With 76,000 cyber crimes last year, roughly one incident every 7 minutes, Australian boards are struggling to address the social impacts of organisational security breaches in the face of complex inbound critical infrastructure legislation and emerging connected devices.
Chief information security officers’ (CISOs) concerns about security gaps are not getting the attention they deserve from board directors, who are overwhelmed by a risk landscape spanning climate change, modern slavery, and cybersecurity.
Several industries, including healthcare, are now 10-15 years behind financial services, where progress is evident in robustly protecting customer and employee data.
Boards are turning to short-term measures, including cyber insurance, to mitigate risk, falling well short of new guidelines and recommendations under the Australian government’s Essential Eight Maturity Model.
“Boards are playing catch up – overwhelmed with often confusing cyber advice and inbound legislation. However, over the next 12 months, they need to adopt a much broader and sustained approach to cyber security, including deeper investments,” said Claire Pales, director of the Secure Board, a consulting company committed to advising executives and boards on security practices.
Ms Pales joined Gary Savarino, the solution engineering manager of SailPoint, in a recent InnovationAus podcast on Connected Infrastructure to discuss threats and opportunities in bridging the cyber divide in Australia.
The recent COVID-19 pandemic amplified the fragility of supply chains in the face of emerging cyber incidents, compelling government agencies to consider cybersecurity legislation that covers a broader range of organisations and institutions as critical infrastructure.
These could include, for instance, universities, home services, electricity, and water supply services, where infrastructural breaches pose a severe social risk, particularly for older generations dependent on critical infrastructure.
While technology, including sensors and intelligent systems, drives down operational costs and accelerates data insights for government and commerce, a cyber incident has overlapping Environmental, Social & Governance (ESG) implications.
The recent Colonial Pipeline incident in the United States showcased the severity of a cyber hack, shutting down petrol stations and impacting jet fuel availability at airports. Despite these attacks, most boards in Australia still adopt a reactive approach, waiting to see what solutions their competitors adopt.
The low levels of cyber literacy from the board to management reflect a growing cybersecurity skills gap across various industries. Plus, vague government legislation requires complex legal consultation and audits, deterring boards from taking decisive action or bringing CISO concerns to the same status as balance sheets, legal liability, and solvency performance.
Further, directors often sit on multiple boards in diverse sectors, bringing decades of operational experience in sales, accounting, and marketing to the table but very little in the way of cybersecurity, climate change, and modern slavery.
These knowledge shortfalls are difficult for long-term board members to overcome, but their efforts in upskilling are vital to protect their local communities from breach fallouts.
Additionally, the Essential Eight guidelines have a strong focus on technology. Still, without people to manage specific controls, including application whitelisting and multifactor authentication, on a day-to-day basis, security gaps will continue.
“It’s taken a while for disaster recovery solutions to evolve and become normalised in most organisations. Cybersecurity now needs to become part of any new technology initiative and a key step in the process,” said Mr Savarino.
These efforts become even more vital if one considers the regional challenges an organisation may face when deciphering new laws around cybersecurity. Certain states may be prone to floods and fires, suggesting organisations’ products and services may be considered critical infrastructure in one state but not in others.
The government may soon add cyber incidents to the list of recognised disasters, such as fires and floods, as part of new emergency management frameworks.
Cyber experts are thus imploring board directors to pursue serious conversations around protecting customer and employee data that involves the entire company, from employees to management.
“It needs to become part of standard business processes, especially as cyber breaches increase in intensity over the next 12 months,” said Mr Savarino.
InnovationAus.com are producing this podcast series in partnership with SailPoint.
Do you know more? Contact James Riley via Email.