The Australian Cyber Security Strategy launched by the Federal Government last month sees many organisations, large and small, renewing their focus on cyber risk. Our guest blog this week, by Morgan Sloper, Co-Founder and Executive Director of InScope Consulting Group, looks at practical considerations (including people strategy and the use of assessments) for businesses seeking to mitigate their exposure.
Cyber risk has been increasingly topical in Australia and globally in recent years, due to the pervasive use of technology, in particular mobile technology, the proliferation of data and the increasing sophistication of threats. This is not going to change in the near future as our increasingly interconnected world makes it easier for cyber criminals to inflict more damage.
Organizations everywhere are being targeted and attacked by hackers who constantly adapt and innovate their methods. According to PwC’s Global State of Information Security Survey 2016, 38% more security incidents were detected in 2015 than in 2014. Cyber security incidents are also common and recurrent for Australian businesses. CERT Australia, one of the partner agencies to the Government’s Australian Cyber Security Centre (ACSC), responded to 11,733 incidents affecting businesses in 2015, 218 of which involved systems of national interest and critical infrastructure.
In this environment it is essential that organizations – including the Executives and their Boards of Directors – understand the nature of the threat, their particular vulnerabilities and the risks cybersecurity threats present to them, and, most importantly, what they can and should do to mitigate exposure within appropriate risk tolerance levels.
5 Important things to know
1. Cybersecurity threats are real and they affect businesses of all types and sizes
According to the ACSC 2015 Cyber Security Survey of major Australian businesses:
- 50% of respondents have experienced at least one cyber incident in the past year. Of concern, 8% of respondents were unsure if they had experienced a cyber incident!
- 92% of respondents that experienced an incident indicated that the threat of cyber security incidents had been identified in the organisation’s risk register. This is more than double the 2013 finding of 39%.
- There has been a significant surge in the number of ransomware incidents with four times the number of respondents reporting in 2015 (72%) as compared to 2013 (17%).
2. Cyber risk is a Board and Executive issue
Cyber risk is not just an IT issue. The impact of a cyber security incident can be enterprise wide and the financial impact can be significant. Cybersecurity therefore must be managed and governed centrally by the organisation’s Executive with oversight by its Board of Directors.
In 2015, the Australian Securities and Investments Commission published a useful Cyber Resilience Health Check Report which highlights the application of directors’ and officers’ duties in the context of cyber risk and notes that the oversight by the Board and senior management “should take into account your legal and compliance obligations and be proportionate to the cyber risks you face and the nature, scale and complexity of your business”.
A large and growing number of boards and executives are now aligned:
- PwC’s 18th Annual Global CEO Survey 2015 identified that in 2015 61% of CEOs were worried about cyber security compared with 48% a year ago and 78% see cyber security technologies as strategically important for their business.
- 45% of boards participate in overall security strategy according to PwC’s Global State of Information Security Survey 2016.
3. Cyber risk is not just about loss of sensitive data
It can affect organizations in multiple, diverse ways and can even cause physical harm. As well as stealing data and taking systems off-line, cyber attacks can trigger:
- Employment relations issues – employees are regularly cited as the primary source of compromise. According to the ACSC 2015 Cyber Security Survey the ‘trusted insider’ was the actor of most concern to respondents (60%) and PwC’s Global State of Information Security Survey 2016 confirmed that employees remain the most cited source of compromise.
- Legislative and regulatory obligations – including applicable Stock Exchange Listing Rules and ASIC requirements, as well as obligations under Privacy law.
- Breaches of customer agreements and SLAs.
- Board of Directors and Executive obligations – as noted above, Boards will be held accountable.
- Reputational damage – there is rapidly diminishing sympathy for organisations that are subject to cyber attacks, which are now more likely to be viewed as delinquent for their failure to take adequate precautions.
Cyber attacks can also cause real world damage and people can be physically hurt. For example, in the malware attack on Saudi oil company Aramco in 2012 the “Shamoon wiper virus” partially wiped or totally destroyed hard drives of 35,000 computers. In 2015 state-owned LOT Polish Airlines suffered a hacking assault on its ground systems which resulted in 10 national and international flights being cancelled and around 1,400 passengers being grounded. The implications of these incidents and the many others like them are far reaching.
4. Cloud based technology presents new risks and opportunities
Businesses are migrating applications and data to the cloud and, in particular, public cloud environments where substantial cost savings can be achieved. However, security still remains a concern. The Cloud Security Alliance has identified a “Treacherous 12” of the top cloud based security risks, which includes:
- The nature of shared technology inherently presents shared dangers. Public cloud service providers share infrastructure, platforms, and applications, and, if a vulnerability arises in any of these layers, it affects everyone.
- Cloud customers rely on software user interfaces (UIs) and application programming interfaces (APIs) to manage and interact with cloud services. The security and availability of general cloud services is dependent on the security of these basic UIs and APIs.
However, with this new environment and these new risks comes new opportunities, as many companies are now also employing cloud based cyber security services to help protect sensitive data and ensure privacy. This remains an area for further development and diligence.
5. Data driven cyber security allows for rapid identification and response
By incorporating big data analytics into their cybersecurity systems organizations are better placed to recognise and understand anomalous network activity, and more quickly identify and respond to cybersecurity incidents. Real opportunity lies here.
5 Important things to do
1. Make sure you at least cover the basics
There are things every organization can do to significantly reduce the risk of cyber intrusion. According to Heimdal Security, browser exploits, along with Adobe Flash exploits, are present in 99% of attacks carried out by hackers, because software that is not up to date is vulnerable. This shows that the affected organizations lack fundamental cyber security measures.
The Australian Signals Directorate has published its recommended Top 4 Mitigation Strategies to Protect Your ICT System, namely: application whitelisting (a technical measure that only allows specifically authorised applications to run on a system, which helps prevent malicious software and unauthorised applications running), patching applications, patching operating systems (and using the latest versions), and minimising administrative privileges.
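As an added illustration of the application whitelisting strategy described above (example code written for this post, not ASD’s or the author’s), here is a minimal allowlist decision function: it trusts a program by file hash or code-signing publisher first, and by launch directory only when that directory is not user-writable, which is why a renamed copy of an approved tool in a Downloads folder is still blocked. The allowlist entries, the publisher name and the sample launch events are all constructed.

```python
import hashlib
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecEvent:
    """A process-launch event as an allowlisting agent would see it (constructed)."""
    path: str        # location the binary was launched from
    content: bytes   # file bytes; a real agent would read and hash the file on disk
    publisher: str   # code-signing publisher name, or "" when unsigned

# Constructed policy: hash/publisher rules identify the program itself; the
# directory rule trusts only locations that ordinary users cannot write to.
ALLOWED_HASHES = {hashlib.sha256(b"approved-tool-v1").hexdigest()}
ALLOWED_PUBLISHERS = {"Example Corp Signing"}        # hypothetical publisher name
TRUSTED_DIRS = ("/usr/bin/", "/opt/corp/")          # writable by administrators only
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/")    # never trusted by path alone

def decide(event: ExecEvent) -> tuple[bool, str]:
    """Return (allowed, reason). Strongest evidence is checked first; default is deny."""
    digest = hashlib.sha256(event.content).hexdigest()
    if digest in ALLOWED_HASHES:
        return True, "hash on allowlist"
    if event.publisher and event.publisher in ALLOWED_PUBLISHERS:
        return True, "publisher on allowlist"
    # Normalise before any path rule so "/usr/bin/../../tmp/x" is judged as "/tmp/x".
    path = posixpath.normpath(event.path)
    if path.startswith(USER_WRITABLE):
        return False, "user-writable location"
    if path.startswith(TRUSTED_DIRS):
        return True, "trusted directory"
    return False, "not on allowlist"

def denied(events: list[ExecEvent]) -> list[tuple[str, str]]:
    """Return (path, reason) for every event the policy blocks, for analyst review."""
    out = []
    for e in events:
        allowed, reason = decide(e)
        if not allowed:
            out.append((e.path, reason))
    return out

# Constructed samples: approved tool, renamed copy, signed agent, traversal, unknown.
SAMPLE = [
    ExecEvent("/usr/bin/approved-tool", b"approved-tool-v1", ""),
    ExecEvent("/home/alice/Downloads/approved-tool", b"something-else", ""),
    ExecEvent("/opt/corp/agent", b"agent-bin", "Example Corp Signing"),
    ExecEvent("/usr/bin/../../tmp/tool", b"tool", ""),
    ExecEvent("/usr/local/bin/newtool", b"newtool", ""),
]
```

A production agent would hash the file on disk and verify the signature chain rather than trust a caller-supplied publisher string; the ordering and the default-deny outcome are the parts to keep.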
Scheduled security system audits and penetration testing by external technology experts are also highly recommended.
2. Adopt a risk based cyber resilience framework
Recognized standards and frameworks provide guidance that enables organizations to implement internal systems to help identify and prioritize threats and respond efficiently to mitigate vulnerabilities. By adopting a risk based approach an organization can determine whether they are taking the right combination of measures, and to the right level of effort and expense, in light of the nature of the threats they face and their own internal vulnerabilities, with regard to their prevailing risk appetite. Among the most commonly followed guidelines are the ISO 27K series standards, the US National Institute of Standards and Technology (NIST) Cyber Security Framework and the SANS Critical Controls.
Under a risk based approach, organizations should also prepare a cyber security policy (providing internal education and guidance on required and desirable internal behaviors, such as data usage and safeguards, roles and access privileges) and a cyber incident response plan (which guides the response to an incident with the intention of reducing the damage and recovery time), and they should train their staff.
Organizations should continually monitor performance and incidents against their stated risk tolerance and appetite levels.
3. Don’t ignore your people risks
There is a heavy emphasis in the prevailing standards and guidelines on technical security and controls, largely at the expense of clear discussion and guidance on treating people risks. In addition to the risk of deliberate malfeasance, according to the 2014 IBM Cyber Security Intelligence Index, over 95% of all incidents investigated involved human error.
There are a range of measures available to organizations to help reduce the likelihood and impact of employee related cyber risks, which can be adopted in varying combinations depending on the outcome of their cyber risk assessment and in light of the organization’s risk tolerance levels.
Those options include:
- Psychometric testing of employees, and detailed background and police checks for key or high risk roles
- Segregation of duties and higher levels of clearance for relevant roles
- Education, training and regular reminders on roles, expectations, policies and controls
- Regular review of controls on user access permissions and privileges
- Utilisation of one time passwords and physical security devices, in place of traditional passwords
- Third party provider security assessments
- Awareness programs, involving mock cyber attacks
4. Review and consider your insurance coverage
Cyber security technology will not stop all cyber attacks, so more companies are purchasing cyber security insurance to help reduce the financial impact of breaches when they occur. However, transfer of unmitigated or high risks via specific cyber insurance cover may be appropriate in some cases but not others. A risk based approach, as recommended above, will inform this analysis. Also, some forms of management liability policies include types and amounts of cyber coverage, for example against certain third party claims. Whether you need additional and specific cyber coverage is something you should consider further with your risk adviser.
5. Do proper diligence
Before implementing any new technology or moving any applications or infrastructure to the cloud, consider relevant cyber threats and internal vulnerabilities. Do proper due diligence on the service provider, and their operational and architectural structures, security standards, update processes and procedures, financial position and reputation. Also, look closely at the contractual terms, in particular the provider’s liability in the event of an incident, and ask to see details of their insurance coverage for cyber breaches.
Cyber risk is not just an IT issue – it is a Board, Executive and whole-of-enterprise issue – and it cannot be ignored. It takes time, involvement and investment to strengthen your company’s defenses against cyber security risks. The Executive and Board need to be involved and committed on an ongoing basis to develop lasting cyber resilience. A risk intelligent approach will better inform what levers to pull, and how hard, in terms of cost, technology, time and effort, and insurance, to optimize the return from an organization’s cyber resilience program.
About the Author
Morgan Sloper is a Co-Founder and Executive Director of InScope Consulting Group, a consulting solutions partner and trusted expert network for agile talent and targeted projects.