Business Australia’s conversation with Shannon Sedgwick, Senior Managing Director at Ankura, on how to protect your business from cybersecurity threats.
Q: We are encouraged to broaden our business horizons and develop a global footprint if we want to remain competitive. However, with an international presence and an ever-evolving digital business landscape, will organisations be faced with cyber risks? And will cyber security threats apply no matter what part of the world they operate in?
A: The threat from cybercrime is pervasive throughout the world. Indeed, as businesses expand their global reach through more advanced technology and improved transactional relationships and communication, the risk from cyber threats grows. Statistically, less than 10% of cybercrime occurs in the same geographic location as its target. Cyber security is a rapidly evolving landscape for both industry and government, and no matter where you are conducting business in the world, cybercrime remains a significant issue.
Q: What types of cyber security threats are present now and what can we expect in the future?
A: I will limit this to three main cyber security threats businesses face presently. The first is socially engineered malware where the user is fooled into installing a malicious program sent from a source or website that they either trust or frequently use, which then compromises their data.
The second is insider threats where there is a threat to the organisation from employees, former employees, or third-party suppliers. They have access to company data, IP, and systems. Those who pose the threat can be either untrained and unknowingly make common mistakes with their cyber hygiene, or malicious in their intent by stealing or compromising sensitive data.
The third risk is outdated and unpatched software. The software used by an organisation has not been upgraded with the most up-to-date security patches, therefore creating vulnerabilities in their network. Up-to-date cyber security protection and strong risk management are key to avoiding this threat.
Q: What can we expect from future information security and emerging cyber threats?
A: One of the main threats we will face in the future will stem from the rapidly increasing use of IoT devices* in the workplace and the lack of security architecture in place from the start of the product’s manufacturing roadmap. The addition of IoT within the business can aid in the optimisation of processes; however, if it is not secured to the same standard as the rest of the network, cybercriminals can use it as a ‘stepping stone’ to scan for vulnerabilities in more critical systems in the network.
There has also been an exponential increase in the use of business email compromise, where a malicious person sends a team member an email appearing to be sent from senior management requesting or authorising a transfer of funds or sensitive information to a ‘vendor’.
*The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these objects to connect and exchange data.
Q: Does it matter how big or small the business, what industry or sector it is in, or whether the internet only plays a small role in their operations?
A: Certain industries such as banking and the financial sector are frequently targeted, which requires them to have high-security standards. Cybercriminals will often target easier prey such as SMEs who are often aware of their vulnerabilities and unprepared for the threat. Less than 25% of Australian SMEs have a dedicated IT security staff member or provider, and despite facing as many threats as the larger end of town, do not have the resources or training to address and mitigate the risks adequately.
The damage caused by a breach to an SME cannot be understated, with 80% of SMEs that suffer a breach going bankrupt within 12 months.
Q: What cyber security and computer security practices should businesses implement to help protect their data, assets, and network?
A: Cyber security policies, procedures, and frameworks should be implemented throughout the organisation’s structure. From cyber hygiene and employee training to implementing a breach response plan and delegating roles and responsibilities, cyber security should be a top priority. When a company conducts a business impact analysis as part of its business continuity planning, it’s critical that they identify the most significant cyber risks and triage the treatment and mitigation of these risks.
Q: What is intelligence sharing and how important is it?
A: Intelligence sharing is the communication between companies, industry, and government that enhances a greater overall security posture for all concerned parties.
Sharing of intelligence can benefit an organisation by informing them of new threats and practical strategies. However, it can be difficult to convince organisations of the benefits of security intelligence sharing due to the reputational and financial consequences of admitting a breach or vulnerability. Collaborative efforts against cybercrime should be encouraged, including between competitors, and the sharing of valuable insights that can protect their shared industries.
Q: Do businesses require a cyber insurance policy?
A: Cyber security insurance is an essential aspect of an overall risk management strategy. The insurance should cover liability, costs of cyber investigations, public relations, legal, compensation and regulatory fines.
However, cyber security insurance does not have 100% coverage. It is difficult to quantify the complete financial loss incurred by an organisation when their customers and the public become aware of the breach. Loss of trust in products and services can cause immeasurable damage to a company’s bottom line for extended periods of time. Insurance providers can aid in encouraging the adoption of cyber security policies and procedures by lowering premiums when an organisation meets specific standards in their cyber security.
Q: Is there an international policy or technology underway to protect businesses from cyber threats?
A: There has been a recent push by government and industry to develop policies and regulatory standards that ensure a baseline of security across the Australian business landscape.
The introduction of the mandatory data breach notification laws in February 2018 is one such policy, which provides the accurate and timely reporting of breaches to those who could be harmed by the data breach.
With the formation of the Australian Cyber Security Centre (ACSC) and the Australian Cyber Security Institute (ACSRI), the Australian government is placing greater emphasis on nationwide resilience against cyber threats by promoting innovation and enhancing cooperation between private industry and government.
Six pieces of gold to protect your business against the risk of cyber security threats
1. Train and educate employees.
2. Create and adhere to a company-wide cyber security policy.
3. Update and patch software regularly.
4. Establish access control measures for employees and vendors.
5. Create an incident response plan.
6. Use strong passwords and multi-factor authentication.