The recent scourge of worldwide cyber attacks like WannaCry and Petya has increased the demand for urgent action, education and preparation against these inevitable threats. Throughout June and July, the AICD partnered with Optus on a series of events to answer burning questions and bring expert insights on cybersecurity to Australian directors and business leaders.
AICD: What does the cybersecurity landscape look like in Australia?
Stuart Mort (SM): The cybersecurity landscape in Australia is very interesting at the moment. We are seeing lots of strong government drivers coming out, the Cyber Security Strategy coming out; trying to execute that across the complex cyber landscape in Australia. We have got industries talking more and more to each other. We are seeing more conferences, more sharing of ideas around security. Australia also has a very active startup and entrepreneurial concept of security. Great companies like Ditno for example are coming out and bringing new security technology into the marketplace.
In addition, there are very strong drivers for cyber education, [focusing on] bringing up the next generation of cyber professionals into the marketplace, and companies have become very active in that. We’re also looking at bringing people across from other industries into cyber; to bring their risk knowledge, their legal knowledge, to help us protect Australia’s infrastructure.
In saying that we still need to be aware of what is happening in other countries. Other countries might be leading the way, but we need to learn from their successes and their mistakes and apply that more effectively within Australia.
AICD: What types of cyber attacks are most common and what effects do they have on businesses?
SM: We see at the moment a large increase in ransomware attacks, [meaning] the targeting of information, not taking information away, but encrypting information so it is not accessible. And then criminals demanding payment to release information to make it free again. We are seeing a lot of that, however there is a common theme through many attacks and that is the human element. You can always attack the weakest link, what I like to call the carbon unit between the chair and the keyboard. [The individual] is something you can attack. That has been prevailing for years and is not changing. So if you’re going to attack a company, attack the individual. Get them to do something on your behalf, provide you with information, or click on that link within the email which leaves the environment to be compromised.
AICD: How much does the average ransomware attack cost a business?
SM: The obvious answer is that if you pay the ransom you have a clear financial statement that shows what that cost is. For organisations that don’t pay the ransom, it becomes a much more difficult equation to work out because you’ve not only got the expenses around the people involved in dealing with the incident – the time they have spent – you also need to consider things like brand value, share price. How do you measure the reputation lost if you have been subject to a successful cyberattack? How many customers have you lost?
It’s always difficult within our industry to put true dollar values on the cost or price of information and its value to the organisation. But if you have a good cybersecurity practice you can limit all those costs.
AICD: How can directors best engage with their organisations on cyber issues?
SM: There’s always been an issue with company directors being aware of the cyber problem or having cyber awareness themselves. [Directors] need to reach out to their teams and get education from the people controlling security and what security means to the organisation.
But it has to work both ways. You have to have the business leaders articulating the business direction to the security team and the security teams then articulating back to the board how they can protect the business as they move forward. [This may mean] adopting disruptive technologies and moving into an acquisition space. This needs to be articulated in a way that the board understands. I would engage with the security officers within the organisation and start asking them questions like, where do my critical assets lie, for example.
Perhaps the board members could drive the conversation from a position of what is the worst-case scenario that would kill my share price, or end my business, or damage my business strategy. Hopefully the security team can start articulating that to them in a manner that they understand about why cyber protection is important and from that they then understand what the cyber threat actually is and how vulnerable they are.
AICD: What are the red flags that indicate an organisation isn’t prepared for a cyber attack?
SM: The three red flags of an organisation not being prepared to deal with cyber are: the first time the board discusses it is after they have read something in the newspaper, where perhaps their competitor has been hit, or something in their industry is happening.
The second red flag is that security teams aren’t talking across the organisation and they are operating too much in a silo, where they are not speaking to procurement, they are not speaking to legal from a privacy perspective, or marketing and sales teams to see what is happening across the organisation.
The third marker is that they do not have a tried and tested incident response plan. We say that you’re either breached or you don’t know you’re breached. So, having all that preparedness in place to deal with an incident is key because that is what protects an organisation.
AICD: How can organisations begin to adjust their cultures to better address cybersecurity?
SM: There is a culture within many organisations to identify the security person as being ultimately responsible for the security of information within the organisation. That culture needs to change. It needs to change as quickly as possible. The mindset everybody needs to have is of the ‘information owner’. If you are creating information for the organisation, then you are ultimately responsible for the security of that information. You should be using the security team as a resource to help you protect that information, because it is your information, it’s the business’s information. You shouldn’t assume that the security team is going to take care of that information for you. If you don’t think that your information is being protected enough, reach out to your security team and ask them for guidance. Don’t assume that they are going to give you that security by default.
AICD: How is Optus working with businesses to improve their approach to cybersecurity?
SM: Optus wants to partner with its customers on a cybersecurity journey and learn about their business objectives to align a security solution to those objectives. [In doing this] we look at the risk landscape, provide customers with threat monitoring and give that feedback to the customer so that they see the bigger picture of what is happening in their environments.
As the data carrier, Optus owns the underlying network. We will layer our security on top of that for our customers, so that they get as early a warning as possible about what is going on in their environment. We want to offer that threat intelligence, that ‘over-the-horizon’ view of what is going on. This is a problem that is going to grow and there is going to be a wider target landscape – it’s not just IT systems, it is operational technology. There is always the people element, so we constantly want to upskill individuals through education programs and bring in new individuals to protect the organisation.