I'm Connie McIntosh, head of security and head of solution security in market area, Moi for Erickson. I look after cybersecurity, information security, operational security, product security, and privacy. And of course, you know that today I'm about to talk to you about how staff are your biggest cybersecurity risk, but also how they can be your first line of defense. All right. Unbelievable. But true. We're gonna look at some statistics here, just to give you an idea. The average office worker yourself included receives 121 emails a day. Now, what about you? Do you get more than that? I know. I probably get double that email, but on average, they're saying 121 business emails a day. Do you check your email headers before opening your emails? Have you opened an email from somebody you don't know? Have you ever clicked on a link directly in an email? Yes, of course you have.
We all have. We know that, but do you know how many decisions on average that a person needs to make a day? You will be blown away? I know I was. I had no idea. This was so high. The average person as stated in a study by psychology today makes around 35,000 decisions. I think that's staggering and a lot. Would you agree? I think you would. So there's a phenomenon called decision fatigue. Just remember that one now I'm sure you know, these names, bill gates, Steve jobs. These are prime examples of people who you recognize and are often seen wearing the same clothes daily. And you might wonder why do they do that? They have billions of dollars. They can afford beautiful clothes, but let's say they understand that making rudimentary decisions such as what clothes you're gonna wear, takes up processing capacity. We have to make 35,000.
We don't want to spend our processing capacity on things like what we are going to wear. They save them for the bigger decisions. So think about some rudimentary decisions that you are having your staff make repeatedly that could be causing decision fatigue. Can we get rid of them? So not only were you asking people on average to open 121 emails a day, but to make decisions on whether to click or not click on links. So as you can guess, people probably click and time and time again, despite whatever awareness program, whatever training you're putting in place, people click John C. Maxwell. He famously put this life is a matter of choices and every choice you make makes you. So let's move on to our second box, which is 95% of all corporate security incidents involve human error, whether deliberate or accidental. Now I didn't make this up.
This is an IBM study and they showed that some common attack vectors include, you know, like viruses, emails, of course, webpages pop up windows, chat messages. And of course deception, all of these methods generally involve programming. So that tells you something, but in a few cases, hardware, and of course deception, and this is where the human operator, the human factor comes in and they're fold into removing weaknesses. You know, they, they are fall into defending against your system by unending it. So they reduce the security by adding a weakness, like clicking on a link or doing something with their admin account when they probably shouldn't be. So remember your employees are focused on the job you hired them to do. And when they're faced with to-do lists, distractions, pressures, you know, they need to get things done quickly. Cognitive loads become really overwhelming. And that's when mistakes happen.
Studies show that people, they make more mistakes when they are stressed, tired, distracted, forced to work extra quickly, or they feel burnt out. Now we've all felt that sometime, but we need to factor that in when we are, you know, processing our loads. So let's move on to the real statistics here. The shocking statistics that I'm gonna show you here. 4.6, 2 million is the us average cost of a ransomware. Now we've heard a lot about ransomware and this all comes from the IBM security report, the 2021 security report. And it found that ransomware and destructive attacks were costlier than any other type of breaches. Now, ransomware costs on average, more than the average data breach. Now just think about this 4.62 million that doesn't include the cost of the ransom payment. What that includes is escalations notifications, lost business and response costs, but it does not include the ransom.
So if we look at the real cost, it's much higher than that. So militia's attacks also that destroy data such as wiper style attacks, they average 4.6, 9 million. What percentage of companies do you think where ransomware was a factor? It was allegedly to be 7.8% in the us. So at some point there's 7.8% organizations had a cyber breach of a ransomware kind, which tells you that across the board, it's likely it fact to hit your organization at some point. So we wanna look at that. Let's move on to our next slide. So with our short-term risks and long-term risks, we need to look at many things, but let me just give you a little bit of, you know, a story before we move on on corporate fishing program that I ran. I'm gonna share a little story about an organization where I worked. I conducted a fishing program to evaluate the potential risk of email compromise by employees of the organization.
I was working for. One unit I tested was the it department. Now you, in theory, think your it department is going to be the hardest ones to fish. How do you think your own it departments? You know, because we tend to think that it, people get security. Have you tried fishing on them? Maybe it's a thought. And I thought it would be pretty tricky. I thought they're gonna spot fishing a mile away. So I decided I'll do two tests two weeks apart. And the very first test I did was a very phishy looking email. So I didn't expect anybody to click on it. But 20% of the email recipients clicked on it. 20% of my it department at that point clicked on it. And I thought, surely not. So I did a second test. I thought I'll try a little harder. It was a spoofed email.
And I thought this one's harder, but I still think they won't click on it. I was so wrong. 65% of people clicked on that email. That was scary to me. But what was worse was that 80% of the people that clicked in the first week clicked again in the second week, despite knowing there was a fishing campaign running. So my test told me that even educated users will click and also there's studies on human factors that despite your education and awareness programs, that social psychology tells you that the human factor contributes and the people have a need to click why you say, well, human nature's considered one of the most affecting factors in the process of fishing. When we look at curiosity and urgency, that's a trigger for people. And most of them respond. There's psychological triggers as well. For instance, if people are under stress, as we said before, they don't necessarily think about the consequences.
And they've shown that everyday stress actually damages the part of the brain that actually controls emotion. So we end up with a weakened control of our emotion. When we're under stress, several studies have also showed an, an association you're gonna love these statistics. I'm sure that younger people, those 18 to 25 are more susceptible to fishing than other age groups, because they're more trusting when it comes to online communication. They're also more, more likely to click on unsolicited emails. This is the one everyone's gonna love. Studies show that women are more susceptible than men to fishing. As they tend to click on links in fishing emails and enter information into fishing websites more than men do. But I have good news for the women and AVAs study showed that men are more susceptible to smartphone malware than women. Well, that's an interesting one. Isn't it wonder why we, we haven't checked the psychology of why men do more on their phones maybe than women.
So what we know here is that for each person, there is a trigger that can be exploited by Fisher Fisher, fishers, even people with high experience like the it department, they do fall prey to fishing. Something about insider threats that I just wanna share with you. And I might just go I'll, I'll go to next slide here. This was the corporate fishing program. When we talk about insider threats, the insider threat, we've gotta consider something and there's this great principle or a, or a statement called Hanlon's razor. And what it means is that never attribute malice to something that can be adequately explained by stupidity. What does that mean in simpler words, that bad things happen. And it's not always because people have bad intentions, but it's because they didn't think it through properly. What I'll tell you in my experience, it is very rare that you'll come across a malicious insider.
In most cases, it'll be the unintentional insider that causes the incident in the same organization where we did fish testing. We actually did root cause analysis on all our incidents and what we found. And, and this might surprise you, 80% of all of our incidents were attributed to human error. Does that surprise anybody body? So what do we say about humans are the weakest link straight out of the words of one of the world's most famous hackers, self announced most famous hacker, Kevin Mitnick. He was once on the FBI's most wanted list for hacking into 40 major corporations. He now uses his knowledge to help organizations as a lot of black hat hackers tend to do. Once they have been caught, they go and then try to do some good, which is wonderful. So he gave a keynote at the data center world in Los Angeles, and he clearly illustrated why people are the weakest link in the security chain.
He's he's also written books on, on this as well. He demonstrated that combinations of hacking and social engineering, which require human factor along with some cutting edge technical exploits used to penetrate client systems had a 100% success rate. That is pretty scary. When you think about it, a hundred percent success rate, if you look at the human factor and 80%, when we talked about, when I in my last organization looked at our root cause analysis. Now you are saying, how do we overcome this? Okay. It's not easy. Let's first look, and we will go to how we can overcome this, but let's first have a look at those short-term and long-term risks, which you got to see a little bit of already. So short-term risks. Of course, you would recognize that when you have a ransomware and we've seen so much of it lately, thanks to solar winds, colonial pipeline, Sony pictures had, there's been so many, it paralyzes your operations.
So you have the cost of that, but you also have your reputational cost. You give threat actors a way to come into your system. Then they're gonna move laterally. Then you'll have instances where they're going to be back doors. And then you've got the, of of course, the risk of theft of your information. Now they might be valuations bids, your intellectual property. And then the cost, of course, the risk of having to go through a full, you know, either a pen test or a forensic investigation, many, many consequences of a breach, but the longterm ones. And they're the ones that the board, your board is going to be interested in. And they're gonna wanna mitigate these risks because of these long term factors. So those are when you're gonna hit regulatory requirements and lawsuits, if you haven't undertaken your due diligence and due care, that is when you're gonna be exposed to either an investigation by the regulators or penalties.
You know, we don't need to talk much here. I'm sure everybody's familiar with GDPR breaches in Europe, they are substantial, and they are something that your company will be very sensitive to. So apart from that, you'll have loss of customers associated impacts on your sales profits. And of course your loss of market share or margins and something very UN difficult to undo is that reputational damage. I mean, solar winds now is renowned and, and how they go forward selling their product, I think will be very tricky, very tricky. So let's have a look at protecting your front line. How do you turn that around? Of course, I just told you that you can't train people to fix this because the human nature is that people will click so good cyber hygiene. That's one area. There is no better cyber hygiene, and I'm watching the time just to make sure I don't run over no better cyber hygiene than the world renowned Australian signals director at top eight, they state that it stops 80% of compromises if put into place.
We'll have a really quick look. I did plan to go into detail in these, but I, I don't have a lot of time. So I'm gonna just go into the topic, the heading, and we can talk about them another time. So their application control, patching applications, configuring Microsoft office, macro settings, user application, hardening restricting admin privileges, patching operating systems, multifactor authentication, and regular backups. So that's, that is the top eight for cyber hygiene. I would suggest you really investigate. And if you can implement, do standards and frameworks, there are so many good standards and frameworks. And I'll just mention a couple. And you're probably already familiar ISO CSF, which is cybersecurity framework missed 853, SOC two CS controls. I also recommend fully understanding the Lockhard Martin stages of attack, you know, being reconnaissance, weaponization delivery, exploitation, installation, command control, and action of objectives now of awareness and training because you cannot ignore it.
You must still do it. The more you do it, the better because it's repetition that really comes in. I'm gonna talk a little bit more when I talk about culture on how we really do this better. So technical controls, those are your cyber hygiene factors along with your others. I have a whole list and I'm happy to share them with you, but right now I'm going to try and finish off on time. So when we talk about the human factor, addressing the human factor, make employees aware of the scale of threats. It's so important that you tell them the things that are happening in your networks, the real things, not, not the, you know, in the stories in the news, the real things you're seeing on your network. They need to be aware of the actual threats, whether they've been realized or not. It's always good to make them aware, make security a topic at every all employee meeting.
So all your employee meetings, people need to understand how they can help defend. So I always say, show them examples of incoming fishing emails, teach them basic cybersecurity. So they know what to look for. Build a security culture. It is so important. Start from the top down. It has to come from the top. If you want to reduce human error, it has to be part of your DNA for your organization, your security culture. There's a number of things you can do around building a culture. Encouraging discussions is always important. Make it part of their day-to-day activity, make it easy for them to ask questions, have people in the units like I call them security heroes, people who are going to spread the word, promote training, someone that can be a security go to for each of your areas, report all incidents that is really important, but it's important that you show employees' results and show them visibility, accountability, and ownership.
Now, how do you do this? So you gotta think about this in design thinking when you are programming or when you are delivering programs around awareness, you have to have the human factor in mind because you know, the unconscious habits that people have in regard of their use of technology, you know, the neuro and behavioral sciences must come in so that you are coming to people and appealing to that part of, of their psyche, the UN you know, the unspoken, the, the habitual use, where they will click without thinking. So build that into your systems. You know, people always take the path of least resistance by nature, and I've given you a good book to read in the references, and it will show you just how that does. So please ensure you harden your systems from the human factor, but teach people to be your security defenders. Thank you so much for joining me in today's session. And I'm happy to date questions now, or email, or look me up on LinkedIn and we can talk more. Thank you so much.
