As the frequency and scale of ransomware attacks continues to escalate globally, security experts have warned that Australian Company directors will need to get used to taking the flak when it comes to mitigating cyber risk.
The research shows that Cybercrime is costing the Australian economy around $3.5 billion a year. As a result, the Federal government is considering making company directors personally liable for cyberattacks.
In July last month, Karen Andrews, the home Affairs minister declared that Australia “cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security”.
So, in parliament there are discussions on whether to make the new standards mandatory. It’s not the first- time talks have taken place. In August last year at 2020 Cyber Security Strategy a huge $1.66 billion was given to boost to the nation’s cyber defences. And as part of the cyber security strategy, it was stated there will be a legal duty that Company Directors have abide by to ensure a reasonable standard of cyber security is in place.
Now chief strategy officer of CyberCX, Mr MacGibbon has voiced how implementing fiduciary duty on company directors would send a clear message that “it’s time to start treating cyber security risk seriously”.
That is to say, the potential new cybersecurity standard would mean extra responsibilities for the Directors of large companies in Australia. Co-designed with industry, it would cover corporate governance, smart devices and the handling of personal information. And work in a similar way to workplace health and safety regulations and protocol.
Most importantly, this is to tackle the cyber criminals who continue to grow in scale and sophistication. The cybercriminal business is becoming very lucrative as many victims pay the ransom demand. Secondly, the Government realise there have been some high-profile attacks of late. Thirdly, ransomware can lock down entire business and have a flow on effect to other businesses. For instance, the ransomware attack on IT services company Kaseya effected other services providers, it spread the malicious software to others and on a global scale. So, thousands of individual businesses were affected, with the criminals demanding a massive $100 million in ransom money.
Co-founder of the advisory firm, The Secure Board, Anna Leibel, said it was inevitable to see more significant and widespread breaches in Australia. And that fostering the change in security-conscious culture in business, sat with the board of Directors.
If the leaders, “set the tone” at the top, it will flow on through the company. And it will be the same as the board being held accountable for health and safety and solvency. So ultimately, the “board will be accountable for the security culture,” said Anna.
“All of the executive and the board need to understand all the elements that contribute to cyber risk,” she continued to say.
At a National Press Club speech Telstra CEO Andy Penn said that when it comes to responding to a cyberattack, most Australian businesses were just not prepared.
Cybersecurity company FireEye in recent report discovered that the Asia-Pacific region in 2020 are significantly behind when it comes to noticing a breach. “Dwell time” (the amount of time between a breach and a company noticing the breach)
- 76 days for the Asia-Pacific region in 2020
- 17 days for the Americas in 2020
These ransomware warning signs could mean you are already under attack
The regional director of cyber security firm HUMAN, Ryan Murray said businesses need to keep up with the constantly evolving threat landscape by considering the type of tech and skills needed to stay on top of their security.
For instance, cybercriminals in 77% of attacks use sophisticated bots so they are scaled automated attacks. They are also well-funded organisations, according to Ryan. In other words. they have the resources, money and expertise plus the latest technology.
Certainly, as a business leader you need to consider “upskilling of professionals in the space, and new technology adoption” these of course will come with additional costs to the business”, Ryan goes on to say.
Furthermore, internally your teams will need to be able recognise the risks and translate that into what the risk means. In other words, the internal teams will need to advise the CEOs and board members about what the real risks are and the real costs, if the company chooses not to protect itself or not.
Many directors, according to Ms Leibel, struggle with the concept that IT teams spend a lot of money on cybersecurity, yet new risks emerge all the time. But even if the IT Team has all the latest technology to guard against an attack, it’s still not foolproof. As typically the ransomware incidents of late have been caused by “an employee clicking on a phishing email that let the attackers in.”
So, cybersecurity is a team effort. Firstly, it’s about creating awareness and educating all employees about security. As well as asking third party and vendors who have access to your data or your customers data,
#1 where they’re storing it
#2 how they’re keeping it safe
In addition, companies need protocols in the case of a ransomware attack for during and after the attack. Everything needs to be documented and responsibilities understood and rehearsed, including notifying customers and down to social media posts.
It definitely- impacts your retention and your attracting of new customers in a negative way if you lose the trust of your customers. To clarify, it has an impact on the business, in terms of growth and mission of the company, Ms Leibel says.
One of the most positive steps businesses could take and both Leibel and Murray agree, is for companies to share experience and expertise.
So, it makes sense for the public and private sectors to come together to work on
#1 framework
#2 policy
#3 best practices
Now’s the right time, as “most Australian companies probably wouldn’t know what to do if they fell victim to a ransomware attack”, says Murray.
To break the stronghold of cybercrime, coming together in collaboration rather than doing it solo is a better/best approach. In other words, let’s band together and talk about a collective protection ideology, to beat these criminals, once and for all. After all Australian business can’t afford to keep giving in to this type of crime.
