The following is an opinion article written by Peter Bailey, general manager, Aura Information Security. The views expressed within the article are not necessarily those of Insurance Business.
With digital technology now a critical part of modern business, keeping systems and data safe has become a board-level issue. Where once responsibility would have been delegated to the CIO or IT manager, now decisions about cyber security are topping C-suite ‘to-do’ lists.
You don’t have to look far to see why. High-profile data losses, crippling hacker attacks and Australia’s looming mandatory breach notification laws have raised awareness of IT security. Boards have become acutely aware of the financial and reputational costs of not getting it right.
At the same time, there have also been rapid changes in the ways in which digital technologies are being used by businesses. These, in turn, have significant security implications that need to be addressed.
One example is the rise in mobile and flexible working. Where once critical applications and data were usually stored in and accessed from an on-premise data centre, now they can be spread across multiple hosted platforms and accessed from a myriad of portable devices.
Another key trend is the rise of the Internet of Things (IoT). Increasing numbers of smart devices are being connected to corporate networks where they generate and share data. Keeping track of these new streams is a far from trivial task.
One security-related issue that is also gaining traction is the dramatic rise in the number of ransomware attacks. Victim organisations find critical data files become locked down and face either paying criminals to unlock them or losing access forever.
According to the Telstra Cyber Security Report 2017, 59% of organisations in Australia have detected a business-interrupting security breach on at least a monthly basis. This is more than twice as often as was the case in 2015 when 24% reported a similar situation.
According to the report, 60% of Australian organisations experienced at least one ransomware incident in the preceding 12 months. Of those that did, 57% opted to pay the ransom.
The Telstra research also found that the most popular delivery method for cyber threats is phishing emails. Worryingly, approximately one third of Australian businesses experienced a phishing email incident that had an impact on their business on at least a monthly basis.
It is for this reason that the most crucial component in good information security is people. Granted, IT is one of the weak points, but technology is manageable. It’s human nature that can’t be predicted and controlled, and that presents the biggest opportunity for hackers.
Hackers know where weaknesses lie … and it’s with people. It’s their inability to identify risks, and their often relaxed approach to security.
For this reason, ongoing education of staff is an essential component in establishing a sufficiently secure organisation, and should be a mandatory focus for all businesses in the year ahead.
The coming 12 months have a predictably familiar feel: more phishing, more employees making uneducated mistakes, and more ransomware. Cybercrime is big business, and criminals will keep doing what nets them the best result.
Key steps
As a board member, you can make yourself and your business less of a target with these three recommendations:
Board members also need to make it their business to stay at the forefront of what is a constantly evolving threat landscape. It’s one thing to know what has happened in the past, but it is even more important to understand emerging threats and the potential impact they could have on the organisation in the future.
By maintaining a focus on security fundamentals, the board can ensure an organisation is best placed to withstand IT security threats and maintain a focus on customer service and growth.