Cyber resilience and the role of boards

14 June 2019

Digital transformation and cybercrime

Rapid digital transformation has created significant change and disruption for Australian businesses, government agencies and individuals. At the same time, organisations are increasingly dependent on secure and reliable technology to serve and engage their markets.

It is an unpleasant fact that the ‘age of digital transformation’, with all its promise for the betterment of businesses, the community, and individuals’ wellbeing, is also the ‘age of the cyber-criminal’.

The state of cyber threat

According to the 2019 World Economic Forum (WEF), ‘cyber-attacks’ is the highest rated ‘technological risk’, and one of the highest rated risks faced by business overall1.

In 2018, 88% of Australian organisations experienced more than 5,000 alerts per day - the highest rate in the Asia Pacific2. They have close to a 1 in 3 chance of experiencing a cyber incident each year3 . The average cost of a data breach in Australia is USD $1.99 million4. From 2017, destructive cyber attacks on technology infrastructure have impacted manufacturing, logistics, and supply chain operations for some of the most sophisticated global organisations. The impact of the ‘NotPetya’ pseudo-ransomware attack alone was estimated at “more than $10 billion in total damages”5.

Attacks do not discriminate and small and medium-sized businesses commonly experience ‘Business Email Compromise (BEC)’ attacks. Such attacks enable malicious actors to compromise systems, typically to commit fraud. Cyber threats are often tailored to specific sectors or targets. Retailers are mainly subject to financial (e.g. credit card) data theft. Universities and government agencies are an inviting source of intellectual property (IP). Health sector data is a target for cyber criminals interested in identity theft.   

Australian organisations improving preparedness

The recently released 2018/2019 BDO and AusCERT Cyber Security Survey Report indicates that Australian organisations are responding to the increasing threat. More than 60% of boards and executives now receive cyber security risk reporting and more organisations have adopted a Cyber Security Awareness Program.

While reported data breaches are up year on year, much of this can be attributed not to worsening security controls, but to the improved regulatory environment promoting cyber secure corporate behaviours.

The introduction last year of the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) and the European Union’s General Data Protection Regulation (GDPR), have both been linked with improvements in organisations’ investment in Security Operations Centres, and the appointment of Chief Information Security Officers (CISO). Confidence in meeting the obligations of the NDB has increased markedly.

Cyber risk management is becoming the norm for Australian business. By 2020, almost 85% of organisations plan to have adopted regular cyber risk assessments. Further, the incidence of ransomware attacks necessitating a disaster recovery exercise has greatly dropped year-on-year.

Overall, there is a continuing increase in cyber attacks and impacts, although the composition of those attacks has changed. Phishing is still the main way organisations are attacked. More than 20% of respondents experienced a phishing attack in 2018. Also, while it has reduced slightly from previous years as a percentage, close to 30% of survey respondents still indicated that they had experienced a cyber incident.

The ‘why’ of cyber resilience

In this febrile atmosphere of threat, with a continual stream of data breach incidents, it seems that no organisation is immune. Given the near impossibility of avoiding an attack, there is the temptation to just accept the inevitable. However, prepared organisations will better detect, contain, recover, and limit potential harm caused to the business and its clients.

Research from Ponemon6 has shown that the average time to detect a cyber attack is 197 days, and the average time to contain one is 69 days. Organisations with an incident response capability report significantly lower costs per record breached. Global organisations that were able to contain a breach within 30 days of it occurring saved more than $1 million per incident (or almost 30%) compared with those that needed longer. 

It is a salient point that organisations who respond decisively to a cyber attack in a transparent way to protect customer interests are rewarded for their efforts. Those that fail to do this risk reputational damage, short and long-term share price impacts, and negative consequences for both executives and directors.  

Given the inevitability of an attack, organisations are encouraged to adopt a cyber resilience approach – avoiding overweight investments in defence, towards more proactive capabilities to detect, respond to, and recover from cyber incidents.

This implies the ability to reconfigure cyber operations as needed to meet dynamic, constantly evolving cyber threats. A front-footed and nimble capability is needed, whatever an organisation’s scale of operations.

The first and biggest shift that organisations need to make in dealing with cyber threats is attitudinal. A mind shift is required to recognise the threat posed by cybercrime and to realise the benefits a cyber resilience approach offers over more traditional and overly defensive methods of protecting systems and data.   

The board, along with the executive, is best positioned to lead this shift.  

Ten good practices for boards

At the hub of stakeholder relationships, the board is uniquely positioned to understand, and proactively drive, governance of cyber risk. Boards can help guide their organisations to adopt a cyber resilience approach.

This requires a set of proactive considerations that reinforce consistent progress across the cyber resilience lifecycle. We have identified 10 steps that directors can take to help influence these outcomes within their organisations.   

Before cyber incidents, boards should: 

  1. Ensure cyber expertise exists on the board, or in an advisory capacity, to help inform and advise the executive team
  2. Encourage the selection of suitably experienced cyber security leaders, including the Chief Information Security Officer (CISO)
  3. Oversee the strategy and practice of cyber risk management, cyber resilience assessments, and cyber risk appetite setting
  4. Ensure the organisation’s cyber threat context is well understood, key information assets are known, and material cyber risks are planned for
  5. Oversee security governance through the whole board, the Audit & Risk Committee, or subcommittee. 

During cyber incidents, boards should: 

  1. Provide guidance, support and advice to executive management
  2. Manage key stakeholder relationships
  3. Act to protect an organisation’s reputation, shareholder value, and regulatory compliance (including overseeing reporting obligations).

After cyber incidents, boards should:

  1. Provide guidance and oversight over restoration and recovery efforts and lessons learned from the incidents, to minimise the longer-term effects of cyber incidents
  2. Ensure that regular reviews are performed to drive changes to the cyber security strategy, risk framework and controls to avoid recurrence. 

The opportunity to lead

Of course, none of this is easy, but the challenge and opportunity for boards are clear. Digital transformation offers vast promise for organisations in all industries and at every scale. Boards can help fulfil this promise for their organisations.

With balanced judgment about the threats faced, the insights needed, and the responses required, boards can help build the cyber resilient organisation.

It is important to maintain a real-world perspective on the cybercrime problem. While cyber threats are undoubtedly here to stay, and cyber attacks almost inevitable, the capabilities available to meet them are continually improving. Taken in this light, achieving cyber resilience should be seen as a manageable task and one that is greatly advanced by proactive, cyber-informed boards.    

If you think your organisation could benefit from an increased cyber focus at the leadership level, please get in touch to discuss the options available.

The fourth BDO and AusCERT Cyber Security Survey is now open. Don’t miss out on this year’s chance to gain free insight into how mature your organisation’s cyber security approach is.

Take part now

1 World Economic Forum (WEF) – The Global Risks Report 2019
2 Cisco 2018 Asia Pacific Security Capabilities Benchmark Study – Regional Breach Readiness
3 Around 30% of respondent organisations to the 2018-2019 BDO AusCERT Cyber Security Survey indicated that they experienced a cyber security incident in 2018.
4 Ponemon Institute 2018 Global Cost of a Data Breach Report
6 Ponemon Institute 2018 Global Cost of a Data Breach Report