Last month, a Russian crime syndicate was found to have stolen more than one billion usernames and passwords. Just this week, American homewares franchise Home Depot has suffered a massive cyber security attack. The amount of power contained in such information is frightening to consider – especially when security standards among many businesses and websites remain so low.
Consider the following:
- The average cost to an Australia business when dealing with a cyber attack is $2 million.
- One in three organisations across the world have experienced cybercrime within the past 24 months.
- The average number of days spyware could be on your system before it’s detected = 243.
- Two thirds of cyber crime victims need to be notified by a third party they’ve been compromised.
- The rate of attacks is increasing– this isn’t a problem that will go away.
Incidents like the Russian crime syndicate show the importance of maintaining a significant cyber presence, but many organisations are reluctant to even share information as they fear it might poorly reflect on them.
Dr Carolyn Patteson, head of CERT Australia, the national computer emergency response team, says that cyber incident reporting benefits everyone:
“We often have tip-offs from organisations or sectors that have identified suspicious behaviour on their networks. We then put out general advisories that alert other businesses to be prepared for specific types of attacks.”
“The intelligence we provide back to the business community is collated and cannot be traced to any individual organisations. Trust and privacy are an important part of encouraging greater reporting and these are very high priorities for us.”
For example a large Australian financial institution contacted CERT Australia after discovering a number of spear-phishing attempts that were after customer information. CERT Australia was able to investigate and alert other financial institutions of the risk within hours.
Ultimately, better sharing of information about cybercrime makes Australia?a harder target and a safer place to? do business.
Making cybercrime a part of risk management
There are four major threats when it comes to cybercrime – most of which aren’t understood properly by organisations both big and small:
- Organised crime groups typically look for cash or information to sell and go after credit card details or personal information. They will often target and blackmail high-level executives using spear phishing techniques.
- State-sponsored groups are quite different. They are looking for business information – strategic plans, pricing, M&A activity – that might advantage businesses in their country. They might install software that sits in the background monitoring your activity or gathering data for months before it’s detected.
- The term hacktivist refers to activists that use computer hacking to further their aims. This group is particularly difficult to deal with as their motivations are varied. They might have a specific social, environmental or political agenda, or they may just be trying to be a nuisance. Typically their goal is to disrupt or disable your organisation’s digital network.
- Internal threats are one of the most dangerous as your own people hold ‘the keys to the gate’. And it’s not just the disgruntled or dishonest that pose a threat: crime gangs often target vulnerable employees then bribe or extort them to carry out cybercrimes from within an organisation.
While there are specific tactical ways to deal with each of these threats, the real challenge for executives is to take a holistic, business-based approach to cybercrime. This means firstly elevating cybercrime above the IT division and incorporating it into your whole-of-organisation risk management framework.
One of the most important questions a CEO can ask is: who’s in charge of cyber security? If the answer is only the CIO, then you may have a problem. Cyber security is a fundamental ?part of risk management. It should operate across the breadth of the organisation and report directly to the top.
The other critical element of cyber security is thorough planning ?and preparedness: Plan ahead, plan thoroughly and review your plan regularly because you will come under cyber attack.
Importantly, the plan should consider a range of scenarios and questions that go beyond technical responses to a cyber attack.
For example, have you thought about your fiduciary duties to shareholders? Do you need to inform the ASX or issue?a trading halt? What do you need to tell customers? Will the media be interested? If you’re in an M&A situation, when do you need to inform the target board? What’s your escalation plan? It’s critical that you think about these things before a cybercrime occurs.
What to do?
There is always a price to pay for convenience, and in this case it is greater vigilance in return for the benefits ?and opportunities presented by the exploding digital economy. And just as organisations have adjusted to risks in the past, so too can they adapt to the new and growing risk of cybercrime.
But it will require a revision of our current thinking. Business leaders need to:
- Lift cyber security out of the technology department and into the executive team and boardroom
- Understand the different categories of cybercriminals, understand their motivations and the tools they will likely use to attack your organisation.
- Set the tone from the top and determine how cyber security fits with strategy and culture
- Plan ahead, plan thoroughly and review plans regularly.
- Ensure plans are aligned across the organisation.
Above all, organisations must share information about what incidents are occurring and how they are responding – cyber security isn’t a one-player game. It’s everyone’s business.