Diversity and Success in Cybersecurity

On April 4th I had the pleasure of speaking at an event hosted by Preacta Recruitment and Charlotte Osborne. The topic of the event was ‘Challenging the Status Quo in Cybersecurity’ and I spoke alongside the talented and loquacious Karissa Breen and Tulin Sevgin. This blog post outlines my speaking notes in full for those that are interested.

Gender Quotas

Now, I am going to say something potentially controversial. Staff gender quotas do not work in the long term.

Everyone would agree that the aim of a team or business is to be high-performing and successful. There is no business case for gender quotas. While research shows that a diverse team does increase performance, there is no data to suggest that gender quotas equate to a high-performing team. I recommend you google “golden skirts” and the study of gender quotas in Norway. https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=248065

A Danish study examined 2,500 firms over eight years, finding that hiring women did indeed improve firms’ performance. Yet the conclusion was still that “the positive effects of women in management depends on the qualifications of female managers.” If quotas force hiring women, and as a result, the wrong women are chosen, there is a reason to be concerned that quotas will give the push for gender parity a bad reputation.

Instead, an organisation should have a gender quota for the pool of candidates! Then from that gender-balanced pool of candidates, you choose the best person for the role and your team. Nobody wants to be selected for a position based on their gender, cultural heritage, sexual orientation, or otherwise. People want to be chosen because they deserve it and they are the best person for the role.

Building a successful, diverse, and balanced team is not about pursuing gender quotas. It is about focussing on developing a supportive, high-performing, flexible, revenue-generating, kickass environment that people want to be a part of; where there is a culture built on the trust and respect that your colleague next to you in the trenches is there because they are the best person for the role. To choose someone based on their gender does disrespect to that person, whether they are the best person for the role or not.

A Golden Ticket

The cybersecurity industry is still a nascent and rapidly growing industry. Rapid innovation and extremely high uptake of cybersecurity services mean that opportunities are proliferating at a breakneck pace. Ladies and gentlemen, this is your golden ticket. If you can establish yourself and your brand strongly within the market, you will rise rapidly. Whether building a start-up or climbing the ranks in the corporate world, the same principles apply.

In a world full of fish, be a shark.

I recently had a conversation with a good friend of mine, whom I respect deeply, and she said: “I am going to wait until I have established my credibility and gradually try and become a bigger fish in the market.”

I told her what I am going to tell you now….. Why wait? (repeat).

Don’t do what everyone else is trying to do and expect a different result. Be an outlier! Don’t ‘fit in’ and don’t be swayed by the consensus and the politically correct. You cannot differentiate yourself if you try to do the same thing as everyone else, even if you can do it better. There are no rules! Forget being a bigger fish, be a fucking shark. You are the subject matter expert in your chosen field. You are an industry leader. It is the same principle as “dress for the job you want, not the one you have”. You need to act like the job you want. Demand credibility! Of course, you will have to back it up and earn that credibility every day, but start now! This leads me to my next point….

No one ever built a statue of a critic.

There will be people during your journey who will attempt to rain on your parade. There will be haters. There is no avoiding them or the tall poppy syndrome they cultivate.

Let me tell you something: what they think about you is none of your business.

In my experience, the only people saying negative things are those who have the time, and those who are too cowardly to put their neck on the line and hustle hard every waking minute of every day.

Truly successful people build each other up and are motivated by others’ success. They help and advise and guide the next generation of ‘hustlers’. They simply don’t have time to gossip and ‘hate’ on others’ success.

“I’m a great believer in luck, and I find the harder I work the more I have of it.” – Thomas Jefferson

There is a common factor that ties everything I have said together. That common factor is hard work. Back-breaking, gritty-eyed, carpal tunnel-having hard work. There will always be someone smarter, better looking, or more talented than you. That is out of your control. But how hard you work IS within your control.

How many cyber or business-related books are you reading each week? What articles, podcasts, videos, TV shows are you ingesting to develop yourself? The only way to succeed far beyond the ‘consensus’ is to work harder than every person in the room. If you are curious and passionate about your chosen field, and you devote every spare moment of your time to your passion, there is no ceiling to your success. “Today I will do what others won’t, so tomorrow I can accomplish what others can’t.”

Now, let me add an “asterisk” to this. You need to rest. You need your “zen” time. For each person it is different. For me, it is exercise and reading heroic fantasy novels (cough. Nerd. cough). For you, it might be yoga or walking the dog or watching Game of Thrones. But if you love your chosen profession, then your work and your life will intertwine and you will love every minute of it.

One last point. Kindness is free. Help each other. Find a mentor, or mentor someone. Network and help people without any thought of reciprocation. You will find opportunities and happiness that you did not think possible. The law of reciprocity is ever-present. You only get back what you give.

Shannon Sedgwick

ssedgwick.com

Cyber Security Trends Opined

It is no secret that cyber is, and will continue to be the hot topic in 2019, with global cyber security spending expected to reach USD 124 billion (Gartner). We have all heard the spiel of “technology is evolving, and security must evolve with it” and “as technology innovation increases so does the cyber security risk”. I am not going to bore you to death by repeating what we all have heard a thousand times. Don’t even get me started on the incessant sharing of the same news story when a breach occurs…..


But I digress! In this short piece, I lay out my opinion (rant) of the current market trends and nuances I have seen in Australia across both government and private industry.

“Vendor agnostic” does not always mean vendor agnostic.
– This is particularly true in Federal government. CIO/CISOs/whoever (the buyer) will identify a requirement/gap and assess potential solutions that will fit in with their overall business and its architecture. Often, before an RFQ is even issued, the buyer will already have a solution or provider in mind. Of course, probity and abiding by the government’s strict procurement regulations prevent them from going direct in most cases. If an RFQ seems like it has been written with a specific vendor in mind (some are even written by the preferred vendor, although no one will admit to that), then it probably is. It is a useful skill to be able to spot these types of RFQs, and if you cannot provide that particular brand or solution, then it might be best to pass on that opportunity.


Organisations want a silver bullet, or as close to it as possible
– CIO/CISO/buyers are not overly interested in what “value-adding” vendors can provide or their capabilities. They don’t want your “spray and pray” spam emails and cold calls. That’s rookie s@$t man! They want to know if a vendor can identify and solve more than one of their problems at once. Procurement preference has shifted from deeply specialised providers to a vendor that can provide a platform that performs a wide range of functions adequately. A “one-stop-shop” if you will. The focus is largely now on the following:
o Does the solution solve multiple problems?
o Will the solution integrate with the current architecture and is it easy for staff to manage?
o Can it be automated?
Consider the above before you start marketing your solution and pitching to the CIO/CISO/whoever.


IoT is not going away. Ever.
– IoT devices are proliferating like, well, rabbits… I and many others like @Lani Refiti have spoken about this issue many times. There is no sign of slowing down, and the lack of enforceable standards means security is not baked into the product lifecycle from the beginning. They are notoriously difficult, if not impossible, to update/patch, and to respond effectively to the threats posed by IoT, an iterative and adaptive approach is needed. Organisations are gradually becoming more aware of the risk and have taken a more considered approach to their use of IoT devices. Considerations like “do we really need a connected fridge that informs us when we are out of milk?” or “is it possible that my toaster is a Decepticon?” (The answer is “Yes” by the way).


There will be some (see “many”) that still have not implemented basic security standards
– There are security standards which should be common across all organisations by now. If your organisation (particularly mid- to large-sized organisations) has not implemented the following, you should give yourself a swift uppercut (figuratively… or literally. Up to you.) This is obviously a non-exhaustive list. I just picked a few.
o Cyber awareness training for all staff and contractors. The majority of breaches are caused by human error so this one is a “no-brainer”. There is great training available for as little as $50/person. It will be cheaper than a breach. I promise.
o Cyber security as an ongoing topic of discussion at board/leadership meetings. A top-down focus on cyber will flow through the rest of the organisation.
o Backups. PLEASE, PLEASE back up your organisation’s data. Daily preferably. It is fairly straightforward and cost-effective to set up. Should the worst happen, then you won’t lose everything.
o Encrypt your data, including data at rest. This goes a long way to preventing unauthorised users from being able to view your data, even if they are able to get their mitts on it.
o Multi-factor authentication. Enable it on all applications. On every device. Even your Tinder account has MFA, for all you single people.

Final thoughts (see “disclaimer”)
– This piece is just my weekend thoughts on paper and does not reflect the beliefs of my employer etc. etc. Take it with a grain of salt and some humour. I welcome constructive feedback and opinions on any or all of the topics I have discussed.

For more of my thoughts/ramblings, visit ssedgwick.com


Legislation and Cyber Security

Data privacy and cyber security legislation have been a hot topic in Australia of late, with the implementation of the European GDPR, the Notifiable Data Breach Scheme under the Privacy Act 1988, and more recently, the Australian Government’s proposed Assistance and Access Bill (2018). The Assistance and Access Bill, in particular, is causing concern amongst the wider Australian public, privacy watchdogs, technology giants, and telecommunications providers about the level of government access to encrypted information. Aided by an international media “frenzy”, there is an increasing fear of over-regulation and unintended consequences for the privacy of individuals or organisations.

In our dealings with the public sector, it’s clear that there is a lack of legislation and regulation in Australia that is industry specific. Many within the Australian industry view cyber security as something they have to “put up with”, which means that it may not be allocated sufficient budget or regarded as the business enabler that it is. One of the most effective ways to encourage compliance with recognised standards (NIST, ISO27001, ISM, Essential 8 etc.) is to mandate it with legislation. Legislated compliance provides confidence to end-users and business stakeholders. (Greenwald, 2015)

Consider healthcare as an example. The industry is notoriously immature in cyber security, with more breaches suffered than any other sector (OAIC 2018). Statistically, over 50% of its data breaches occur due to human error (Verizon 2018), which speaks to a lack of training and enforced standards. By comparison, the US has healthcare-specific legislation in the form of the Health Insurance Portability and Accountability Act (HIPAA) that provides data privacy and security provisions for safeguarding medical information. Almost 1 million people have elected to opt out of the Australian Digital Health Agency’s My Health Record due to a perceived lack of appropriate security measures (ABC News, 2018). Australia’s adoption of an approach similar to the US’ HIPAA would go a long way towards improving the cyber maturity of Australian healthcare and the trust of the Australian public.

Another issue with the lack of industry-specific regulation and legislation is that organisations are not aware of their data privacy obligations. If an organisation suffers a data breach, non-compliance with their legal and regulatory obligations could equal large fines, greater financial loss, and potential loss of trust with their customers/stakeholders. For organisations and industries to thrive and grow they need to be digitally enabled and digitally driven to keep pace with competitors, both domestic and international. Organisations using cutting-edge technologies can create new products and services, and create better end-user experiences.

To innovate rapidly, cyber security must be prioritised and viewed as a business enabler rather than an expensive anchor. Legislation that has been drafted in cooperation with industry stakeholders will aid cybersecurity maturity and compliance in digital transformation and increase the resilience and performance of Australia on the world stage.

Do you think legislatively mandated compliance with cyber security standards is a good idea? Please feel free to comment your thoughts on this issue below. You can read more of my writing or discuss speaking requests at ssedgwick.com

When computer hackers turn out to be the good guys – UNSW Business Think

I contributed to this article for the University of NSW (UNSW) Business Think Journal https://www.businessthink.unsw.edu.au/Pages/When-computer-hackers-turn-out-to-be-the-good-guys.aspx

The popular image of a computer hacker is a hoodie-wearing night owl, a ‘black hat’ who remotely breaks into an organisation’s systems, intent on mischief, financial gain, or political exposure.

But while wearing a hoodie and operating at night may still be de rigueur, recent years have seen the emergence of a new breed – ‘white hat’ hackers, who do what they do legally and with an organisation’s blessing, with some getting paid as much as $350,000 a year to do so.

Mortada Al-Banna, a doctoral researcher in the school of computer science and engineering at UNSW, and his academic colleagues have investigated this phenomenon of crowdsourced vulnerability discovery, interviewing 36 key informants from various organisations about the challenges and benefits of inviting outsiders to test their computer systems in this way.

“I’m interested in how externally generated events affect the security posture of an organisation, and crowdsourcing security is one of these,” Al-Banna says.

While the first award of a ‘bug bounty’ (a payment for finding and reporting a bug) was by web browser company Netscape as far back as 1995, the wider industry remained sceptical.

But in 2017, this attitude was transformed in remarkable fashion when the US Department of Defense announced via website Hackerone that they wanted people to “hack the Pentagon”.

“This has motivated a lot of companies to get involved,” says Al-Banna. “The Department of Defense started small and then expanded, and the US government is currently considering expanding the program throughout all areas of their operation.”

‘Humans are actually better at this. They are more creative and look for the unexpected’

Test your system
Al-Banna’s research has revealed a number of challenges and reservations that organisations have about crowdsourced vulnerability discovery, including the lack of managerial expertise to run a successful bug bounty program, the possibility of low-quality submissions and cost escalations, and a general distrust of ‘white hat’ hackers.

“If companies want to run a bug bounty, but want to minimise the problems, there are techniques to help them do this,” says Al-Banna.

But while it’s possible to automate, say, the examining of reports from bug hunters to exclude duplication or out-of-scope issues, actually automating the process of looking for bugs is more difficult.

“The current automated tools for looking for vulnerabilities are actually more ‘noisy’ than the crowd,” says Al-Banna.

“Humans are actually better at this. They are more creative, and look for the unexpected.”

So how can organisations make use of this research? Al-Banna’s advice is that businesses need to do their homework first.

“Don’t just jump straight into a bug bounty. You need to test your system yourself with [network] availability tools – bug hunters will use these themselves – before leveraging the crowd for problems that require more creative input.

“In the first instance, limit the scope and only invite in a small number of bug hunters. But if organisations keep it this way forever, they will not reap the benefit of crowdsourcing,” says Al-Banna.

Adrenaline rush
Despite being only 22 years of age, Shubham Shah is a veteran of the world of crowdsourced vulnerability discovery. His childhood interest in computer gaming and ‘game hacking’ (modifying games) soon escalated into the world of computer security. By the age of 13, he was hacking web applications.

Shah’s skills led him to work for professional services multinational EY, and then as a consultant for Bishop Fox, doing work for Fortune 500 companies. But he soon found he could make more money pursuing bug bounties, which he has done exclusively for the past year.

‘They can often show you where you are most vulnerable more effectively than your security team could identify’

“My first bug bounty was from PayPal. It took me eight hours to get into an internal network that they owned, and they paid me US$1500. If you’re good at it, the financial incentive is very high,” Shah says.

“When you find a big vulnerability in a big company, there’s an adrenaline rush. You feel you’ve achieved something big – like running a marathon. But you could spend many hours finding nothing, and there’s no model for predicting what money you’ll make.”

Shah envisages a wider move towards a crowdsourced economy, and not just in computer security – he cites the example of design consultancy 99 Designs, which has been operating a similar model in its industry.

“Traditional consulting, where companies charge even if they ultimately do nothing, involves a waste of resources,” he says. “It’s not based on results.”

During the next five to 10 years, Shah believes that low-level bug hunting will become automated – which will focus the attention of the crowd on being more creative, and searching for more serious vulnerabilities.

“We’re currently paying the crowd to do what is in effect manual labour. We’re encouraging ‘noise’, and it’s a significant effort for a company to run a bounty,” Shah says.

“The only way to reduce the noise is to automate what can be automated.”

Establishing parameters
Shannon Sedgwick, a senior manager for cyber risk at Deloitte Canberra, has experience of employing ‘white hat’ hackers and observing the benefits they can bring to an organisation.

“In my experience, the industry is quite open about engaging with ‘white hats’,” he says. “Google paid out US$3 million in bounties in 2017, and some individual bounties can be as much as $100,000.”

Sedgwick believes that, even with the large budgets available to companies such as Google or Apple, ‘white hat’ hackers can be more efficient and cost-effective than companies performing the same tasks with internal staff.

“They can often show you where you are most vulnerable more effectively than your security team could identify. A plan is only effective if you’ve tested that plan, and this is especially true for security systems.”

Another advantage for companies is that ‘white hat’ penetration testing typically occurs outside of business hours, thus minimising potential disruptions to their business operations.

If a company is considering offering bounties for the first time, Sedgwick suggests trialling the process internally first and then, when approaching the market, establishing strict NDAs [non-disclosure agreements] and parameters of what is under review and cannot be exploited.

“Don’t release all of your applications and systems for testing at once, and engage an experienced specialist security company to oversee the process,” he says.

For Sedgwick, one of the challenges for companies engaging with ‘white hat’ hackers is the risk that some can edge towards becoming ‘grey hats’, who identify vulnerabilities but don’t report them, going on to exploit the vulnerabilities for financial gain or selling them to interested parties on the dark web.

“If ‘white hats’ feel they’ve been treated poorly by a company – for example, being underpaid, or not appreciated – then they can cause problems.”

But importantly for Sedgwick, the boards of organisations have to understand that information security is a business risk, not just a technology risk.

“They need to identify their critical data and assets, and direct appropriate resources to those as a priority,” he says.

“You need to consider the big picture. You can patch vulnerabilities all day, but if a company’s governance and security strategy are not effective, then patching vulnerabilities is not going to do the trick.”

Australian Government – The State of Cyber

“Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests.” (MP, n.d.)

Amongst the never-ending acronyms of Canberra’s public service are the government agencies and departments that guide the direction and implementation of the Australian Government’s cyber security strategy. These include the Australian Signals Directorate (ASD) and its subsidiary the Australian Cyber Security Centre (ACSC), the Attorney General’s Office, the Department of the Prime Minister and Cabinet (PM&C), the Department of Home Affairs, CERT Australia, and the Department of Defence (DoD). The collective aim of these agencies and departments is to improve the resilience and cyber security posture of the Australian Government, private industry, and its citizens. They are the first line of defence for Australia in the protection against cyber criminals, espionage, and insider threats. There are unique challenges faced by these organisations, and I will shed some light on these challenges and the progress of our government’s cyber security strategy since its introduction in 2016 (The Department of Prime Minister and Cabinet, 2016).

The 2016 Australian Cyber Security Strategy addressed five key goals:

1 – Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership,
2 – Australia’s networks and systems are hard to compromise and resilient to cyber attacks,
3 – Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence,
4 – Australian businesses grow and prosper through cyber security innovation, and
5 – Australians have the cyber security skills and knowledge to thrive in the digital age.

These five goals are laudable fundamentals to strive for. One of the main issues in achieving these goals is that the Cyber Security Strategy did not address exactly how it was going to implement these plans or quantitatively measure its progress. The Strategy breaks down the five goals into 33 separate action points, which may prove unwieldy. A better approach would be to identify the essential action points and prioritise them according to the severity of risk they pose to the overall five goals.

Australian National Audit Office (ANAO) audit reports of various federal agencies make it clear that the government has more work to do in the implementation of its Strategy Action Plan. The ANAO found that the majority of the agencies it audited did not meet the mandatory standards set by the ASD in April 2013, the Top 4 Mitigation Strategies. The Top 4 are a subset of the ASD Essential Eight, which will soon replace the Top 4 as the minimum standard that Australian Government agencies must meet. The Essential Eight are:

  1. Application whitelisting
  2. Restrict administrative privileges
  3. Patch applications
  4. Patch operating systems
  5. Disable untrusted Microsoft Office macros
  6. Multi-factor authentication
  7. User application hardening
  8. Daily backup of important data

The only agency in the ANAO’s purview considered “Top 4 compliant” and “resilient” was the Department of Human Services (DHS). The Australian Taxation Office (ATO) has since achieved Top 4 compliance too.

Whether compliance with the ASD’s Top 4 or any other government regulation signifies an organisation is cyber-resilient is arguable. When too great a focus is on compliance, it can create a “tick the box” culture instead of addressing the principal risks and threats to an organisation’s assets. The ANAO hit the nail on its proverbial head in their recent Performance Audit Report describing what makes an organisation “cyber-resilient”: “cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.” (Australian National Audit Office, 2018)

One could be forgiven for not fully understanding which government advice to follow. There is a plethora of different advice and regulations to which industry and government alike can subscribe and align themselves: ASD Top 4, ASD Essential 8, ASD Top 35, Australian Information Security Manual (ISM), Australian Defence Security Manual (DSM), ISO27001, National Institute of Standards and Technology (NIST) Cyber Security Framework, PCI-DSS, Notifiable Data Breach (NDB) Scheme, and the list goes on. Therein lies another problem. An overabundance of security advice can lead to confusion and cause organisations to either do nothing, over-compensate, or attempt to comply with an ineffective mix of national and international standards.

A lack of budget allocation may also be to blame for the slow progress in increasing cyber security maturity, with $230 million earmarked for Australia’s Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has allotted A$800 million to its cyber security efforts. When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient.

It is certainly not all bad news though. The government has opened four Joint Cyber Security Centres (JCSC) throughout Australia, which allow the sharing of threat intelligence and collaboration between government, academia, and industry. An additional $30 million in funding has been granted to an industry-led Australian Cyber Security Growth Network that “brings together businesses and researchers to provide a foundation for the development of next-generation products and services required to live and work securely in our increasingly connected world.” (Aust Cyber, 2018)

The Department of Home Affairs has developed initiatives such as the Cyber Security Challenge, which promotes the cyber security industry to graduates, with a particular focus on women in cyber. The reform of the Protective Security Policy Framework (to be released October 1st 2018) to a “principles-based” approach is a welcome change from the previous unwieldy and overly prescriptive version. The revision seeks to simplify the framework by separating guidance material from mandatory requirements. Alastair MacGibbon, the National Cyber Security Adviser & Head of the Australian Cyber Security Centre, has also dramatically increased the ACSC’s staff numbers in a relatively short amount of time. This increase in resources will help further develop collaboration between industry and government and improve Australia’s cyber resilience and standing on the global cyber stage.

Advanced information and communication technologies (ICT) are necessary for the success of the industry, consumer, and government activities and ICT security should be of the highest priority. Australia is taking steps to address the threats from advancing technology. However, we are lagging behind the pace of other Western countries. (Austin, 2016)

A robust and effective cyber security strategy is critical to the protection of Australia and its citizens and to a profitable technology-led industry. Effective strategy implementation across government, a cyber-aware and resilient culture, continued collaborative engagement between government and industry, a unified and simplified approach to regulations and standards, and adequate funding are required for Australia to thrive in the digital age and successfully respond to cyber incidents, deter cyber attacks, and protect against threats from both cyber criminals and foreign interference.

As published in Australian Security Magazine Aug/Sep Edition https://issuu.com/apsm/docs/emag_asm_aug_sep_2018/12


Cyber Security in Banking

With the recent coverage of the Australian Prudential Regulation Authority’s (APRA) release of its first prudential standard on cybersecurity for financial services firms, security in banking has been a much-discussed topic. Cybersecurity is a prevalent issue in the minds of senior managers, CROs, and CISOs across all industries. Arguably, none are more concerned about this issue than the banking sector. But what should banks be focused on regarding meeting regulatory standards and their overall resilience against cybercrime?

Banks are increasingly looking to improve the customer experience through innovation and digitalisation. Online banking, card-less withdrawals, wearable transactions, mobile credit card readers, connected ATMs, and banking apps are all examples of innovative technologies designed to improve operability and gather more data on their customers. However, this pursuit of digitalisation also increases the risk to customer data and security.

The data collected by the banks assist them in assessing their customers’ needs and provide insights that allow more customised products and services. The banking system is built on maintaining the trust of its customers by keeping their data confidential and secure. Trust is not to be underestimated; it gives a competitive edge and will assist in gaining and retaining customers.

Banks need to develop a holistic approach to cybersecurity to establish and maintain this trust. Robust security frameworks, policies, and procedures should be implemented to enhance cyber resilience. These frameworks, systems, policies, and procedures need to be continually monitored and updated to allow for rapid response times and faster recovery. To develop an effective cybersecurity strategy there need to be strict policies and guidelines in place to guide organisational culture and behaviour. There also need to be predetermined plans and procedures, with allocated responsibilities, in the event of a cyber breach.

Senior management is responsible for cyber risk management and ensuring that cybersecurity is treated as a business and strategic risk, not just an IT risk. Investing in staff cyber-awareness training, improved security software, intelligence gathering and sharing with government and industry peers, enhanced encryption, efficient use of reporting and metrics, robust frameworks and policies, and a risk-aware culture will lead to greater customer trust, increased profits, and a more stable industry for the future.