Today cyber attacks feature in news headlines almost daily, as businesses and consumers grapple with the fallout – but the threat of attacks like these is far from new. The first major cyber attack to be reported in mainstream media affected just 6,000 internet users when it was unleashed in 1988, but over time these attacks have evolved to a level of sophistication and scale that presents a much more substantial risk.
As a Director or Executive, you may be wondering how the risk of cyber crime relates to your organisation. We invite you to join renowned cyber security expert, Dr Chris Bolan, as he shares his experience and insights on this critical business issue.
How significant is cyber risk?
Statistics, like those outlined in the Annual ACSC Cyber Threat Report, confirm that cyber crime is a significant and growing problem.
- In 2020–21 Australian losses from cyber crime exceeded AUD$33 billion.
- In 2021–22 over 76,000 cybercrimes were reported, an increase of almost 13 per cent.
- The cost to victims has also risen, with the average cost of a single incident reaching $39,000 for small businesses, $88,000 for medium businesses, and $62,000 for large businesses.
“One of the interesting things about cyber crime is that as the cost to victims increases, the cost of probing for vulnerabilities and delivering attacks remains relatively small,” says Chris. “There is also no difference in the cost of going up against a small business or a large corporation, so while we like to think that cyber crime is targeted – and there is still an element of this – no one is completely immune from this threat.”
Mitigating risk and minimising impact
There is no silver bullet for eradicating cyber threats because there will always be factors outside of our control. However, by taking a clear and measured approach, businesses can lower the risk of an attack and minimise the impact if one does occur.
Finding the right approach
Navigating the many different approaches and recommendations on cyber security can be extremely challenging. “As cyber threats have evolved, so has a minefield of competing ideas and technologies to address this issue, many of which can be misleading and ineffective,” says Chris. “Only by taking a pragmatic view of cyber security can we ensure that our investment is targeted to true risk reduction.”
Cyber security in the supply chain
In developing cyber strategy, it’s important to look at risks both inside and outside of an organisation. “Recently there was an incident where a major retailer was impacted by a cyber attack in their supply chain,” Chris explains. “Regardless of the size of your organisation, or the sophistication of your own technologies, if you rely on third-party systems this exposure must be factored into your strategy.”
Learning from workplace safety
Chris draws many parallels between cyber security and occupational health and safety (OHS). “Going back 20 or 30 years, you’d be hard pressed to find a dedicated OHS professional, or sit through a meeting where workplace safety wasn’t discussed, but look how far we’ve come,” he says. “If we are as successful with cyber security as we appear to have been with safety, then we will all be much better off. But for this to happen, the same level of commitment and strategic focus must be applied.”
Getting started: Applying cyber security principles
To make sense of cyber security and guide strategy development, Chris recommends adopting a set of guiding principles – like those issued by the Australian Institute of Company Directors (AICD).
Principle 1: Set clear roles and responsibilities
Having clearly defined cyber security roles and responsibilities is critical, but too many businesses simply allocate this responsibility to existing technology managers. Chris stresses the importance of establishing a dedicated cyber security function where feasible, and of embedding cyber security culturally so that it is seen as everyone’s responsibility.
Defining performance expectations and targets is another important consideration, and one with strong ties back to OHS. “There isn’t a role today that doesn’t need to adhere to safety practices and policies, and the consequences for non-compliance can be as severe as instant dismissal,” says Chris. “Cyber security must be equally mandated, and in a mature organisation I would hope to see all job descriptions outlining cyber security responsibilities alongside other risk mitigation expectations.”
Principle 2: Develop, implement and evolve a comprehensive cyber strategy
As cyber threats continue to evolve, the organisational response must evolve too. “After businesses develop cyber strategies, they often add new systems without going back to adjust their strategy. But these changes can create new points of weakness,” says Chris.
The desire to keep legacy systems adds another layer of complexity to cyber strategy. “The ongoing patching and maintenance of legacy systems creates a significant risk, and in some cases these legacy systems can’t easily be made secure,” says Chris. “Weaponising vulnerabilities is also much easier with older systems, with attacks that once took 2-3 days now taking just minutes to perpetrate. This doesn’t mean that legacy systems shouldn’t be used, but it is a risk to be mindful of as the IT landscape grows.”
Principle 3: Embed cyber security in existing risk management practices
Most organisations already consider risk management in terms of issues like health and safety, supply chain disruption, and regulatory change and compliance. Instead of managing cyber risk as an IT or other departmental issue, it must be embedded in other existing risk management practices, and assessed as part of the wider organisational risk context.
Principle 4: Promote a culture of cyber resilience
According to Chris, cyber security is most effective when it is embedded in organisational culture. “Where it becomes an afterthought, businesses often miss or bypass cyber controls, which ultimately creates greater risk. Again, I see huge parallels here between cyber security and OHS,” says Chris. “The mining and resources sector has been very effective in making safety part of industry and organisational culture, and cyber security will be at its most effective when this level of maturity has been reached.”
Principle 5: Plan for a significant cyber security incident
In applying this final principle, Chris urges businesses to assume that cyber attacks will happen, and to plan accordingly. “Not being adequately prepared, failing to communicate, or trying to cover up a cyber attack will only erode customer and stakeholder trust,” he says. “The more your response can be planned and rehearsed, the more effective your recovery will be. This may include establishing relationships to provide PR or legal expertise, knowing your regulatory requirements to report incidents, or having clarity on any ethical considerations within your response.”
“Cyber security isn’t something that can be rushed or addressed rapidly, and principles like these provide a good framework for getting started,” Chris reflects. “Business leaders must also allow time to investigate and apply a deeper level of thinking and questioning to these principles, because often the uncomfortable questions have the greatest impact.”
Need more help?
A wide range of resources is available through industry bodies like the AICD and the Australian Cyber Security Centre (ACSC). To discuss Board or Executive Leadership professional development opportunities, connect with your local Gerard Daniels team.