In recent years, cybersecurity experts and government intelligence agencies have repeatedly warned businesses about the increasingly sophisticated and malicious nature of cyberattacks, and about the equally sophisticated criminals behind them. Some operate on a global scale, are often state-sponsored, and have turned cybercrime into big business.
Despite this, breaches of unencrypted data, damage to critical IT systems, and successful ransomware attacks are on the rise. Why? Could it be as simple as apathy, or a ‘she’ll be right’ culture, including a failure to listen to the cybersecurity professionals within their own ranks?
Effectively managing cybersecurity, like all business risks, requires just three things: management acknowledgement, a clearly defined strategy, and suitable investment. The latter two can’t take place without the former. A lack of awareness and commitment indicates ‘cyberthreat denial’.
In Australia this year, the worst data breaches on record (Optus, Woolworths and MediBank) have gained global attention, despite Australia’s relatively small size. The real victims are not the companies that were breached, they are their customers. Between them, the three breaches impacted over 20 million people – more than half Australia’s population. In the Optus case, citizens were outraged that their confidential data had been breached. In the MediBank breach, announced a matter of weeks after the Optus incident, things started to get even more personal, with private medical treatment records exposed.
While the Optus breach is reported to be due to a “door left wide open”, and the MediBank breach was said to be due to the use of an authorised person’s “stolen” credentials, both companies have suffered significant reputational damage. MediBank, as a publicly listed company, was also reported to have lost up to $2.5 billion in shareholder value. So, there is a long list of victims, and that’s before the class action litigation gets underway.
Whatever the point of access or the method of attack, the question of ‘adequate defence’ has been raised time and again. A robust cybersecurity stance must combine prevention technologies (e.g. firewalls) that secure the network infrastructure with data protection (e.g. encryption) that keeps data confidential if a breach does occur. Note that plain encryption protects confidentiality only; to protect integrity as well, so that a tampered record is rejected rather than silently accepted, the data must be encrypted with an authenticated mode or otherwise integrity-checked.
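As an added example (not code from the original article or from any of the companies it names), here is the data-protection element above implemented with authenticated encryption from Go’s standard library. The key, the record IDs and the record contents are constructed for the demo; in a real deployment the key would come from a KMS or HSM and never sit beside the records. It shows that a copied-out record is unreadable without the key (confidentiality), that a single flipped bit is rejected (integrity), and that a ciphertext cannot be moved from one record to another (the record ID is bound in as associated data).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 256-bit key for this example only. In production the
// key lives in a KMS or HSM and is never stored alongside the records it protects.
var demoKey = sha256.Sum256([]byte("example-only-key-material-do-not-reuse"))

// sealRecord encrypts one record with AES-256-GCM (authenticated encryption).
// The record ID is passed as associated data, so a blob copied from one row to
// another fails to decrypt. Output layout: 12-byte nonce || ciphertext || 16-byte tag.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any modified bit in the blob, or a mismatched
// record ID, makes GCM's tag check fail and no plaintext is released.
func openRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// RoundTrip demonstrates confidentiality: the stored blob does not contain the
// plaintext, and only the key holder recovers it. Returns the recovered record.
func RoundTrip() ([]byte, error) {
	rec := []byte(`{"patient":"J. Citizen","treatment":"constructed sample"}`) // constructed
	blob, err := sealRecord(demoKey[:], "rec-1001", rec)
	if err != nil {
		return nil, err
	}
	if bytes.Contains(blob, []byte("Citizen")) {
		return nil, errors.New("plaintext leaked into stored blob")
	}
	return openRecord(demoKey[:], "rec-1001", blob)
}

// TamperDetected demonstrates integrity: flipping one ciphertext bit is caught.
func TamperDetected() bool {
	blob, err := sealRecord(demoKey[:], "rec-1001", []byte("balance=100"))
	if err != nil {
		return false
	}
	blob[12] ^= 0x01 // first ciphertext byte, right after the 12-byte nonce
	_, err = openRecord(demoKey[:], "rec-1001", blob)
	return err != nil
}

// ContextSwapDetected demonstrates that associated data binds a blob to its record.
func ContextSwapDetected() bool {
	blob, err := sealRecord(demoKey[:], "rec-1001", []byte("balance=100"))
	if err != nil {
		return false
	}
	_, err = openRecord(demoKey[:], "rec-2002", blob)
	return err != nil
}

func main() {
	pt, err := RoundTrip()
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	fmt.Println("tamper detected:", TamperDetected())
	fmt.Println("context swap detected:", ContextSwapDetected())
}
```

The point for a breach like those described above is the first check: if the exfiltrated store holds only these blobs and the key was held elsewhere, the attacker has nothing to publish. The other two checks are what distinguish authenticated encryption from bare encryption, which would decrypt a corrupted or swapped record to garbage without complaint.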
Post-breach investigations will focus heavily on what systems and policies were in place and how effectively they were implemented. They are unlikely to simply focus on what boxes were ticked by management (nor should they), because risk management (including cybersecurity) is about more than simply going through the motions or paying lip service to the regulators.
Speak to any cybersecurity professional and you will get a similar story. Best practice starts by adopting a security-first culture. This includes understanding the risks associated with human behaviour, systems access, data protection standards and an ever-expanding number of threat surfaces.
Through all this, one important factor that cannot be ignored is ‘fitness for purpose’. In many cases, businesses appear heavily invested (literally and figuratively) in solutions that are out of date. Understandably, organisations of all sizes are looking to realise as much return on their investment in legacy cybersecurity solutions as possible. But, when this leads to unnecessary risk, it is a false economy and ends up costing the breached organisation much more in the long run.
The add-on is a staple of information and communications technology infrastructure. Most add-ons are designed to increase convenience or functionality, but each one widens the attack surface and can weaken the overall security of the estate. A prime example is collaboration or productivity-enhancing solutions that can neither detect nor defend against today’s pernicious and persistent cyberattacks.
In a digitally enabled world, businesses of all types and sizes are seeking opportunities to enhance agility, efficiency, and usability, but these cannot come at the expense of security. Customers, shareholders, and executives continue to be exposed to unnecessary risks. Will we wake up to the reality of cyberthreats, or remain in denial?