Where once responsibility would have been delegated to the CIO or IT manager, now decisions about cyber security are topping C-suite to-do lists.
You don’t have to look far to see why. High-profile data losses, crippling hacker attacks and Australia’s looming mandatory breach notification laws have raised awareness of IT security.
Boards have become acutely aware of the financial and reputational costs of not getting it right.
At the same time, there have also been rapid changes in the ways in which digital technologies are being used by businesses. These, in turn, have significant security implications that need to be addressed.
One example is the rise in mobile and flexible working. Where once critical applications and data were usually stored in and accessed from an on-premise data centre, now they can be spread across multiple hosted platforms and accessed from myriad portable devices.
Another key trend is the rise of the Internet of Things (IoT). Increasing numbers of smart devices are being connected to corporate networks where they generate and share data. Keeping track of these new streams is a far from trivial task.
One security-related issue that is also gaining traction is the dramatic rise in the number of ransomware attacks. Victim organisations find their critical data files encrypted and face either paying criminals for the key to unlock them or losing access forever, unless they hold usable backups.
Keeping the board awake at night
It’s fair to say cyber security is a topic that is keeping many corporate decision makers awake at night. Looking back at the past 12 months, attacks have been relentless and, unfortunately, there’s no sign this year will be any different.
Hackers are looking to profit from their attacks, and a sufficiently determined one may breach a business’ defences regardless of how strong they are. Without a solid information security approach, a breach is not a question of ‘if’ but ‘when’.
According to the Telstra Cyber Security Report 2017, 59 per cent of organisations in Australia detected a business-interrupting security breach on at least a monthly basis. That is more than double the 24 per cent that reported the same in 2015.
According to the report, 60 per cent of Australian organisations experienced at least one ransomware incident in the preceding 12 months. Of those that did, 57 per cent opted to pay the ransom.
The Telstra research also found that the most popular delivery method for cyber threats is via phishing emails. Worryingly, approximately one-third of Australian businesses experienced a phishing email incident which had an impact on their business on at least a monthly basis.
Education is the key
Something every business needs to be aware of in 2018 is that those doing the phishing are sophisticated and highly adaptable. It is difficult to spot the attacks, and it takes just one person in an organisation to let down their guard for the hackers to gain access.
It is for this reason that the most crucial component in good information security is people. Granted, IT is one of the weak points, but technology can be managed. It is human behaviour that cannot be predicted and controlled, and that is what presents the biggest opportunity for hackers.
Hackers know where the weaknesses lie, and it is with people: their inability to identify risks and their often relaxed approach to security.
For this reason, ongoing education of staff is an essential component in establishing a sufficiently secure organisation, and should be a mandatory focus for all businesses in the year ahead.
The growing role of the board
Thankfully, there are likely to be some positives. What may seem like a spike in attacks could actually be evidence of more companies examining their security situation. Directors are appreciating the threat landscape and acknowledging security – long perceived to be an IT problem – is in fact a company-wide one.
In the past 12 months, boards and executives have become engaged in the topic. There is considerable interest to understand the issue and their role in cyber security.
The coming 12 months have a predictably familiar feel: more phishing, more employees making uneducated mistakes, and more ransomware. Cybercrime is big business, and criminals will keep doing what nets them the best result.
As a Board member, you can make yourself and your business less of a target with these three recommendations:
- Update your IT hygiene: The Australian Signals Directorate’s Essential 8 outlines some of the basics. These include application whitelisting, patching applications, disabling untrusted Microsoft Office macros, and daily data backups.
- Educate staff: Understand the dangers and make it part of the company culture to stay up to date with cyber security best practice. At Aura Information Security, we recently launched CyberWise, an online subscription-based training tool designed to help businesses raise the overall standard of cyber security. Tools such as this make one of the most important aspects of cyber security simple to deliver.
- Plan for the worst: Despite the best preparations, there remains the possibility that something could happen. How you respond is often the greater determinant of damage and fallout, so have a tested incident response plan in place; failure to plan is a plan for failure.
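As an added illustration of the Office macro item in the list above (this is not code from the article or from Aura), the following PowerShell script audits whether the macro policies the Essential 8 asks for are actually set on a workstation. It assumes Office 2016 or later, whose policy keys live under the 16.0 path, and reads only the per-user policy hive; the key path and value names are Microsoft’s documented Group Policy settings for Office macro security.

```powershell
# Audit the per-user Office macro policy for Word, Excel and PowerPoint.
# Assumption: Office 2016/2019/365, so policies sit under the "16.0" key.
# VBAWarnings meaning (Microsoft's documented values):
#   1 = enable all macros, 2 = disable with notification,
#   3 = disable all except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files downloaded from the Internet.
function Get-OfficeMacroPolicyAudit {
    param(
        [string[]] $Applications = @('Word', 'Excel', 'PowerPoint'),
        [string]   $OfficeVersion = '16.0'   # assumption: adjust for other Office releases
    )

    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

        # A missing key or value simply yields $null, which we report as "not configured".
        $vba = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $blk = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        [pscustomobject]@{
            Application               = $app
            VBAWarnings               = if ($null -eq $vba) { 'not configured' } else { $vba }
            UntrustedMacrosDisabled   = ($vba -in 3, 4)     # only signed macros, or none at all
            MacrosFromInternetBlocked = ($blk -eq 1)
            Compliant                 = ($vba -in 3, 4) -and ($blk -eq 1)
        }
    }
}

# Usage: list each application and flag any that still allow untrusted macros.
$audit = Get-OfficeMacroPolicyAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0}: macro policy does not meet the Essential 8 baseline" -f $_.Application)
}
```

Run it under the account whose policy you want to check; a blank VBAWarnings means no policy has been pushed at all, which leaves users on the Office default of "disable with notification", where a single click re-enables the macro a phishing email relies on.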
An ongoing, board-level process
Achieving effective cyber security can never be a set-and-forget exercise. The board must retain it as a top priority and ensure all necessary steps are taken to maintain effective defences and a response plan should anything occur.
Board members also need to make it their business to stay at the forefront of what is a constantly evolving threat landscape. It’s one thing to know what has happened in the past, but it is even more important to understand emerging threats and the potential impact they could have on the organisation in the future.
By maintaining a focus on security fundamentals, the board can ensure an organisation is best placed to withstand IT security threats and maintain a focus on customer service and growth.
Peter Bailey is the general manager of Aura Information Security.