Boards set to face the music on cyber security lapses
Company directors will need to get used to facing the music when it comes to mitigating cyber risk, security experts have said, as the frequency and scale of ransomware attacks globally continue to escalate.
The federal government is currently discussing new standards with industry, as figures show cyber crime is costing the Australian economy around $3.5 billion a year. The standards were first floated last year and would potentially come with extra responsibilities for directors of large Australian companies.
Meanwhile high-profile attacks, including ransomware which can lock down entire businesses and be very lucrative for criminals, continue to grow in scale and sophistication. This month’s ransomware attack on IT services company Kaseya flowed down to service providers worldwide and thousands of individual businesses, with the attackers demanding almost $100 million in ransom.
Anna Leibel, co-founder of advisory firm The Secure Board, said it was inevitable that Australia would see more significant and widespread breaches, and that responsibility for fostering a security-conscious culture sat with the board.
“The tone is set at the top. It’s the same as them being held accountable for solvency, or for health and safety. The board’s accountable for the culture,” she said.
“It’s much broader than a technology problem now, and all of the executive and the board need to understand all the elements that contribute to cyber risk.”
Telstra CEO Andy Penn said at a National Press Club speech on Thursday that most Australian businesses were not prepared to respond to a cyber attack. A recent report from cybersecurity company FireEye showed the median “dwell time” (the amount of time between a breach and a company noticing the breach) was 76 days for the Asia-Pacific region in 2020, compared to 17 days for the Americas.
Ryan Murray, regional director of cyber security firm HUMAN, said businesses should consider the type of technology and skills needed to keep up with a constantly evolving threat landscape.
“The sophistication of attacks, and of cyber criminals, is on the rise. Criminals use scaled automated attacks, and 77 per cent of all cyber attacks use sophisticated bots. They are well funded organisations. And the businesses they’re attacking, cyber likely isn’t their core competency.”
“The upskilling of professionals in the space, and new technology adoption, typically has a cost associated with it. You need teams internally to know what to look for, but also to be able to speak the language between security and business to bridge that gap, and say to CEOs and investors and the board, that there are real risks that come with real costs if we’re not protecting ourselves.”
Ms Leibel, who also co-authored a book designed to educate boards on the business risks related to cyber security, said many directors struggled with the concept that IT teams spend a lot of money on cyber but are never done, as new risks emerge constantly. But even a well-resourced IT team can’t keep businesses safe on their own, she said.
“IT departments are spending a lot of money around technology controls, in the event of a cyber breach. But in a lot of the ransomware incidents [we’ve seen lately] it’s actually been an employee clicking on a phishing email that let the attackers in.”
“It’s about awareness across all employees. It’s thinking about the third party, so your vendors that you work with, and people that have access to your data, where they’re storing it and how they’re keeping that safe.”
In the case of something like ransomware, companies also need protocols for during and after the attack, which should be documented and rehearsed, right down to who will be managing social media and what the message will be to customers.
“Once you’ve lost the trust of your customers, it really does impact your retention and your attracting of new customers. So it can actually have a significant impact on your growth, your aspirations as an organisation,” Ms Leibel said.
Both Leibel and Murray agreed that one of the most positive steps businesses could take is sharing experience and expertise, rather than dealing with attacks internally.
“Most Australian companies probably wouldn’t know what to do if they fell victim to a ransomware attack. So it is the right time for the public and private sectors to come together to put a framework, put policy and put best practices in place,” Murray said.
“We need to band together in this kind of collective protection ideology, which says ‘let’s break the economics of cybercrime’. And you can do that much better if you’re collaborating than if you’re operating in a silo.”
Tim is the editor of The Age and Sydney Morning Herald technology sections.