“Cyber crime is the greatest threat to every company in the world,” said IBM CEO Ginni Rometty two years ago. In a recent survey, 40% of Australian directors agreed, rating cyber risk higher than other business risks. If you’re a Board member or director and not involved in cyber-protection, it’s time you were. Here’s why.
In the past 25 years, the nature of corporate asset values has changed significantly, shifting away from the physical and toward the virtual. Close to 90% of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. Along with the rapidly expanding digitisation of corporate assets, there has been a corresponding digitisation of corporate risk.
Now that Australia’s new Mandatory Data Breach Notification Law is in effect, cyber breaches are more likely than ever to be made public, exposing your company to accusations of failed governance and to reputational damage.
Cyber attack trends
The facts and figures below from recently released cybersecurity threat reports illustrate some alarming trends.
- More than 4 billion records were leaked in 2016, 500% more than the previous year
- Email remained the top vehicle for malware with malicious attachments increasing over 600% from 2015-2016
- Ransomware attacks spiked over 500% in 2016, with 60% of Australian organisations stating they had experienced a ransomware incident
- 76% of websites scanned by security professionals in 2016 were found to have vulnerabilities
So who are the cyber attackers?
Cyber criminals are working overtime to infiltrate organisations and are clearly the biggest threat as the diagram below shows. However, what may be surprising is that people inside your organisation pose the next biggest risk, and that unintentional actions by employees, contractors, and third parties result in significant data breaches.
The role of employees in data breaches
Staff are already inside a business’s security framework and can easily be exploited to bypass security controls. The sorts of employee actions that can cause data breaches include:
- Using ‘unpatched’ applications where software updates containing security fixes are not installed
- Using easy-to-guess or default passwords
- Opening an infected attachment or using an unsafe URL
- Falling victim to social engineering scams (such as phishing)
- Neglecting operating processes or security protocols
The rise in these breaches is partly due to lack of cybersecurity awareness and knowledge among end users. Security awareness training for your employees can help manage this risk more effectively.
Two classic examples of social engineering scams
As business accountants, we often hear about social engineering scams. For example, a bookkeeper received an email from a supplier informing them of a change of bank account details. That email was not really from the supplier, and payments of $30k a month were requested. Another case involved a PA who received an email from her boss (travelling interstate) asking her to transfer $200,000 to secure a business deal. She did as requested, only to find out later that the email was not from her boss.
Requests like these should be checked personally, by calling the sender on a number you already hold and asking for verbal confirmation. When updating bank details and making payments, two different people in your organisation should be required for authorisation. As an extra safeguard, run monthly exception reports on creditors to check whether any unusual changes have been made. Scammers may wait weeks or months to make their move.
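One way to implement the creditor exception report and the two-person authorisation check described above, as an added example that is not part of the original article. It runs over constructed creditor-master change records and payment records; the record layout, field names and sample values are assumptions, not any real accounting system’s format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
@dataclass
class BankChange:  # one creditor-master change (constructed layout, not a real system's)
    supplier: str
    changed_on: date
    new_account: str
    requested_by: str           # staff member who keyed the change
    approved_by: Optional[str]  # second person who authorised it, if anyone
    callback_done: bool         # confirmed by phoning the supplier on a known number
@dataclass
class Payment:
    supplier: str
    paid_on: date
    account: str
    amount: float

def exception_report(changes, payments, as_of, lookback_days=90):
    """Flag bank-detail changes in the window that lack an independent second authoriser
    or a callback, noting any money already sent to the new account. One dict per flag."""
    since = as_of - timedelta(days=lookback_days)
    findings = []
    for c in changes:
        if c.changed_on < since:   # scammers may wait months: widen the window if needed
            continue
        reasons = []
        if not c.approved_by or c.approved_by == c.requested_by:
            reasons.append("no independent second authorisation")
        if not c.callback_done:
            reasons.append("not verified by callback to the supplier")
        if reasons:
            paid = [p for p in payments if p.supplier == c.supplier
                    and p.account == c.new_account and p.paid_on >= c.changed_on]
            if paid:
                reasons.append(f"{len(paid)} payment(s) totalling "
                               f"{sum(p.amount for p in paid):,.2f} already sent to new account")
            findings.append({"supplier": c.supplier, "reasons": reasons})
    return findings

# Constructed sample data: one properly controlled change, one keyed straight from an
# emailed request with no checks, and one old enough to fall outside the 90-day window.
CHANGES = [
    BankChange("Acme Supplies", date(2018, 5, 2), "032-001 55551234", "bookkeeper", "cfo", True),
    BankChange("Bluewater Pty", date(2018, 5, 20), "062-999 88889999", "bookkeeper", None, False),
    BankChange("Old Co", date(2017, 11, 1), "013-111 22223333", "bookkeeper", "bookkeeper", False),
]
PAYMENTS = [
    Payment("Bluewater Pty", date(2018, 6, 5), "062-999 88889999", 30000.0),
    Payment("Acme Supplies", date(2018, 6, 5), "032-001 55551234", 12000.0),
]
```

Run `exception_report(CHANGES, PAYMENTS, date(2018, 6, 30))` at month end: only the unverified Bluewater change is flagged, together with the $30,000 already paid to the new account, while the Acme change passes both checks.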
How Boards should be involved in cyber risk
Cyber risk requires an enterprise-wide approach led by the top levels of management. A senior executive should lead the cybersecurity program to ensure that management and the Board truly understand the organisation’s current cyber risk state and its most critical business processes, IT systems and information assets. Only then can effective protection strategies and tactics for people, processes and technologies be developed across the whole of the business.
Boards should be actively engaged in protecting their resources. Here are some pointers for Boards and Directors to consider.
- Be prepared for success and business innovation: Managing cybersecurity is not just about managing the risk of bad things happening. It is also about handling the upside of a company’s successful digital initiatives, ensuring that the organisation’s cybersecurity systems are resilient enough to support them.
- Accept that your organisation is at significant risk of breach: It is not simply a matter of trying to prevent a cyber risk from occurring. Breaches are happening now. Boards should be concerned about how long significant breaches go undetected, and about the organisation’s ability to respond, recover and resume normal business operations afterwards.
- Cyber threats are constantly evolving: Boards should question how the organisation’s threat management program proactively identifies and responds to new cyber threats, taking into consideration the company’s most valuable assets, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target.
- Expect more from your security function: As well as protective technologies, your security function needs to clearly articulate the current cyber risks facing all aspects of the business, recent cybersecurity incidents, how they were handled and the lessons learned. It should also provide a short-term and long-term road map outlining how the company will continue to evolve its cybersecurity capabilities to address new and expanded threats, and meaningful metrics to judge how well top-priority cyber risks are being managed.
- Assess the advice you receive and your understanding of it: There may be circumstances where a Board should consider adding individuals with technology experience, either as members of the Board or as advisers to it.
Cyber risks are impossible to eliminate and resources are finite, but there are nevertheless many measures you should be taking to protect your organisation. No Board or business, large or small, can afford to ignore cybersecurity.
Please contact your Accru advisor if you would like some initial guidance.