Despite the Australian Securities and Investments Commission being hit by a cyber-attack just over a year ago, along with several other high profile ransomware attacks in the last few years, many local organisations – both public and private – remain vulnerable to increasingly sophisticated and ever-proliferating cyberattacks.
The immense challenge posed by cyberattacks and ransomware will only get harder in 2022, forcing governments, industry bodies, organisations of all kinds and sizes, regulators, and policy makers to either act decisively or face severe ramifications, such as loss of revenue or the removal of those found to be complacent.
Cyber threats and ransomware are becoming a digital plague, because as COVID-19 continues to disrupt the entire economy, and more organisations are being forced to allow information to be shared remotely and across the value chain.
At the same time, the pandemic has accelerated organisations’ reliance on technology and the adoption of data-driven applications, which generate more data to manage and protect, therefore increasing the risk and fallout of being hit by ransomware.
This is a perfect storm for attackers, who are continuing to take advantage of this disruption and data proliferation, with attacks on the finance sector – for example – increasing 238 per cent globally at the onset of the pandemic (according to VMware Carbon Black).
According to IBM and the Ponemon Institute, the cost of a data breach now tops $US1.59 million, or 38 per cent of the total cost of a breach, with ITIC research finding IT downtime now costs more than US$300,000 per hour for 91 per cent of organisations, which demonstrate why no organisation can afford to be ‘down’ or offline due to a cyber-attack. And that’s before the hit to their brand reputation comes into play.
So how can organisations sure-up their business continuity when they are consistently generating more data, whether by choice or by necessity, in this ransomware era?
The answer lies in adopting a ‘cyber resilience first’ mindset, which starts with organisations understanding that data management, as a core component of data compliance and risk management, must shift from an IT concern to a boardroom and executive priority. Just as cybersecurity has become a boardroom and executive priority over the last five to ten years.
This shift in approach and thinking is crucial because business continuity both now, and in the future, will be reliant on how cyber resilient an organisation is able to become.
What is cyber resilience and why is it important? Put simply: it’s the concept whereby an organisation can continuously deliver its intended outcomes despite adverse cyber events.
If cyber resilience becomes the objective, the focus shifts to conducting business securely, this helps change the way data governance and protection problems are addressed; and that a security posture needs to solve.
This approach will not only help to maintain business continuity and avoid disruption to their customer offering, but it also allows organisations to minimise risk and meet regulatory expectations.
As with many other governments around the world, various Australian governments and their agencies have responded to increasing cyber threats and the necessity for data governance by rightly refining regulatory frameworks and increasing the data protection, privacy, and security requirements of all organisations.
The Australian Prudential and Regulation Authority (APRA) is taking strong strides in encouraging a greater focus on data governance and cyber resilience, which includes their recent announcement requiring “…a number of general insurers to review the soundness of their risk management frameworks in light of recent issues with business interruption (BI) insurance.”
Similarly, the Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC) are now some of the leading bodies of their kind in the Asia-Pacific region.
With the OAIC having put into place the Notifiable Data Breach Act and scheme in 2017, and the ACSC continuing to update their ‘Essential Eight Maturity Model’, which acts as a baseline for cyber threat mitigation strategies. These initiatives, while a great in their own right, must serve as springboard to encourage an economic-wide adoption and focus on establishing cyber resilience.
However, the adoption of a ‘cyber resilience first’ approach by private and public organisations is not the sole responsibility of the government, organisations must priorities it within their own leadership and boards, regardless of whether they are government departments or private company.
Especially considering cybercrime evolves and mutates at a much faster rate than mandated government initiatives, legislation, and regulation. However, if APRA’s latest Insight Report, titled Improving cyber resilience: the role boards have to play, highlights more action must be taken by organisations’ at a function, executive and board level:
“APRA’s observations from the CPS 234 assessment and its supervisory activities have found little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics.
“In many cases, APRA observed that management reporting on information security to the board is not fit-for-purpose and unlikely to facilitate meaningful discussion. For example, APRA identified that some boards are not receiving information about the effectiveness of testing of information security controls.”
This is alarming given the various legislative and regulatory requirements of organisations when it comes to governing, storing, and protecting data, not to mention the fact Gartner’s 2021 Board of Directors Survey found regulatory compliance risk was rated as the highest source of enterprise risk internationally.
It also demonstrates the clear need for organisations and their leadership, both at a board and executive level, to unite under a collective approach or philosophy to uphold their data protection obligations.
Gartner also predicts that within the next three to four years over 40 per cent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10 per cent today.
However, organisations simply cannot wait three or four years to prioritise cyber security and data protection beyond their IT or security teams, if they are to meet regulatory expectations, respond effectively to cyber threats, and ensure business continuity.
The winners and losers of tomorrow to be decided by those that can better leverage their data to capitalise on the insights it provides, while adequately governing and protecting it.
Adopting a cyber resilience-first approach is fundamental to business continuity and economic competitiveness in this digital age, where data is every organisation’s most valuable and vulnerable asset.
The challenge for Australia is getting our organisations, their leadership and boards, governments, and regulators, to collectively strive to make cyber resilience a core organisational attribute.
Do you know more? Contact James Riley via Email.