
The number of cyber-security breaches in Australia rose 16 per cent in the first half of this year, compared to the same period last year, partly due to COVID-19, an AICD webinar audience was told recently.

A total of 518 breaches were reported in the first half of 2020 as threats to Australian businesses increase, said Damien Manuel GAICD, Chair of the Australian Information Security Association. Manuel hosted the webinar, titled: ‘Australian Cyber Security Strategy 2020: Understand your business's digital future.’

Currently one in three Australians is adversely affected by cybercrime, and cyber incidents can cost the economy up to $29 billion per year, according to Manuel. Australians also lost more than $142 million to scams in 2019.

Webinar panellists commented on the 2020 Cyber Security Strategy, released by the Australian government recently. The strategy will invest $1.67 billion over 10 years in a number of measures including new ways to shut down cyber-crime, especially on the dark web, setting up stronger partnerships with industry through the Joint Cyber Security Centre program, providing a 24-hour cyber security advice hotline for SMEs and families, offering clear guidance for businesses and consumers about securing Internet of Things devices, and delivering advice to small and medium enterprises to increase their cyber resilience. The strategy builds on the 2016 Cyber Security Strategy, which invested $230 million to advance and protect Australia’s interests online.

What boards can do

Webinar speaker Hamish Hansford, First Assistant Secretary Cyber, Digital and Technology Policy Division, Department of Home Affairs, says cyber-security is a major risk area for boards to manage, and he proposes a cyber audit as one option.

“The board needs to have a big understanding of the cybersecurity risk, especially if they don't have the expertise on the board. Maybe a cyber audit might be a good way to do it. If you haven't had a good understanding of how cyber security is impacting your business, just like a financial audit, a cyber security audit might be a good thing to invest in.”

It is also important for all directors on a board to try to understand as much as possible about technology and cyber-security, says Denholm. “Not everybody is going to be an expert in cyber. You need diversity of skills on the board. But I think it's incumbent on every director to understand what the company is actually dealing with and to ask questions of the management team about how they are tackling the issue. What is their strategy?”

She believes that all directors on a board should try to gain an understanding of the organisation's cyber environment, whether they are experts or not. On the boards on which she has served, she insists on seeing regular reports on cyber-threats, on the attacks being detected, and on whether those threats were successfully defended against.

“To me, there are two types of companies, those that have been penetrated by cyber-attacks, and those that don't know that they have been, and there isn't anybody out there that hasn't been exposed to cyber threats in one form or another.”

Boards should ask management the following questions about cyber-security, she says.

  1. What's going on in my company from a cybersecurity perspective?
  2. What is the cyber security strategy?
  3. What is that strategy in a disaster?
  4. What's the communication throughout the organisation of the importance of cyber hygiene?
  5. What is the reporting coming back to the board?

A snap poll asked webinar participants the question: Do you have people on your board with cybersecurity risk management skills? Only 13 per cent had multiple board members with some level of cyber risk management experience, and 29 per cent had one person with these skills. Most – 38 per cent – said they don't have a director or executive at the board level who possesses this type of experience. “It's not just about technology,” says Denholm. “The best technology in the world will not prevent a cyber-attack if people do things that allow the attacks to happen inside organisations. So, from my perspective, it has to be a collaborative effort, not just between government, industry, and consumers but also within each of those entities as well.”

She says boards can benefit from work being undertaken by the Joint Cyber Security Centres (JCSC), which bring together businesses and the research community, along with state, territory and Australian government agencies. “If I was a director on an Australian company, whether it was publicly listed or smaller, I'd want the team to get involved with the Joint Cyber Security Centres,” Denholm told the webinar. These are located in Sydney, Melbourne, Brisbane, Adelaide and Perth. And they have been given extra funding to reach out on cyber-security to SMEs, as well as to bigger companies, she said.

Denholm and fellow webinar speaker Bob Mansfield AO, Chair, Vocus Group, both sat as panellists on the Cyber Security Strategy Industry Advisory Panel and helped to compile the report, which came up with 60 recommendations and a five-pillar framework of action. “It really started with a vision of a strong cyber security environment, actually, enabling Australians to prosper,” says Denholm. “We want to build the digital capabilities within Australia, going forward.”

Five-pillar framework

  • Deterrence: deterring malicious actors from targeting Australia.
  • Prevention: preventing people and sectors in Australia from being compromised online.
  • Detection: identifying and responding quickly to cyber security threats.
  • Resilience: minimising the impact of cyber security incidents.
  • Investment: investing in essential cyber security enablers.

Mansfield told the webinar that every board should carry out a skills matrix to analyse what skills are present across the board, including digital and cyber-security skills. “As resources develop and the depth of resources develop, they'll become very significant elements around the board table.”

In the short term, the two words “visible accountability” should apply to every director. “If you don't know who's doing it [overseeing cybersecurity] and you don't know whether they are, whether you're doing it or the company is doing it, answer that question first. And after that, find out how regularly you get information to keep you updated on where things are at.”

Protecting an organisation from cyber risks is everyone's role in an entity; we all have a part to play, says Manuel. “Improving cyber security is also a journey which requires building and maintaining the right culture, adapting business processes to address digital risks and applying the right level of controls, commensurate with the threats businesses face.”

Cyber for Directors Online course

The Cyber for Directors Online course explores the current cybercrime landscape and the board's role in cybersecurity governance.
