The rise in attacks, regulation and insurance premiums requires a more sophisticated risk management approach to cyber threats, according to Brian Smith GAICD, CEO of Slipstream Cyber Security.
“The past 12 months have been spectacular for cyber risks — ransomware in particular,” says Smith, whose company specialises in active defence against cyberattacks and incident response.
He notes that ransomware attacks have affected a larger number of victims than in previous years, and not solely because of remote working. The impacts have ranged from disruption of banking and e-commerce to the complete shutdown of critical infrastructure and essential services.
Indeed, a ransomware attack in May forced Colonial Pipeline, the largest fuel pipeline in the US, to temporarily shut down all operations, a move that led to unprecedented disruption.
Unfortunately, cyberattacks are indiscriminate and, particularly with ransomware, large and small organisations are equally at risk. However, as Smith explains, much of this risk can be mitigated with a proactive approach, some basic risk management and modest investment.
“There has been a worrying increase in cyber supply chain attacks, with major software vendors like Microsoft and Kaseya increasingly in the firing line,” says Smith. “This has affected their customers and, in turn, the broader economy.”
The global pandemic and the rush towards remote working in many organisations are exacerbating the risk.
“Digital transformation has happened quickly and with that comes a range of new security risks, although there is opportunity to actually address many long-standing security issues with a careful move to the cloud.”
The rapid rise in cyberattack claims has impacted insurers who are becoming more diligent in reviewing potential customers’ cyber risk, while premiums rise, exclusions grow, and policies become harder to get.
“The ability of organisations to shift risks onto insurers is quite uncertain now,” says Smith. “This means directors need to more carefully consider how they accept or transfer cyber risk, with quality managed services playing an increasing role.”
“The world is a very complicated place today,” says Smith. “There are geopolitical struggles facing countries that haven’t really presented for decades. Offshoring risks, data sovereignty imperatives and governments’ broadening definition of critical infrastructure must increasingly be considered.”
He says for many organisations, it is important to have trusted cybersecurity partners that are not influenced by foreign ownership or offshore service models.
“Organisations should understand these risks and seek to work with service providers that are genuinely onshore. Of course, this isn’t a requirement for every business, but certainly, the number of organisations needing this approach is increasing.”
Running a tighter ship
Regulation around privacy and cybersecurity has also increased dramatically in recent years, including the Privacy Act amendments, Australian Prudential Regulation Authority (APRA) requirements, Corporations Act amendments and the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
“We find organisations generally need a lot of help and advice on how to navigate their increasingly complex responsibilities when investing in cybersecurity or responding to a security incident,” says Smith.
“The result is that organisations need to consider previously unheard-of concepts like forensic readiness, data sovereignty and supply chain risk. It’s important boards continue their journey in understanding cybersecurity. But this needs to move beyond occasional consulting pieces, audits or penetration tests. These are important, but directors need to ensure they’re investing in active, 24/7 cyber security defence, not just static reports that provide occasional glimpses into security.”
Smith says security cannot be a set-and-forget process. It requires regular revision and investment and must be built into how directors govern organisations.
“The investment doesn’t have to be disproportionate to overall technology budgets, but it must be well-considered and address key risks. It must also be sustained or security will atrophy quickly, given the agility of hackers.”
Three steps directors can take, according to Smith, are:
- Ensure cybersecurity is baked into governance structures, as with health and safety.
- Understand how their organisation is prepared for a cyber-attack, taking account of all its complexity, including:
a) operational disruption,
b) reputational and social licence impacts,
c) communications and stakeholder management,
d) people and culture consequences,
e) contractual, legal and regulatory issues, and
f) costs, revenue and insurance impacts.
- Ensure their organisation has genuinely active cyber-defence, based on a dynamic and capable 24/7 response that keeps up with this complex threat.