The cyber threat environment – is it likely to affect my organisation?
(Sponsored article) Even before the Australian government announced that a series of major cyber-attacks by state-based actors had been launched against Australian governments and organisations the technology press had been warning that COVID-19 and the disruption to normal processes created by working from home was a bonus for cyber criminals giving them more and more opportunities to exploit uncertainty and networking arrangements.
A recent McKinsey & Company article on emerging themes for boards and executive teams recognised the growing threat of cybersecurity.
Fundamentally, the disruption to the normal way of working has created opportunities for cyber criminals, and even for more human error as individuals grapple with new systems and new technologies. Some of us had used Zoom before 2020 but many had not and happily jumped on the “free” videoconferencing bandwagon, with little regard to privacy and confidentiality issues.
These issues have been widely reported in the press so there is no need to repeat them here.
The fact that the government announced in the last week of June that $1.35 billion in existing defence funding would be spent over the next decade to boost the cybersecurity capabilities of the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) underscores the importance. The ACSC then relaunched its website to be more user friendly for both individuals and businesses.
The Australian Communications and Media Authority (ACMA) has also just issued a series of resources to help combat home and mobile phone scams, with the Chair of ACMA’s Scam Taskforce noting that “scammers are using the COVID-19 pandemic to take advantage of Australians.”
What questions should I ask?
First, the basic governance hygiene issues of structures around use of systems and the tolerance (or not) for workarounds are key. Data from both the OAIC and overseas regulators such as the UK ICO over recent years consistently show that data loss and personal information breaches have human error, including “workarounds” as a significant cause. This means investing in remote working systems that actually work followed by training so users remain on the mandated platforms and do not engage in workarounds is key. More about training below.
The most recent report from the OAIC showing data breaches was recently released and can be found here.
Isn’t cyber security IT’s job?
You may think that your Chief Information Officer, Chief Information Security Officer or Chief Technologist is across all of the threats and is managing them. However, given that we are all only as strong as our weakest link, and the weakest link has been shown to be human error, the embedding into your environment of training and a culture of security is key.
It is necessary that executives outside of IT understand the importance of various cyber security practices so that they reinforce them. It is also important that training extends to front line staff who understand that processes that may seem otherwise annoying and time consuming to them, are for the benefit of the organisation.
Training does not have to be boring and Airbus industries has in fact developed five award winning training videos for its staff on cyber security which show that it can be done in an engaging and informative way.
Cyber security training also requires regular updates so people do not become complacent.
- Could a cyber-attack happen to us?
- How can we protect ourselves against either this happening or mitigating any adverse consequences if it did?
Of course a cyber-attack could occur. So what can you do to protect yourself?
- Ensure annual attention to corporate governance structures, business continuity plans, desktop simulations of cyber-attacks and other exercises that help prepare organisations.
- Map now, and track regularly your organisations maturity against the Essential Eight Maturity Model-Strategies to Mitigate Cyber Security Incidents, available here.
Holding Redlich is a national corporate and commercial law firm that acts for clients of all sizes including many of Australia’s largest public and private companies and all levels of government. The firm has a national Data & Privacy practice group.