As retail becomes more enabled by digital ecosystems, cybersecurity threats become more pronounced. To understand the complexities of these threats, we must look beyond the technicalities and delve into the human motivations behind them.
Jason Robertson, the ARA’s Director of Policy, Sustainability and Impact, opened up a crucial conversation about the human factors behind cyber threats. Joined by Cyber Sociologist, Kylie Watson, they unpacked the psychology of cyber criminals and what is leading criminals to your business.
Watch the interview in full and read more insights below:
Kylie Watson, a cyber sociologist with an extensive background in cybersecurity, has a unique blend of technical knowledge and sociological insight. She categorised cyber attackers into four main groups:
- Espionage & Nation States: This group, driven by political motives, accounts for only 5% of cyber-attacks in Australia.
- Cyber-criminal Groups: Predominantly targeting the retail sector, their primary motive is financial gain. About 95% of attacks on the retail sector come from this group.
- Hacktivists: Motivated by political disagreements or causes, they aim to make a statement rather than to profit. Hacktivism is only a small component of the cyber risk facing the retail sector.
- Saboteurs: These can be disgruntled insiders or outsiders aiming to disrupt, often motivated by personal vendettas or gains.
Theories Behind the Motive
Kylie touched upon two primary sociological theories that help explain cyber-criminal behaviour:
1. Anonymisation: A digitised world allows people to take on different personas, often very distinct from their real-life identity. This detachment can lead individuals to act in ways they would not in their everyday lives.
2. Anomie or Social Strain Theory: This theory suggests that when individuals feel they can’t achieve societal expectations through legitimate means, they might resort to illegitimate paths.
The Increasing Threat of Cyber Attacks in Retail
Recent data from the Australian Cyber Security Centre shows that the retail sector is rapidly becoming a prime target, trailing only behind financial services and healthcare. But why is this the case?
The digital transformation of the retail industry has brought about numerous benefits, such as efficient inventory management, enhanced customer experience, and expanded reach. However, with these advancements, the sector has also become a lucrative target for cyber-criminals: 24% of cyber-attacks in Australia are aimed at the retail sector. This statistic is alarming, especially given that it reflects an increase from the previous year.
The primary reason for this surge is the perception that retailers are “easy targets”. For example, 48% of organisations lack a comprehensive ransomware policy, and this lack of preparedness leaves them vulnerable. Case in point: two large establishments in the US, Caesars and MGM, recently faced ransomware attacks. While Caesars quickly came back online after paying the ransom, MGM incurred a loss of $100 million in its efforts to restore its systems.
This is not to endorse paying ransoms. Kylie underscores that doing so is neither ethical nor, potentially, legal. However, when facing the dilemma of impending business collapse versus paying the ransom, many retailers are left with a complex decision.
Cyber-criminals operate according to ‘Rational Choice Theory’: they weigh the risks against the benefits. If the benefits of attacking a retail business outweigh the potential risks, they are more likely to proceed. Given the vast amounts of financial and payment data retailers hold, and their sometimes insufficient security measures, retail becomes an alluring sector for them.
However, bigger retail chains, with their more mature cyber security protocols, are tougher nuts to crack. This makes small-to-medium businesses (SMBs) the low-hanging fruit: they often lack sophisticated security controls, leaving them increasingly vulnerable.
Who Are These Cyber Criminals?
Shedding light on the typical cyber-criminal profile, Kylie noted some common characteristics, though cautioning against overly stereotyping. Surprisingly, about 30% of these criminals are women, debunking the commonly held belief of it being a predominantly male field. Many are young, tech-savvy individuals who spend a significant amount of their time online. A considerable percentage of them are single, living with their parents, and have a penchant for online shopping and/or gaming.
But it is crucial to recognise that cyber-crime, in many instances, is a group activity. Over 50% of convicted cases in the US involved members of organised criminal groups. This group dynamic bears similarities to traditional street gangs or mafia structures, with a hierarchy, specific roles, and even initiation rituals.
The concluding segment of the interview turns to the human behaviours and tendencies that cyber-criminals exploit, especially in the retail sector. Kylie elaborated on the many strategies these attackers employ to gain a foothold in retail systems.
- Data Collection and Targeting: cyber-criminals meticulously gather data over a span of time, observing where a company’s most guarded information resides, often referred to as the “crown jewels”. They may access seemingly innocuous data but use this as a stepping stone to breach deeper layers of information, leading to substantial financial gains.
- Predatory Behaviours: criminals often target the vulnerable, seeking out organisations or individuals who are easier to exploit. This might include start-ups, or individuals approached through manipulative social engineering tactics. The lesson for everyone is to always verify and authenticate any request for personal or sensitive data before acting on it.
- Exploitation via Social Media and Contact Centres: hackers use information gleaned from social media to deceive. A seemingly innocent post about a recent purchase can become a door for exploitation if the poster is not cautious. Contact centres are also rich pickings in terms of personal data.
- Retail’s Trust Dilemma: the inherent ethos of retail emphasises trust and the age-old mantra that “the customer is always right”. This can sometimes create a challenging dynamic where security might take a backseat in the interest of keeping customers satisfied. A need for balance was highlighted, where businesses can both safeguard their interests and maintain trust with their consumers.
- Supply Chain Risks: the risks associated with supply chains are often overlooked. From sensors and chips that send unauthorised data to unsecured repair processes, retailers need to be more vigilant than ever. The challenge lies in embedding robust cyber security measures without disrupting long-standing business relationships.
- The Human Firewall: beyond the technology and systems in place, people are the first line of defence against cyber threats. Emphasis was placed on training and educating employees to recognise and respond to anomalies, be it phishing scams, irregular access requests, or disgruntled colleagues. Proper access management is also paramount, ensuring individuals have access only to the information pertinent to their roles.
While retailers invest billions into safeguarding their systems, the evolving strategies of cyber-criminals necessitate a proactive, human-centric approach to cyber security. The industry’s challenge lies in fostering an environment where customer service thrives alongside rigorous data protection measures.