“Cyber” has certainly created a wave of excitement in recent times, across Government and in all sectors of business. Data breaches are almost a daily headline, and even issues surrounding national security and “hacktivism” are now mainstream. The most recent Insights Report from the Office of the Australian Information Commissioner clearly outlines where many of our risks exist: 60% of the incidents reported were the result of malicious or criminal attacks and, more concerning, 35% of incidents were the result of human error. While this report did not estimate the cost of an average breach, IBM Security suggests the average total cost of a data breach is $3.86 million.
Mitigation of Cyber risk has captured the attention of leaders, executives and boards given the real and heavily reported consequences of not addressing Cyber risk appropriately. As part of this wave of Cyber publicity, there have been numerous articles published that address building Cyber resilience, taking into account the obligations placed on business as the custodians of “high value” data such as payment card information.
A significant amount of this commentary is inwards focussed, looking predominantly at compliance agendas, testing of controls, team roles and responsibilities, and the implementation of security technology. It is easy to forget that Cyber, as with most enterprise risk, is as much about our people and our ability to share meaningful information as it is about our use of technology.
By now, most organisations are well down the path of executing their Cyber resilience strategy or, at least, are asking the right questions to begin that journey.
- What critical or “high value” data do I have?
- How is it integrated into my business and in particular, my approach to technology?
- Who has access to it?
- What governance framework, controls and technical capability do I have to adequately protect myself?
Knowing all of this, an organisation can then develop a plan that takes into account current capabilities and seeks to mitigate the identified risks. Nothing new here. But how does this journey remain agile and evolve as a business grows? Effective evolution requires an investment in people and in establishing a way to collaborate collectively across industry and society. This can be summarised in two further questions:
- Are my people and trusted parties adequately prepared to help me defend myself?
- How can I participate in sharing and receiving information that collectively improves our approach?
People are an important part of ongoing resilience
Education and awareness is not a new concept. By now, most of us are well versed in the art of eLearning and most organisations use this medium regularly to engage with their employees and, increasingly, their trusted third parties.
However, is this “tick and click” style of learning effective for mitigating Cyber risk, especially in a world where we are only ever as strong as our weakest link?
We know that reported Cyber incidents are on the rise, and recent data suggests that the major vectors for orchestrating Cyber-attacks are Phishing and the use of valid (often stolen) user credentials. These threats are by nature designed to first leverage a weakness in people, in order to then leverage a technology weakness.
While over the last few years we have seen organisations invest in technology and surrounding process, have we really seen the requisite level of investment in people, in particular non-technical people? In short, the quality of, and investment in, the education of people varies between organisations and industry sectors. However, public commentary on the importance of people in a holistic Cyber defence is on the rise.
There is no doubt that a well-constructed Cyber resilience strategy should include a dedicated stream aimed at increasing people’s awareness of Cyber risk and the use of technology and should evolve as the risks and threats to a business evolve. Arguably, these risks and threats change more frequently than once a year. Therefore, our approach to keeping our people informed needs to be agile and remain relevant.
We have seen good programs that are regularly assessed for relevance, and that include a combination of Phishing exercises, controlled Cyber incident exercises, eLearning modules, visible “memory jogging” cues, and informal communications and briefing sessions. There is an opportunity for business leaders to improve how they take people on this journey. With such a heavy focus on “attacking the person”, a good Cyber strategy that invests in meaningful engagement with employees and third parties can result in a balanced approach to addressing real-time risk and, if done well, tangibly affects the success of potential attacks.
Unlike much workplace compliance learning, employees perceive an increased understanding of a fast-moving issue as beneficial not only to their employer but to themselves, as they navigate Cyber risks in their personal lives. People can be our biggest weakness, but they can also be part of our best defensive team. Engaging with them in a manner that accelerates their transition from weakness to defence is a worthwhile investment.
Collaboration helps collectively lift the game
Another area of increasing commentary is collaboration and the sharing of actionable intelligence; both internally to an organisation and across industries and regions. It is fair to say that the current level of collaboration in Australia is immature, however, it is heading in the right direction.
As organisations gain more visibility of the “noise” within their environment and take steps to reduce the gap between detection and response, what are they doing with these lessons learned? Often they are used to improve internal process, but do these lessons hold greater potential? What if there was a way for organisations to share with each other the trends, incidents and opportunities they are seeing, to improve their resilience and protect themselves against the changing risk landscape? As organisations build resilience and increase their internal capability in partnership with their vendors and trusted advisors, a collective benefit seems possible. In our experience of participating in conversations across the industry, there appears to be a general level of enthusiasm for a mechanism to enable this collaboration.
As the orchestrators of cyberattacks build in capability and maturity, it makes sense that organisations and regions will seek strength in numbers to collectively raise their game. As organisations bed down technology and settle into ongoing operation, awareness and collaboration will be key areas in which Cyber strategy continues to evolve, and will perhaps differentiate those that do it well from those that do not.
Darren Hopkins is a Partner at McGrathNicol Advisory and specialises in advising businesses on both proactive and reactive uses of technology in the areas of cybersecurity, privacy, digital forensics and technology-led investigations.
Shane Bell is a Partner of McGrathNicol Advisory and has more than 18 years’ experience managing technology and information risk in business, with a particular focus on cybersecurity, digital forensics, data and information governance, eDiscovery and technology-led investigations.
Notifiable Data Breaches Scheme 12-month Insights Report. Office of the Australian Information Commissioner, 2019.
2018 Cost of a Data Breach Study: Global Overview. IBM Security.