Boards set to face the music on cyber security lapses

Company directors will need to get used to facing the music when it comes to mitigating cyber risk, security experts have said, as the frequency and scale of ransomware attacks globally continues to escalate.

The federal government is currently discussing new standards with industry, as figures show cyber crime is costing the Australian economy around $3.5 billion a year. The standards were first floated last year and would potentially come with extra responsibilities for directors of large Australian companies.

Cyber security needs to be a focus throughout the business, not just in the IT department. Credit: Getty

Meanwhile high-profile attacks, including ransomware which can lock down entire businesses and be very lucrative for criminals, continue to grow in scale and sophistication. This month’s ransomware attack on IT services company Kaseya flowed down to service providers worldwide and thousands of individual businesses, with the attackers demanding almost $100 million in ransom.

Anna Leibel, co-founder of advisory firm The Secure Board, said it was inevitable that Australia would see more significant and widespread breaches, and that responsibility for fostering a security-conscious culture sat with the board.

“The tone is set at the top. It’s the same as them being held accountable for solvency, or for health and safety. The board’s accountable for the culture,” she said.

“It’s much broader than a technology problem now, and all of the executive and the board need to understand all the elements that contribute to cyber risk.”

Anna Leibel, co-founder of The Secure Board. Credit: Eamon Gallagher

Telstra CEO Andy Penn said at a National Press Club speech on Thursday that most Australian businesses were not prepared to respond to a cyber attack. A recent report from cybersecurity company FireEye showed the median “dwell time” (the amount of time between a breach and a company noticing the breach) was 76 days for the Asia-Pacific region in 2020, compared to 17 days for the Americas.

Ryan Murray, regional director of cyber security firm HUMAN, said businesses should consider the type of technology and skills needed to keep up with a constantly evolving threat landscape.

“The sophistication of attacks, and of cyber criminals, is on the rise. Criminals use scaled automated attacks, and 77 per cent of all cyber attacks use sophisticated bots. They are well funded organisations. And the businesses they’re attacking, cyber likely isn’t their core competency.”

“The upskilling of professionals in the space, and new technology adoption, typically has a cost associated with it. You need teams internally to know what to look for, but also to be able to speak the language between security and business to bridge that gap, and say to CEOs and investors and the board, that there are real risks that come with real costs if we’re not protecting ourselves.”

Ms Leibel, who also co-authored a book designed to educate boards on the business risks related to cyber security, said many directors struggled with the concept that IT teams spend a lot of money on cyber but are never done, as new risks emerge constantly. But even a well-resourced IT team can’t keep businesses safe on their own, she said.

“IT departments are spending a lot of money around technology controls, in the event of a cyber breach. But in a lot of the ransomware incidents [we’ve seen lately] it’s actually been an employee clicking on a phishing email that let the attackers in.”

“It’s about awareness across all employees. It’s thinking about the third party, so your vendors that you work with, and people that have access to your data, where they’re storing it and how they’re keeping that safe.”

In the case of something like ransomware, companies also need protocols for during and after the attack, which should be documented and rehearsed, right down to who will be managing social media and what the message will be to customers.

“Once you’ve lost the trust of your customers, it really does impact your retention and your attracting of new customers. So it can actually have a significant impact on your growth, your aspirations as an organisation,” Ms Leibel said.

Both Leibel and Murray agreed that one of the most positive steps businesses could take is sharing experience and expertise, rather than dealing with attacks internally.

“Most Australian companies probably wouldn’t know what to do if they fell victim to a ransomware attack. So it is the right time for the public and private sectors to come together to put a framework, put policy and put best practices in place,” Murray said.

“We need to band together in this kind of collective protection ideology, which says ‘let’s break the economics of cybercrime’. And you can do that much better if you’re collaborating than if you’re operating in a silo.”

Tim is the editor of The Age and Sydney Morning Herald technology sections.