Cyber security starts at the top

By Rachael Falk, CEO, Cyber Security Cooperative Research Centre

Cyber security starts at the top

By Rachael Falk, CEO, Cyber Security Cooperative Research Centre

Published in The Australian on 4/06/20

In 2012, then FBI director Robert Mueller famously said, “there are only two types of companies: those who have been hacked and those that will be”. That was eight years ago.

Data breaches, hacks and ransomware attacks happen every day all over the world. They should all serve as a reminder to ensure that systems are patched, appropriate controls are in place and that humans understand they play a vital role in stopping breaches and protecting valuable data and systems.  

And the simple fact is that if you are a global business, a small business, or an individual running systems connected to the internet, then you too are at risk.

The reality of cyber breaches is blunt and surprisingly simple. Ultimately, in most cases, it comes down to the number one – that is the number of people a hacker needs to trick to gain access to data.

So, when teamed together, cyber security system weakness such as an unpatched system and human fallibility make easy prey for cyber criminals. More often than not, it is as simple as a link that has been clicked, allowing access to a system. The amount of disruption and damage depends on the intentions of the cyber criminal, the type of organisation that was attacked, global spread and how quickly the intrusion is detected. 

For cyber criminals it is a game of numbers and they are versatile. They always have been.

During the COVID-19 crisis it has been easy for them to pivot their activities to take advantage of the increase in people working from home. But for them it is also business as usual, pandemic or not.

Because valuable data is, and always has been, a target.  

Sadly, history is replete with examples of serious data breaches both in Australia and around the globe. This is not new. This has nothing to do with COVID-19. This is risk that is entirely foreseeable.

Businesses and more importantly, their boards, must start treating their online assets with the same level of care and attention that they pay to their real-world assets, because now both are inextricably linked. There is no such thing as online or offline – we live in a connected world.

Boards must use that same keen eye that is trained on looking out for financial discrepancies, governance issues, and oversight and apply it to how their organisation is effectively managing their valuable data. That is because, more often than not, that valuable data is held across multiple repositories, with multiple vendors (who sometimes sub-contract), and in multiple jurisdictions. It is the board that must satisfy themselves that data assets are stored and protected appropriately – just like they would have done, in the ‘old’ days, where their files were stored or where they were taken to be destroyed.

Just like businesses must conduct financial audits, they should be conducting cyber security audits. These should include independent external assurance and the findings are reported back to the board, to give them a sense of whether they are effectively managing their cyber risk. 

How can a board ever understand the significant weaknesses in their cyber security controls if they have no visibility of external review? And as decent and as trustworthy as a chief security officer may be, you would not let your decent and trustworthy CFO mark their own homework, so why would you let your CSO do the same?

It is the responsibility of executives, business leaders and boards to be aware of the risks, ensure appropriate measures are in place and to foster a culture that cyber security really does matter. That it is more than ones and zeros. It is something that involves them.

Culture starts from the top. If cyber security matters to a chair and board, I can assure you it will have a trickle-down effect. It will be a priority for the leadership team and wider staff. 

No board member should be afraid to ask the tough questions. In fact, as history (and case law) shows, they should feel compelled to ask them.  

Because, as Mike Burgess, former Director-General of the Australian Signals Directorate once observed, “In the majority of hacking cases we investigate, I can tell you the root cause is a known problem with a known fix”.

Risk can never be completely avoided and that is why mitigation is key.

We exist in a world reliant on tech. Systems are so interconnected that if there is a breach, it can be exploited like never before.

Being aware and prepared is not just good practice – it is good business.