Cyber attacks on Australian businesses are rising
With our increasingly fast-paced lives, it is hard enough to stay on top of our personal cybersecurity, let alone protect the information assets of the companies we work for. From ransomware, malware attacks and mobile phone hacks to advanced email phishing attacks and social engineering threats, the variety and volume of security risks we face is growing. In 2016 we have seen the big 4 banks targeted with an incredibly sophisticated malware play, major data breaches that exposed consumers' private information, denial-of-service attacks on hospital systems and dedicated cyber attacks on high-profile government entities. There has even been a report of pirates targeting a global shipping company, using cyber espionage to identify high-value goods. And for all the security breaches we know about, many more go unreported. Even if you limit the cost to your reputation by not publicly disclosing a breach, the cost to your bottom line can be severe. A 2015 Ponemon Institute study found that the average cost of a cybercrime attack is US$7.7 million.
As a consequence we are seeing increasing boardroom-level awareness of, and serious questions about, cybersecurity protection and controls. Traditional security solutions are built around technical controls – perimeter firewalls, access control, logging and monitoring. These responses are mainstream and mature, and when combined with advanced analytics solutions they present a hefty corporate-level defence against cybersecurity threats. However, in an environment where an employee's or customer's ability to access information at any time, from any device and any location, is no longer a competitive edge but a mandatory requirement, the traditional traffic-cop role of the security function needs to be reassessed.
With today's increasingly mobile workforce and distributed IT footprint, a more data-centric approach to security is required. Security experts have been preaching for decades that the biggest cybersecurity risk is the human factor. This remains true – and an organisational culture in which every employee is responsible for cybersecurity needs to be put in place.
Rethinking Security
Business Aspect believes that aligning security planning with organisational change and culture principles is key to delivering effective cybersecurity management. As cybersecurity practitioners and advisers we:
- Work with our clients to understand the true requirements of their staff and customers.
- Translate these requirements into a security profile that is as multifaceted as the organisation for which it is being built. One-size-fits-all solutions are no longer practicable or workable.
- Provide input into the strategic business planning process – not just the technical planning. Effective cybersecurity requires more than technical solutions; the strategy we develop needs to be understood by, and embedded with, every staff member.
- Talk to the business – so that the 'why' questions can be answered with something other than 'just because'.
- Work with the change specialists within your organisation to develop a strategy for developing, implementing and embedding the security strategy.
- Prepare for future threats with an adaptable plan that can respond to the challenges ever-present in the modern corporate culture.
Cyber-attacks against corporate environments are the new normal, yet we need to continue running our businesses. Technical controls go part of the way but people, behaviour and culture need to do the rest.