Highly publicised and potentially disastrous data breaches are becoming par for the course. So what practical cybersecurity steps can directors take to avoid being caught off guard?
The cyber attack on media company Nine Entertainment in March was a potent reminder of what's at stake in cybersecurity. The attack on Nine's North Sydney headquarters in the early hours of 28 March initially crippled some IT systems, led to some TV programs not airing that morning and threw production of its newspapers, including The Age, The Sydney Morning Herald and The Australian Financial Review, into disarray.
The media company's corporate network had to be unplugged in a bid to limit the spread of the contagion and employees were told to work from home. Every part of the business was affected, including payroll. It could be months before things return to normal while forensic IT teams continue to check the publisher's systems one by one.
But at the same time, as business leaders and company directors confront the cyber risks to their enterprise, many recognise it's impossible to eliminate all cyber risk without essentially shutting down the organisation. Instead, they are viewing cyber alongside other risks to the business and setting their risk tolerance for various cyber incidents. This recognition is timely, as stories such as the Nine attack become increasingly common.
The huge increase in home and remote working necessitated by the coronavirus pandemic has been accompanied by an upswing in malicious activity as cybercriminals exploit the increased opportunities to breach corporate defences. The Australian Cyber Security Centre (ACSC) receives more than 1000 cybersecurity incidents and cybercrime reports each week, while calls to its round-the-clock call centre have increased over the past 12 months from one every 10 minutes to one every eight. "The pandemic has forced us all to a pivotal realisation that Australians must make cybersecurity as much a hardwired part of our national mindset as sports, the beach and the barbecue," says Abigail Bradshaw, head of the ACSC. She told the AISA (Australian Information Security Association) Australian Cyber Conference in March that "2020 has been incredibly confronting. It's a real reality check on what effective, economy-wide cybersecurity defences must look like – not for some future of self-driving cars or AI, but for the world we are already in."
Not if, but when
Questions directors should ask management about preparing for a cyber attack:
- What are our critical assets and where are they located?
- How can the assets be accessed?
- What protections do we have in place to keep them secure?
- What response plan do we have in place to manage a cyber attack? The plan should take into account the different types of cyber attack that could occur – for example, preventing access to the assets and loss of personal information.
- What are the reporting obligations if an event occurs?
- What plans do we have for management of an attack â do we have the right
Source: Anna Sutherland, Herbert Smith Freehills
In just the previous three months, she said, the ACSC had dealt with significant malicious cyber activity associated with SolarWinds, the Accellion File Transfer Appliance compromise and the Microsoft Exchange Server vulnerabilities.
"COVID-19 has changed the way we work, the risks to Australian businesses and the challenges directors must face to keep their staff, customers and the community safe," says Australian Information Security Association chair Damian Manuel GAICD. "It has also had a profound impact on businesses as digital adoption has sped up. Gartner has predicted 40 per cent of boards will have a dedicated cybersecurity committee by 2025. In 2020, the Australian Cybersecurity Centre found that cyber crime occurs on average every 10 minutes and affects one in every three Australians."
Cyber literacy
As the threat environment intensifies, so, too, does the onus on directors to better come to grips with the extent of the cyber risks to their organisation and how they are being mitigated. Anna Sutherland, head of Herbert Smith Freehills' Australian disputes practice, notes there is a growing trend for non-privacy regulators, such as the Australian Securities and Investments Commission (ASIC), to take an interest in and direct enforcement action for data and cybersecurity practices.
Given the magnitude and prominence of cyber risk for most organisations, ASIC notes: "informed oversight of risk involves the board being satisfied that cyber risks are adequately addressed by the risk management framework of the organisation".
Directors will be expected to obtain current information around the threat that cyber risks pose to their particular business and what management has done to prepare the business for a potential cyber attack, says Sutherland. "Many corporates are identifying cyber attack as the major risk to their business and this reinforces the need for directors to give close attention to ensuring a current and comprehensive cyber-resilience program has been implemented and monitored periodically," she says.
Just as the landmark 2011 court case on the collapse of the Centro property group found directors had to understand the accounts of their organisation, they must also understand cyber risk.
Rachael Falk, CEO of the Cyber Security Cooperative Research Centre, says boards should always get independent and external verification of their organisation's cyber practices and risk. "You wouldn't let the CFO mark his or her own homework," she told the AICD Australian Governance Summit in March. "Be curious. Make a nuisance of yourself almost, but really drill down in those reports because you do want to make sure you have discharged your obligations – not just under the law, but also morally discharged your obligations – so that you understand the cyber underbelly of your organisation," she said.
Echoing Falk's call to action, Boston Consulting Group's Paul O'Rourke told the summit: "Cyber literacy is paramount on boards." He expects more boards to form dedicated cyber committees to manage the risk. O'Rourke told directors that boards are indeed maturing their approach to adapt to the evolving nature of cyber risk.
"[What] really helps with the governance and execution of directors' responsibilities is if you get a much better handle on a risk position in the organisation and then you set the parameters and the framework for management to execute," he said. However, he expressed concern that too many boards' stated risk appetites for cybersecurity are little more than motherhood statements; for example, "We have zero tolerance to cyber risk".
Companies will inevitably suffer cyber breaches and security compromises, but what counts is how well prepared they are, how they manage a breach and how transparent they are about the actions they choose to take.
Regulators investigating a cyber breach want to see evidence that companies have carried out all the steps they should have in terms of management, reporting, governance, oversight and external reviews, according to O'Rourke. Cybersecurity shouldn't just be a function of the IT department. Instead, it should come from the top down, starting at board level, and involve all parts of the business. But it tends to be tuned out when it's perceived as a "show stopper" by other departments that want to deploy a new capability or acquire a new company and fear IT will tell them "no".
"If we start to shift that conversation to 'Actually, cybersecurity can help us go faster, because we can do these things with confidence', then it becomes a strategic asset for the business," says Scott McKean, chief security officer at Australian IT services provider Interactive. "Typically, cybersecurity is a function of the IT department and you're always playing catch-up. It's very reactive. It's costly. It's siloed and very operational."
Thinking like a cybercriminal
It can be a useful exercise for directors to try to think like a cybercriminal, says Interactive's chief security officer, Scott McKean. There are three factors to consider: capability, intent and opportunity.
Capability
This ranges from unsophisticated players who use automated tools they have bought on the dark web to launch "spray and pray" attacks in the hope they can snare a victim and make a profit, to nation-state threat actors backed by significant resources and expertise, and sophisticated cybercriminals who have a hit list of victims and large prizes.
Intent
Are the attackers trying to make a profit by scamming someone in the organisation or via ransomware? Are they environmental or social activists trying to cause as much disruption and embarrassment as possible? Or are they nation-states or competitors trying to steal business secrets and intellectual property?
Opportunity
This relates to the size of the attack surface, or the estate, that the attacker can go after. Reducing the attack surface can be as simple as ensuring computer programs are kept up to date with security patches; using multi-factor authentication that requires, for instance, a password and phone code to log in; and, most importantly, training staff on cybersecurity.
Living with cyber risk
Looking at cybersecurity through a risk lens means cyber teams are involved early in business decisions and move from being reactive to sustainably reducing risk. McKean suggests directors take a top-down approach to assessing their cyber-risk tolerance, starting with measuring the likelihood and impact of the three or four biggest risks to the organisation. Risks will be different for each business. For one, it might be that their systems stay up so their delivery trucks can get from point A to point B. For another, it could be protecting trade secrets and sensitive information.
"You need to attach a monetary figure to the impact because, without understanding the impact from a commercial point of view, you can't say how much you're going to invest to reduce your risk," says McKean.
The operational and security teams need to work alongside board members to help them articulate well what those risks are and ensure this becomes a sustainable practice, because the risk profile changes as the business changes and grows.
According to Nicola Nicol, cybersecurity partner at PwC, directors should regard security strategy not just as value preservation, but as a business enabler.
"If you can secure your business processes and translate them to more agile ways of operating – and think about making your client... user experience simple from a security point of view – that can really be a strategic enabler, not just a way of managing risk," she says. "This is particularly true when organisations build security into their business processes from the outset – then they don't add cost or complexity to the experience. A simple and easy-to-use application, such as a banking app, can differentiate a business and help attract customers."
Businesses need to align cyber-risk management with their business needs and integrate it into their enterprise risk management and board governance framework, adds Nicol.
Claire Pales, co-author of The Secure Board, says directors should understand that having access to highly sensitive data necessitates rules, structures and frameworks they need to comply with. This means ensuring the virus protection and software on their own devices is up to date, being careful about clicking on links and documents, even when apparently from trusted sources, and exercising caution when using public wifi networks. "Cybersecurity is an enterprise-wide responsibility, not something just for the CIO to be managing or making decisions about," says Pales.
Australian Cyber Security Centre head Abigail Bradshaw lists four major cyber threat trends in 2021:
- Ransomware, email phishing and malware-laden SMS scams are an increasing threat, thanks to more people seeking information and services online.
- Professional syndicates are operating ransomware crime and coupling their attacks with distributed denial-of-service (DDoS) attacks to increase the pressure to pay.
- Business email compromise has significantly increased over the past year, with four times as many reports when compared to the previous year.
- Managed service providers, which supply IT services to companies, and supply chain providers will remain targets because of the privileged access they have to their customers' networks.
Some companies mentioned in this feature may have advertised in Company Director, but have had no involvement in determining editorial content.