In this three-part series, Digital Pulse looks at how cyber security — in prevention, response and remediation — calls for a multi-faceted approach across business departments, incorporating actions across IT, legal and risk management.
Another article on cyber security? Yes. It’s understandable if your eyes glaze over. The risks may feel obvious and done to death. But cyber security incidents are estimated to cost Australian businesses up to AU$29 billion per year — that’s the equivalent of 1.9 percent of Australia’s GDP.
If that number doesn’t concern you, then this should: Cyber attacks are becoming materially more sophisticated, complex and frequent. Australian organisations in both the private and public sectors are being actively and increasingly targeted.
We’ve moved beyond the clichés of ‘those who’ve been hacked and those who don’t know they’ve been hacked’ and ‘it’s not if, it’s when’. Our experience suggests that you have almost certainly already been subjected to a cyber attack and it’s quite likely you could be under some form of cyber attack right now.
What else have we learnt through our work with Australian organisations? A cyber attack can cause a greater than estimated impact which will affect you in ways you’ve not considered. IT systems may get shut down for material periods of time (losing capabilities as fundamental as email connectivity), customers and suppliers may leave, leverage or litigate, deals may fall through, regulatory investigations may ensue (with very ‘sobering’ fines) and executives may lose jobs.
It may sound dramatic, but that’s the reality of a cyber attack. Therefore, on the heels of the Australian Government’s recently published Cyber Security Strategy 2020, we are sharing our ‘must-do’ technology, risk management, legal and regulatory recommendations — from preparation and breach response through to remediation and future prevention.
In this first piece, we tackle preparation. The effort required to prepare for cyber threats can feel discretionary or optional, a box to tick or a job for next week. But make no mistake, that preparation is absolutely critical to building the cyber resilience needed to protect your company. And it is needed more now than ever before.
Risk management recommendations
- Protect the most important parts — Security budgets and resources are limited, so focus your risk management efforts on the services and information that matter the most: what your business needs to fulfil its mission, maintain its competitive advantage or remain afloat. These assets, commonly referred to as ‘Crown Jewel’ assets, are your most valuable, and your cyber security capabilities and controls (in all areas) should protect them as a priority.
- Understand where assets are located, who has access, and who is protecting them — Businesses are retaining more information and leveraging more third parties (including cloud providers) to manage critical assets. Protecting them is key. Ensure you understand your third party ecosystem, what data they have access to and how it is protected.
- Prepare layers of defence and test regularly — Organisations must establish a strong baseline of preventative, detective and responsive controls, and focus on these controls as an initial priority to materially improve cyber resilience. Clear communication and quick responses on top of these will also dramatically reduce any secondary impacts to a business. Additionally, as technology and ways of working change, controls and testing (of tech, people and processes) should be ramped up to ensure all are up to the task. This is particularly true in a COVID-19 environment.
- Manage vulnerabilities in operating systems and software — Security vulnerabilities in software are regularly found and fixed by their manufacturers via updates, but they only work if they’re applied. Have processes in place to patch every asset as soon as a vulnerability is detected. Configure systems so they don’t create more risks (e.g. ensure admin login pages are only accessible from inside your network). You can identify misconfigurations using methods such as automated vulnerability scanners, penetration tests and configuration management. And don’t forget your shadow IT — non-IT-approved technology used by employees or internal departments — as it may not have the necessary security controls.
- Get control of your administrative users — Admin users have wide-ranging access to systems and the ability to install or modify software. It’s a beacon for cyber criminals wanting to gain access or unleash a ransomware attack. Reduce the number of administrators to the absolute minimum required and give them the minimum rights needed to do their job. For all users, make sure you use multifactor authentication to secure your internet accessible infrastructure and cloud-based platforms — that includes access from third parties and business partners, too.
- Monitor your environment — Incidents can occur rapidly, but intrusions often last days, weeks, or even months before being detected. Even in a well-managed environment, controls can fail, so invest in monitoring technology, processes and a safety-conscious culture to monitor your cloud, on-premises hardware and software, workstations, internet-facing systems and shadow IT. Log both successful and failed connections so that if a user’s account is taken over, you can trace it back. We also recommend that you use security experts to perform no-notice ‘red team’ tests of your systems and data to make sure your monitoring works. With the right log monitoring, you will be far better equipped to manage an incident, conduct investigations and respond to issues raised by suppliers, customers and regulators.
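The recommendation above to log both successful and failed connections is easiest to appreciate with a concrete review of authentication events. The following is an added example written for this article, not code from PwC or from any product it mentions: it reads a constructed, simplified login log (timestamp, user, outcome, source address) and flags successful logins that follow a burst of failures within a short window, or that come from a source address never previously seen for that user. The log format, the sample lines, the threshold and the window are all assumptions made for the illustration; in practice the same logic is applied to your directory, VPN or cloud sign-in logs. If only failures were recorded, the final successful login in the sample would be invisible and the takeover could not be traced.

```python
"""Added example (not from the PwC article): a minimal authentication-log
review showing why logging both failed AND successful logins matters.
Log format, sample lines, threshold and window are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <outcome> <source_ip>".
# alice normally signs in from an internal address; a burst of failures from an
# external address is then followed by a success from that same address.
SAMPLE_LOG = """\
2020-09-01T08:01:00 alice SUCCESS 10.0.0.12
2020-09-01T08:03:10 alice SUCCESS 10.0.0.12
2020-09-01T22:14:01 alice FAIL 203.0.113.9
2020-09-01T22:14:05 alice FAIL 203.0.113.9
2020-09-01T22:14:09 alice FAIL 203.0.113.9
2020-09-01T22:14:20 alice SUCCESS 203.0.113.9
2020-09-02T09:00:00 bob FAIL 10.0.0.40
2020-09-02T09:00:30 bob SUCCESS 10.0.0.40
"""

FAIL_THRESHOLD = 3          # assumed: failures before a following success is flagged
WINDOW = timedelta(minutes=10)  # assumed: how far back failures are counted


def parse_line(line):
    """Split one constructed log line into (timestamp, user, outcome, ip)."""
    ts, user, outcome, ip = line.split()
    return datetime.fromisoformat(ts), user, outcome, ip


def find_suspicious_logins(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of findings, one per successful login that either follows
    at least `fail_threshold` failures within `window`, or comes from a source
    address not previously seen succeeding for that user."""
    recent_fails = defaultdict(list)  # user -> timestamps of FAILs since last success
    known_ips = defaultdict(set)      # user -> source addresses with a prior SUCCESS
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = parse_line(line)
        if outcome == "FAIL":
            recent_fails[user].append(ts)
            continue
        # SUCCESS: judge it against the recent failures and the known sources.
        fails_in_window = [t for t in recent_fails[user] if ts - t <= window]
        reasons = []
        if len(fails_in_window) >= fail_threshold:
            reasons.append(f"{len(fails_in_window)} failures within {window}")
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append(f"first success from new source {ip}")
        if reasons:
            findings.append({"time": ts.isoformat(), "user": user,
                             "ip": ip, "reasons": reasons})
        known_ips[user].add(ip)
        recent_fails[user] = []  # a success closes the current failure run
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```

Running the block reports one finding: alice's 22:14:20 success, flagged both for the three preceding failures and for the never-before-seen source address. bob's single failure followed by a success from his usual internal address is not reported, which is the kind of noise reduction a threshold gives you; tune the threshold and window to your own sign-in patterns rather than keeping the constructed values.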
Legal and regulatory lessons
- Link your data breach plan and your business continuity plan — It’s vital that these two plans, which outline your incident response, operate together. Both must be ‘live’ and ‘agile,’ continually adapting to the changing cyber landscape. Business continuity plans typically prioritise the restoration of BAU, but restoring servers to back-ups, for example, can erase vital evidentiary traces of the breach. Restoration activities should be coordinated along both plans so that you preserve as much evidence of threat actor ‘movement’ as possible and ensure there isn’t a delay in your assessment of regulatory obligations — notification timeframes can be very tight, with material consequences for failure to notify.
- Stress test supplier and customer relationships — Modern businesses utilise a complex array of suppliers each with their own vulnerabilities. Check the cyber security of new suppliers as part of your procurement process to understand their security controls, policies and breach history. Ensure that your contracts are explicit about compliance obligations (including industry certifications), privacy compliance and data breach response obligations. Consider requiring vendors to hold cyber insurance (as well as considering this for yourself). For existing suppliers, review current contracts and confirm data flows, personnel access, requirements and obligations (privacy law, reporting obligations, audit rights etc.) and check if they’re required to notify you upon a breach or incident. A ‘quick reference guide’ that summarises obligations, restrictions and contractual rights (including termination and audit) that are triggered in the event of a breach is a good investment.
- Stay abreast of developments — Cyber attackers constantly adapt their methods of attack, so it’s essential to keep up to date on the latest attack techniques. Regulation of privacy and data security is undergoing a significant overhaul, particularly in the Asia-Pacific region (often in line with Europe’s GDPR or Australia’s own regulatory framework), so stay abreast of regulatory requirements, update policies and procedures, and review any proposed reforms for potential impact.*
Look out for part two of this series in the coming weeks where we will examine how these three areas of an organisation can respond in the event an incident occurs.
For further information on how your business can shore up defences against cyber attacks, and how to respond if an incident occurs, check out PwC Australia’s cyber security site.
*For instance, the Australian Government’s response to the ACCC’s Digital Platforms Inquiry has proposed a series of initial reforms to the Privacy Act 1988 (Cth), with a more detailed review to be completed in 2021, and mandatory data breach regimes are increasingly common (impacting businesses with both domestic and international footprints).
Also contributing to this article:
Andrew Morrison, Senior Associate, Financial Advisory – Legal, PwC Australia
James Patto, Director, Financial Advisory – Legal, PwC Australia
David Stocks, Senior Manager, Consulting – Digital Transformation, PwC Australia
Helen Teixeira, Senior Manager, Assurance – Trust & Risk, PwC Australia