This is the unedited version of an article that appeared two weeks ago in The Australian.
Cybersecurity is becoming an important responsibility for executives and directors. Often shortened to ‘cyber’, it’s easy to dismiss cybersecurity as just being the latest IT industry buzzword however ensuring information systems are secure is now firmly a management issue.
Information breaches have become embarrassingly common in recent times with events ranging from Target exposing forty million of its customers’ records in 2013, a breach which cost the company $162 million dollars, through to national security embarrassments like the Snowden revelations.
Exacerbating the risks to businesses is the dependency upon information systems to normal operations and the damage from denial of service attacks such as the outage across much of the US last weekend can be debilitating and costly. The recent Australian census saga that cost taxpayers thirty million dollars, is an illustration of how costly poorly planned responses to service interruptions and security breaches can be.
Compounding the risks for Australian executives are the breach disclosure laws tabled in Federal Parliament last week which threaten 340,000 dollars fines for individuals and 1.7 million dollars for corporations that fail to act quickly on data privacy failures.
In such a high risk environment business leaders need to be proactive says Leonard Kleinman, the Asia Pacific and Japan Chief Cyber Security Advisor for security software firm RSA, “the legislation is aimed at organisations that I’d call ‘wilfully blind’ or like to employ the concept of ‘plausible deniability’.”
As that period of ‘wilful blindness’ and ‘plausable deniability’ comes to an end, executives and directors have to start taking their responsibilities in protecting data far more seriously. The challenge lies in understanding the risks.
“What a lot organisations – both private and public – haven’t done well is their ‘Crown Jewels assessment,” says Glenn Maiden, Principal Security Consultant at Canberra’s ?Shearwater Solutions. “It has to be contextualised. My crown jewels might be credit card numbers but for that may not be the interest for foreign intelligence agencies.” Then understand where the risks are for those critical data and processes.
In understanding what those ‘crown jewels’ are, it’s important to consider what is valuable within the organisation. While to the marketing team the most valuable information may be customer data, to the COO it may be ensuring continuity of service while to external parties it could be pricing details or legal correspondence.
“The things I’ve suggested in the conversations I’ve had with organisations is simple stuff; review things like your instant response strategies – can you start an investigation quickly,” says RSA’s Kleinman. “It’s probably good to review your contracts. If you have a cloud services providers that experiences a breach, how are they going to go about doing the notification?”
In a world where subcontracting and outsourcing is normal business practice, the risk from third party vendors is real and goes beyond cloud providers. The disastrous Target hack being due to an air conditioning contractor’s compromised system and Edward Snowden himself wasn’t a direct government employee.
Privacy and security breach notifications are only part of the broader cybersecurity picture though and the field is becoming more complex. Last weekend’s massive denial of service attack that compromised many US based online services was caused by the Mirai botnet, that exploits vulnerabilities in cheap internet of things devices.
With business processes becoming increasingly connected and automated, management concerns are extending to the security, integrity and reliability of devices being used in their organisation. Even if the business critical sensors being officially purchased are of high quality, everything from smartphones to connected kettles being bought into the staff tearoom could be a potential risk to the corporate network and a business’ reputation.
It would be a mistake however to think cybersecurity is purely a technology problem however. “Ultimately insider threats are about people,” says Senior Vice President of Nuix’s threat intelligence and analysis, Keith Lowry. “These are all people who used tools or technology to do what they did and they got away with it because others were focused on the technology rather than focused on the people.”
As the business world becomes more dependent upon data and connected systems, the governance of networks and their security is going to be increasingly the responsibility of business leaders.