Coping with Cyber Risk: Engineering enterprise resilience
Canute was a wise king who knew he could not stop the tides; wise corporate leaders understand they cannot prevent cyber breaches - but they can establish processes and culture that can swiftly respond to attacks, underpinning enterprise resilience.
The threat landscape
In its most recent cyber security survey the Australian Cyber Security Centre revealed that in 2014-15, CERT Australia - the national cyber response unit - responded to 11,733 incidents affecting businesses, 218 of which involved systems of national interest and critical infrastructure.
It's only the tip of the iceberg.
Cyber breaches lead to the loss of intellectual property or expose customers to identity theft; distributed denial of service attacks can stall all online activity; ransomware can bring an organisation to its knees.
The multiple Sony hacks from 2014 and through 2015 serve as a textbook illustration of the devastation that can be wreaked by cyber attacks. Closer to home, retailers Kmart and David Jones both had customer information stolen as a result of cyber breaches in late 2015, while the Ashley Madison hack and, most recently, the Panama Papers scandal have placed cyber threats on the front pages of newspapers worldwide.
Executive leaders and board members are now keenly aware of the risks and impacts of a cyber breach. The exposure that boards have to cyber risks has grown enormously. The likely advent of mandatory breach notification legislation in Australia means that corporate leaders need to prepare themselves and their organisations for even greater scrutiny. Are you ready?
Cyber-crime now outweighs drug trafficking as the most lucrative form of crime. Cyber-crime experts have described how these criminal networks have hierarchies, employees and health plans; they even have employee performance reviews. These are well established and sophisticated operations.
Visiting Australia recently, Mary Galligan, a director at Deloitte and Touche, and a former FBI cyber special agent, said that when the FBI cracked a single ransomware racket in late 2015, it uncovered an organisation raking in $US30 million a year from cyber extortion.
Ransomware is, according to the ACSC, what Australian executives fear most: having their computer systems locked up by hackers until they either pay a ransom or rebuild their information systems from scratch. How would you respond?
You need to take control and keep yourself updated about the threat landscape. Ensure board-level agendas regularly consider cyber risk. Update directors on current and emerging legislation and regulatory requirements. Invest in cyber security technologies and specialists to optimise front-line defence.
Engage in a risk mapping exercise with all stakeholders, with a view to being covered for:
- Direct ramifications of a breach both financially and for brand reputation;
- Notification costs (PR budget, call-centre costs and credit monitoring services);
- Investigations response and compliance;
- Compensation to affected individuals;
- Engagement of forensic experts; and
- Defence of claims for misleading conduct, negligence, breach of contract, breach of confidence and privacy compromises.
We can then make recommendations about risk control, processes and mitigation techniques, perform a gap analysis of current insurance, and tailor a risk transfer policy, looking at current portfolios to see what can be offset.
Canute got his feet wet before his people recognised the truth - be smart, stay dry.