examples of false belief:

  • People share misinformation that supports their view, driven by motivated reasoning or confirmation bias. Cybersecurity campaigns can use these false beliefs to anticipate and counter common misconceptions.
  • False beliefs help to identify gaps or barriers in secure behaviours. Campaigns may leverage these gaps to tailor the message to the mental models and preferences of users.

What about this? Is this a case of false beliefs?

A data breach at Microsoft allowed hackers to steal source code for the company's Exchange email server software. This code could be used to create new exploits that could be used to attack Exchange servers. A vulnerability in the system made it possible for attackers to penetrate corporate networks and emails connected to an MS Exchange server. The hackers were able to exploit false beliefs to gain access to sensitive data. What began as a hack led by Chinese hackers soon gave way to a frenzy from criminal gangs in other countries, including Russia. The hackers exploited the belief that Exchange email server software was a secure product. At least 10 criminal espionage groups have exploited the flaws in the Exchange Server email program worldwide.

With computer systems, a reboot takes care of many things. In cybersecurity, to reboot or not to reboot, that’s no longer the question.

Note:

This article is a spin-off from recently completed research [4] on the importance of awareness in cybersecurity.


References

[1] Bernama, “Malaysia faces increasing cybersecurity threats - Teo,” New Straits Times, March 17, 2023. https://www.nst.com.my/news/nation/2023/03/890120/malaysia-faces-increasing-cybersecurity-threats-teo (accessed May 15, 2023).

[2] D. Azmi, “Malaysia faces escalating cybersecurity breaches and skills gap: Fortinet Survey,” Digital News Asia, May 10, 2023. https://www.digitalnewsasia.com/digital-economy/malaysia-faces-escalating-cybersecurity-breaches-and-skills-gap-fortinet-survey (accessed May 15, 2023).

[3] F. Fisal, “Weak defence keeps Malaysia vulnerable to cyber threats,” Free Malaysia Today, May 14, 2023. https://www.freemalaysiatoday.com/category/highlight/2023/05/14/weak-defence-keeps-malaysia-vulnerable-to-cyber-threats/ (accessed May 15, 2023).

[4] L.-W. Wong, V.-H. Lee, G. W.-H. Tan, K.-B. Ooi, and A. Sohal, “The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities,” International Journal of Information Management, vol. 66, p. 102520, Oct. 2022, doi: https://doi.org/10.1016/j.ijinfomgt.2022.102520.

[5] J. Darmody, “The human firewall: Protecting the weakest link in the chain,” Silicon Republic, Feb 10, 2023. https://www.siliconrepublic.com/enterprise/cybersecurity-human-firewall-cyberattacks-bt-donal-munnelly (accessed May 15, 2023).