Most directors now accept that cybercrime requires board-level oversight – though some still think of it in terms of technology rather than a whole-of-business risk.
“Cybersecurity is a matter of organisational culture,” says Guy Coles, sales director at Privasec Governance and Information Security Partners.
“In the majority of cases the bad guys get in because an employee made a mistake. The information technology (IT) department can have no control over that.”
Boards may also maintain too narrow a focus. “Breaches of customer data are the stories that make the news – we’ve all heard about Target, Sony and Yahoo,” says Cameron Abbott, partner at global law firm K&L Gates.
“The threat posed by ransomware can be overlooked because it’s much easier to keep these attacks out of the media. Yet, when I talk to my colleagues around the world, we all share the opinion that ransomware is actually a bigger threat, particularly to mid-sized and smaller companies.”
Ransomware can be activated by a single click on a link in an authentic-looking email. It then blocks access to a company’s computer systems until a ransom is paid.
“Because it’s rarely reported we don’t have an accurate picture of how companies respond,” says Abbott. “The evidence we do have suggests that those who can afford to rebuild the systems are less likely to pay a ransom. Though when paying is temptingly cheap by comparison, it’s not an easy decision. There are a few instances where we know organisations have paid because the information had to be made public – for example, a medical institute in the US. Either way, an attack could do serious harm to the business.”
The importance of culture
The first line of defence is technical – finding ways to stop the emails from getting through or preventing the attachments from activating. But this will always be a race to keep up with increasingly sophisticated methods of attack.
“That’s why well-organised companies maintain high levels of awareness among their employees and warn them whenever there’s a new wave of convincing-looking emails,” says Abbott. “They also provide an easy way for employees to report anything suspicious without fear of being criticised for wasting someone’s time.”
Staff should also be encouraged to own up to a mistake. “The sooner you react to an event, the more you can do to reduce the impact,” says Coles. “If employees are scared to tell someone they clicked on a suspicious link, the consequences could be unnecessarily dire.”
Abbott recommends that cybersecurity education begins with the induction process and continues through regular updates and reminders. “You want all of your employees to be thinking about it at multiple levels,” says Abbott. “For example, as well as looking out for fake emails, are they collecting and storing information in compliant and appropriate ways? Obviously there are a lot of other things that employees need to keep front of mind but, with cybersecurity, the stakes are high if they get it wrong.”
The dangers of being connected
The proliferation of devices that can be connected to the internet is creating more security headaches.
“It’s no longer just the cloud that’s the issue,” says Tessa Court, chief executive officer at IntelligenceBank, an Australian board portal and risk and compliance software provider. “Alarm systems, point of sale terminals, air-conditioning systems, wearables, bring your own device (BYOD) policies, supply chain connectivity – the so-called Internet of Things (IoT) is creating an extremely complex network to manage from a risk perspective.”
Last year saw the first serious events involving connected devices. “I’m concerned that the rush to get things connected to the internet may have run ahead of security,” says Abbott. “People trying to hack into a connected system only need to find one point of vulnerability and, as a lot of connected ‘things’ aren’t protected by robust security, there’s an opportunity to apply a great deal of processing power to evil ends. If your company is producing something that can be connected to the internet, you’ve got to turn your mind to how it’s going to be kept secure.”
Botnets – networks of private computers infected with malicious software – let criminals remotely control those machines as a single coordinated group. Also known as a zombie army, a botnet can be used to spread viruses, generate spam and commit other types of online crime and fraud. Machine learning and artificial intelligence (AI) are also emerging as critical technologies on both sides of the security equation.
“More hackers will use AI to uncover vulnerabilities on a massive scale,” says Court. “At the same time, companies will be able to use machine-learning technologies to detect unauthorised intrusion attempts very quickly.”
Holograms in the brain
Anuja Rao GAICD, managing director of Select 3D, a 3D printing business, predicts that cyber-threats will soon extend to the human brain and body. “Medical scanning techniques are being developed that can trace human behaviour, thought patterns and processes,” she says. “The body works on electrical impulses and if these signals can be amplified and intercepted, there is potential for cybersecurity breach and cyberbullying.”
An application of Microsoft’s HoloLens, which is already in research, can project holograms into the brain. “This technology could replace conventional software on a mobile or laptop in business decision-making and scenario or risk planning,” says Rao.
“The combination of HoloLens and virtual reality/augmented reality software would present many challenges to board members. For example, the quality of augmented reality can be so high that it’s difficult to detect the difference between actual corporate content and content that has been introduced intentionally to mislead decision-makers or to influence a director’s ability to demonstrate independent thinking.”
Directors can only ask the right questions about cyber-risk if they’re aware of the latest technologies.
“That doesn’t mean they need deep technical knowledge but they do need to understand broad trends,” says Court.
Applying best practice
Cybersecurity is a complex issue that demands best practice from the boardroom down. “Top performing boards have a process for cyber-risk management, not just a checklist or a spreadsheet,” says Court.
Regular, scheduled system checks are a good starting point, but systems must also be checked after a change. “Several of the clients we have worked with recently have kicked own goals in this respect,” says Abbott. “For example, one company had set up a new environment and copied across their files but didn’t check whether the security files had copied across properly. They hadn’t. The company suddenly had a development environment sitting in the cloud with nothing to protect it. Even if it’s your policy to test every six months, five and a half months is much too long to run the risk that information is exposed.”
Court recommends monthly internal audits of the internal and external systems that host business-critical information, with third-party penetration testing audits at least once a year. Coles agrees that external audits should be part of an organisation’s culture.
“The IT department shouldn’t see this as implied criticism or lack of trust,” says Coles. “External auditors live and breathe cybersecurity so they can very quickly identify, itemise and prioritise the kinds of weaknesses that can easily be overlooked by someone who is very familiar with the environment.”
Suppliers must also be committed to the same high levels of security. “If I want to get strategic or critical information out of a major bank, I’m not going to hit them directly,” says Coles. “I’ll hit someone like their lawyers or contractors because it’s likely to be much, much easier.”
A cross-functional board committee can ensure that the spotlight remains trained on security and, once again, an independent presence can be of value. “An external expert can advise on new types of threats and ensure that the risk register and associated controls are relevant and up to date,” says Court.
Planning to respond
A breach plan is fundamental to cybersecurity, and public relations activity plays a crucial role. “According to a recent IBM study, the average breach costs approximately $4 million and this figure is rising by 5 per cent year on year,” says Court.
“Data breaches do adversely affect consumer confidence and short term sales but, statistically speaking, when companies call in experts to help handle the crisis and communicate clearly and honestly with the public, their share prices bounce back in about a year.”
She suggests a nine-step preparation and recovery process.
- Establish an incident response team that includes public relations specialists.
- Identify a panel of independent cybersecurity and forensic experts that you can call on quickly in a crisis.
- Stop the breach as soon as possible.
- Secure evidence.
- Document the breach.
- Involve law enforcement agencies.
- Determine corporate legal and contractual obligations.
- Change security access levels as required.
- Continually communicate to all affected stakeholders.
Court highlights that it’s important to be ready for the media. “It’s a very good idea to prepare a press release and have it cleared by the legal department so you won’t be on the back foot if something goes wrong,” says Coles. “This will be even more important when the impending mandatory disclosure legislation comes into effect.”
Mandatory reporting on the way
After a couple of false starts, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed through the Senate on 13 February. When it takes effect, most organisations will be obliged to report an eligible data breach.
“For a breach to be deemed eligible, it must involve the loss of, unauthorised access to, or unauthorised disclosure of personal information and a reasonable person must conclude that this is likely to cause serious harm to the people affected,” says Steven Klimt, a partner at Clayton Utz.
When an organisation believes that such an event has occurred it will need to act quickly. “The company will generally have 30 days to prepare a statement with details of the breach for the Australian Information Commission (AIC),” says Klimt. “It must then generally notify everyone who could be affected or, if this is not possible, do its best to make the contents of the statement public.”
The legislation will apply to all companies bound by the Privacy Act 1988, credit reporting bodies, credit providers and file number recipients. In effect, the only companies not affected will be those with a turnover of less than $3 million that aren’t in the business of collecting or storing data.
“I think the legislation will play a positive role in heightening awareness of privacy and data security,” says Klimt. “And, as reputational damage is one of the major risks boards need to manage, it could encourage directors to focus on ways of avoiding an event that would lead to mandatory disclosure.”
There are several things a board can do now to prepare.
“Directors need to familiarise themselves with the legislation,” says Klimt. “It would also be a good idea for them to read the current Office of the Australian Information Commissioner (OAIC) data breach guidelines, which are likely to remain fundamentally the same when notification becomes mandatory rather than voluntary. And a response plan is vital.”
A growing insurance market
In some jurisdictions, breach response plans include insurance for people whose online data has been exposed. “The company provides cover for its entire database of customers for a period of time in case the information is used in a nefarious way,” says Abbott. “This is a positive way to respond and a relatively inexpensive way to help protect the brand.”
The prospect of mandatory disclosure could drive greater take-up of insurance cover for breach-related costs not covered by existing policies.
“Cyber insurance can provide both indemnity and liability cover,” says Meena Wahi MAICD, a cyber insurance specialist at Cyber Data Risk Managers. “It indemnifies the business for costs incurred as a result of the cyber-incident, including loss of revenue due to business interruption and the cost of restoring data and systems to their original state. Under the Privacy Act, if personal information is breached, a business is exposed to regulatory risk and may be held liable by the privacy commissioner. Payouts and additional spend on legal advice that follow a breach can also be claimed from the insurer.”
For many companies, there is a tension between the amount of cover they would need in the worst-case scenario and how much they can afford. “As a broker, I ask clients what level of cover they’re looking for and it’s surprising how often they don’t know,” says Meena. “So we talk about the potential cost of a breach and, if they can’t afford the premium for that amount of cover, we look at ways of bringing down the cost. That might be doing more to mitigate the risk and/or agreeing to pay an excess, just as you would with car insurance.”
Wahi advises boards to choose an insurance specialist with an understanding of the broader business connections and then to make them part of the cybersecurity conversation.
“You need to feel confident that your cover is keeping pace with changes in your environment and know that, in a crisis, you can rely on your policy to react in an appropriate way,” she says.
Questions to ask about cyber insurance
- Have we clearly articulated the risk we want to transfer?
- Can we demonstrate to an insurer that we have policies and practices in place to mitigate cyber-risk, including regular staff training?
- What level of risk are we willing to accept?
- Do we already have cyber insurance?
- Have we audited our insurance and reviewed all of our policies to identify any risks that are uncovered?
- Do we have adequate cover?
- Will it still be adequate to cover our response when the Mandatory Reporting bill takes effect?
- Should we consider an excess to reduce the premium or enable us to increase the amount of cover?
How well-prepared is the board for an attack?
10 questions boards need to ask.
- Who is responsible for cybersecurity and how is that accountability structured? Should we have a dedicated board committee?
- Do we have regular external reviews and do all of the results go to the board?
- How are we supporting a culture of cybersecurity? Are all employees trained to identify suspicious emails and respond appropriately? Are they rewarded rather than punished for promptly reporting a mistake, such as clicking on a suspicious link?
- Are we investigating alternative ways of storing information that will help to mitigate the risk of cyber-attacks?
- Do we have a business continuity plan?
- Do we have a breach recovery plan that includes limiting damage to our reputation?
- Do we have a media release ready to distribute as soon as we are aware of a breach?
- Do we check that our suppliers are committed to best practice security?
- Do we have cyber insurance and if not, why not?
- Are we prepared for Mandatory Notification?