Not if, but when
Questions directors should ask management about preparing for a cyber attack:
- What are our critical assets and where are they located?
- How can the assets be accessed?
- What protections do we have in place to keep them secure?
- What response plan do we have in place to manage a cyber attack? The plan should take into account the different types of cyber attack that could occur — for example, preventing access to the assets and loss of personal information.
- What are the reporting obligations if an event occurs?
- What plans do we have for management of an attack — do we have the right
relationships with other expert providers to assist at short notice?
Source: Anna Sutherland, Herbert Smith Freehills
The cyber attack on media company Nine Entertainment in March was a potent reminder of what’s at stake in cybersecurity. The attack on Nine’s North Sydney headquarters in the early hours of 28 March initially crippled some IT systems, led to some TV programs not airing that morning and threw production of its newspapers — including The Age, The Sydney Morning Herald and the The Australian Financial Review — into disarray.
The media company’s corporate network had to be unplugged in a bid to limit the spread of the contagion and employees were told to work from home. Every part of the business was affected, including payroll. It could be months before things return to normal while forensic IT teams continue to check the publisher’s systems one by one.
But at the same time, as business leaders and company directors confront the cyber risks to their enterprise, many recognise it’s impossible to eliminate all cyber risk without essentially shutting down the organisation. Instead, they are viewing cyber alongside other risks to the business and setting their risk tolerance for various cyber incidents. This recognition is timely, as stories such as the Nine attack become increasingly common.
The huge increase in home and remote working necessitated by the coronavirus pandemic has been accompanied by an upswing in malicious activity as cybercriminals exploit the increased opportunities to breach corporate defences. The Australian Cyber Security Centre (ACSC) receives more than 1000 cybersecurity incidents and cybercrime reports each week, while calls to its round-the-clock call centre have increased over the past 12 months from one every 10 minutes to one every eight. “The pandemic has forced us all to a pivotal realisation that Australians must make cybersecurity as much a hardwired part of our national mindset as sports, the beach and the barbecue,” says Abigail Bradshaw, head of the ACSC. She told the AISA (Australian Information Security Association) Australian Cyber Conference in March that “2020 has been incredibly confronting. It’s a real reality check on what effective, economy-wide cybersecurity defences must look like — not for some future of self-driving cars or AI, but for the world we are already in.”
In just the previous three months, she said, the ACSC had dealt with significant malicious cyber activity associated with SolarWinds, the Accellion File Transfer Appliance compromise and the Microsoft Exchange Server vulnerabilities.
“COVID-19 has changed the way we work, the risks to Australian businesses and the challenges directors must face to keep their staff, customers and the community safe,” says Australian Information Security Association chair Damian Manuel GAICD. “It has also had a profound impact on businesses as digital adoption has sped up. Gartner has predicted 40 per cent of boards will have a dedicated cybersecurity committee by 2025. In 2020, the Australian Cybersecurity Centre found that cyber crime occurs on average every 10 minutes and affects one in every three Australians.”
Photo: Getty Images.
As the threat environment intensifies, so, too, does the onus on directors to better come to grips with the extent of the cyber risks to their organisation and how they are being mitigated. Anna Sutherland, head of Herbert Smith Freehills’ Australian disputes practice, notes there is a growing trend for non-privacy regulators, such as the Australian Securities and Investments Commission (ASIC), to take an interest in and direct enforcement action for data and cybersecurity practices.
Thinking like a cybercriminal
It can be a useful exercise for directors to try to think like a cybercriminal, says Interactive’s chief security officer, Scott McKean. There are three factors to consider: capability, intent and opportunity.
This ranges from unsophisticated players who use automated tools they have bought on the dark web to launch “spray and pray” attacks in the hope they can snare a victim and make a profit, to nation-state threat actors backed by significant resources and expertise, and sophisticated cybercriminals who have a hit list of victims and large prizes.
Are the attackers trying to make a profit by scamming someone in the organisation or via ransomware? Are they environmental or social activists trying to cause as much disruption and embarrassment as possible? Or are they nation-states or competitors trying to steal business secrets and intellectual property?
This relates to the size of the attack surface, or the estate, that the attacker can go after. Reducing the attack surface can be as simple as ensuring computer programs are kept up to date with security patches; using multi-factor authentication that requires, for instance, a password and phone code to log in; and, most importantly, training staff on cybersecurity.
Given the magnitude and prominence of cyber risk for most organisations, ASIC notes: “informed oversight of risk involves the board being satisfied that cyber risks are adequately addressed by the risk management framework of the organisation”.
Directors will be expected to obtain current information around the threat that cyber risks pose to their particular business and what management has done to prepare the business for a potential cyber attack, says Sutherland. “Many corporates are identifying cyber attack as the major risk to their business and this reinforces the need for directors to give close attention to ensuring a current and comprehensive cyber-resilience program has been implemented and monitored periodically,” she says.
Just as the landmark 2011 court case on the collapse of the Centro property group found directors had to understand the accounts of their organisation, they must also understand cyber risk.
Rachael Falk, CEO of the Cyber Security Cooperative Research Centre, says boards should always get independent and external verification of their organisation’s cyber practices and risk. “You wouldn’t let the CFO mark his or her own homework,” she told the AICD Australian Governance Summit in March. “Be curious. Make a nuisance of yourself almost, but really drill down in those reports because you do want to make sure you have discharged your obligations — not just under the law, but also morally discharged your obligations — so that you understand the cyber underbelly of your organisation,” she said.
Echoing Falk’s call to action, Boston Consulting Group’s Paul O’Rourke told the summit: “Cyber literacy is paramount on boards.” He expects more boards to form dedicated cyber committees to manage the risk. O’Rourke told directors that boards are indeed maturing their approach to adapt to the evolving nature of cyber risk.
“[What] really helps with the governance and execution of directors’ responsibilities is if you get a much better handle on a risk position in the organisation and then you set the parameters and the framework for management to execute,” he said. However, he expressed concern that too many boards’ stated risk appetites for cybersecurity are little more than motherhood statements; for example, “We have zero tolerance to cyber risk”.
Companies will inevitably suffer cyber breaches and security compromises, but what counts is how well prepared they are, how they manage a breach and how transparent they are about the actions they choose to take.
Regulators investigating a cyber breach want to see evidence that companies have carried out all the steps they should have in terms of management, reporting, governance, oversight and external reviews, according to O’Rourke. Cybersecurity shouldn’t just be a function of the IT department. Instead, it should come from the top down, starting at board level, and involve all parts of the business. But it tends to be tuned out when it’s perceived as a “show stopper” by other departments that want to deploy a new capability or acquire a new company and fear IT will tell them “no”.
“If we start to shift that conversation to ‘Actually, cybersecurity can help us go faster, because we can do these things with confidence’, then it becomes a strategic asset for the business,” says Scott McKean, chief security officer at Australian IT services provider Interactive. “Typically, cybersecurity is a function of the IT department and you’re always playing catch-up. It’s very reactive. It’s costly. It’s siloed and very operational.”
Director tools for cyber literacy and preparedness
The AICD has published a new suite of tools for directors, with Patrick Fair GAICD covering the latest in cyber governance. The tripartite resource includes practical applications of cyber-risk awareness and recent legislative developments directors need to know.
Managing a data breach: 10 oversight questions for directors helps identify issues that can arise in the context of a data breach, such as ensuring an independent investigation occurs, keeping in touch with the regulator and drafting an appropriate communications strategy. bit.ly/3t2BUpY
National security compliance for directors examines key areas of national security compliance, including broadly stated criminal offences, as well as requirements to register when engaging in political and public communications. bit.ly/32ZgQ96
The consumer data right framework outlines the consumer data right (CDR) framework — sometimes referred to as “open banking” — in its early rollout to financial services. The framework can be used to access a great deal of valuable information about customer behaviour and opportunities for product bundling. bit.ly/3nw3omx
Patrick Fair GAICD is principal of Patrick Fair Associates and chair of the communications security reference panel at the Communications Alliance.
Living with cyber risk
Looking at cybersecurity through a risk lens means cyber teams are involved early in business decisions and move from being reactive to sustainably reducing risk. McKean suggests directors take a top-down approach to assessing their cyber-risk tolerance, starting with measuring the likelihood and impact of the three or four biggest risks to the organisation. Risks will be different for each business. For one, it might be that their systems stay up so their delivery trucks can get from point A to point B. For another, it could be protecting trade secrets and sensitive information.
“You need to attach a monetary figure to the impact because, without understanding the impact from a commercial point of view, you can’t say how much you’re going to invest to reduce your risk,” says McKean.
The operational and security teams need to work alongside board members to help them articulate well what those risks are and ensure this becomes a sustainable practice, because the risk profile changes as the business changes and grows.
According to Nicola Nicol, cybersecurity partner at PwC, directors should regard security strategy not just as value preservation, but as a business enabler.
“If you can secure your business processes and translate them to more agile ways of operating — and think about making your client... user experience simple from a security point of view — that can really be a strategic enabler, not just a way of managing risk,” she says. “This is particularly true when organisations build security into their business processes from the outset — then they don’t add cost or complexity to the experience. A simple and easy-to-use application, such as a banking app, can differentiate a business and help attract customers.”
Businesses need to align cyber-risk management with their business needs and integrate it into their enterprise risk management and board governance framework, adds Nicol.
Claire Pales, co-author of The Secure Board, says directors should understand that having access to highly sensitive data necessitates rules, structures and frameworks they need to comply with. This means ensuring the virus protection and software on their own devices is up to date, being careful about clicking on links and documents, even when apparently from trusted sources, and exercising caution when using public wifi networks. “Cybersecurity is an enterprise-wide responsibility, not something just for the CIO to be managing or making decisions about,” says Pales.
Australian Cyber Security Centre head Abigail Bradshaw lists four major cyber threat trends in 2021: Ransomware, email phishing and malware-laden SMS scams are an increasing threat, thanks to more people seeking information and services online.
Professional syndicates operating ransomware crime and coupling their attacks with distributed denial-of-service (DDoS) attacks to increase the pressure to pay. Business email compromise has significantly increased over the past year, with four times as many reports when compared to the previous year.
Managed service providers — which supply IT services to companies — and supply chain providers will remain targets because of the privileged access they have to their customers’ networks.
Some companies mentioned in this feature may have advertised in Company Director, but have had no involvement in determining editorial content.