There are three certainties in life: death, taxes and cyber attacks

Long-held beliefs that "it can’t happen to us" have been proven wrong time and time again. Cyber attacks are here to stay – fortunately there are things we can all do.

The COVID-19 pandemic has rapidly changed the way we work. Accelerated digitisation has made it possible for organisations to operate with a remote workforce. The digital future, including use of artificial intelligence (AI), cloud automation, internet of things (IoT) devices, automation, personal medical devices, virtual assistants and connected homes, have all brought new opportunities for individuals and organisations.

While modern technology offers businesses a range of opportunities, the benefits of technology can also carry risks. Advantages of a larger digital footprint of networks, devices, systems and data are equally appealing to those with ill intent. According to the recent Australian Cyber Security Centre’s Annual Cyber Threat Report 2020-21, cyber threats are increasing in both complexity and frequency, with a cyber crime reported every eight minutes in Australia. This reinforces the need for cyber security to become a vital part of business.

ANZ’s Threat Intelligence (TI) is increasingly seeing cyber criminals exploiting organisations, resulting in large-scale compromise and leading to significant business disruption, exposure/loss of data and brand damage.

Ransomware remains one of the most prolific threats to small and large organisations, with attackers continually evolving their approach to acquire more victims, and the associated income. ANZ has recently observed groups actively advertising for corporate insiders to assist them in their operations.

These criminal groups are indiscriminate in their targeting, pursuing the “big fish” to ensure high payouts, but equally employing mass campaigns, targeting thousands of organisations across all sectors.  

While most leaders understand that cyber security is a growing business risk, humans are prone to confirmation bias, which fuels the belief that we have not experienced a cyber attack so it can’t happen to us. And yet, global CEOs consider cyber threats one of the top two concerns that can impact their organisation’s growth prospects.

The impacts inflicted by cyber-adversaries have the potential to erode business competitiveness and growth. So not surprisingly, 41 per cent of global CEOs intend to increase their cyber security and data privacy investments by up to 9 per cent over the next three years.

We have a choice to empower our businesses with a risk-based approach to cyber security

Despite the challenges posed by cyber threats, managing cyber risk is achievable. Cyber security presents an opportunity in two ways – to help individuals become cyber-resilient, personally and professionally, addressing more than compliance obligations, and to make cyber security a business enabling proposition, through shared responsibility.

This means ensuring business leaders are empowered to make informed decisions that balance operational benefits with risk implications. Cyber security is ultimately a business issue, and requires focus from everyone in an organisation.

Lynwen Connick – Chief Information Security Officer, ANZ   

“Cyber security can be perceived as overly complex, but doing cyber security well is not as hard as people think - many risks can be reduced simply by improving the basics. If we all play our part right, we can unlock the full potential of the digital age, while ensuring risks are understood and managed. A collaborative approach works because cyber security is not just a technology matter – it’s everyone’s business.

Keeping systems and applications up to date (patching), ensuring working backups are in place, allowing only the right people access to information and systems, and educating teams on the risks and their roles can improve an organisation’s cyber security capability. Modernising general security capability and increasing the use of cloud computing with the right security controls in place can also significantly enhance an organisation’s cyber security position.”

Cyber security is a multidisciplinary issue and everyone's business

What recent cyber incidents have taught us is it takes more than deep cyber and technology skills. It also takes the right mix of risk management, behaviour, communications, analytics, and legal skills to adopt a holistic approach to solve an organisation’s cyber security challenges and enable digital opportunities to be realised.

For example, in the case of a ransomware attack, involving the risk, IT and legal functions at the right time can make a significant difference to an organisation’s ability to respond and recover.

Mary Attard – Partner - Cyber Security & Digital Trust practice PwC

“We’ve moved beyond the clichés of  ‘those who’ve been hacked and those who don’t know they’ve been hacked’ and ‘it’s not a matter of if, but when’.

Organisations need to take a multi-dimensional approach to cyber security across business departments, which is appropriately focused on prevention, detection, response and remediation of cyber threats. The effort required to prepare for cyber threats can feel discretionary or optional, a box to tick or a job for next week. But make no mistake, they’re absolutely critical to building the cyber resilience needed to protect your organisation.”

There is also a renewed focus from regulators on protection of critical infrastructure and making cyber security a Board responsibility. In Australia, the Office of the Australian Information Commissioner (OAIC) is looking to become more active and running cases under the Privacy Act and there is increased focus from regulatory authorities which are likely to introduce personal liability for directors where the company contravenes a law.

There is a need for mandating boards to have more visibility and taking responsibility to actively manage security and resilience.

Striking a balance between digital innovation and reducing cyber risk

Leaders seeking to strike a better balance between digital innovation and cyber risk management should consider having a strategy that spans all pillars of cyber security including people, process and technology, and include multi-disciplinary teams, to collectively achieve a defence-in-depth outcome.

ANZ, talks about cyber security as a team sport given no single control – be it software, process or people – will completely shield companies from cyber crime. Simple steps organisations can take to adopt a risk-based approach to cyber security include:

1. Getting the basics right. ANZ encourages you to make a ‘PACT’ (Pause before sharing information, Activate multi-factor authentication (MFA), Call out suspicious messages and Turn on automatic updates) to drive good cyber hygiene and encourage staff to play their part. More information on ANZ’s PACT can be found on ANZ’s website.
2. Clearly communicating to the entire workforce that cyber security is a whole-of-business issue. Check out ANZ’s Cyber Security Brochure.
3. Creating and investing in a strong culture that encourages positive behaviours around cyber security, such as empowering employees to speak out and act if they see or hear anything unusual.
4. Collaborating across key areas of the company including business, IT, risk, legal and communications.
5. Implementing top-down and bottom up reporting, governance, and processes to protect systems and information.
6. Leveraging relationships with community, threat intelligence and trusted third parties to defend against cyber threats. Consider the Australian Cyber Security Centre Partnership Program.
7. Continuously monitoring cyber events and being prepared for incidents with a practiced response process.
8. Embedding security into culture, sourcing and third party arrangements. 
9. Using security to make the most of new opportunities to innovate and improve customer experience.

Conclusion & key takeaways

• Greater benefits can be realised by ensuring digital transformation is cyber resilient.  
• Cyber security is a team sport. Minimising cyber risks requires strategic alignment between people, process and technology. Investment in technology alone will only take you so far.
• Rethink your approach/strategy to managing cyber risks in the context of future changes to the regulatory, workforce, business and cyber threat landscapes.