Awareness of cybersecurity and online risks among businesses has markedly increased since the outbreak of the COVID-19 pandemic. Although this is positive news, there is still a need to improve understanding and skills within organisations.
Our experience over the past 12 months is that cyber-risk has been discussed repeatedly at the very top levels of businesses, by both boards and executives.
This observation supports the latest HLB Cybersecurity report, released this month. According to its findings, almost half (47 percent) of C-suite executives globally are ‘concerned’ or ‘very concerned’ about the risks to their business from cybersecurity issues.
In part, the heightened awareness has been driven by the increase in people working from home during the pandemic. Remote working has created a greater level of risk for organisations. This change has triggered a shift in how companies view cybersecurity and, perhaps more significantly, the likelihood of it affecting them.
Although organisations are taking a step in the right direction, there remains a gap in the skillset of board members and directors: they need to be able to assess the information they receive appropriately, and to benchmark the organisation’s activities against industry standards.
Cyber-crime has been steadily rising in recent years, particularly in Australia. Statistics from the Australian Cyber Security Centre Annual Cyber Threat Report 2020-21 show that reported cyber-crime increased by 13 percent between 2020 and 2021, with a cyber-crime reported every 8 minutes in Australia in 2021, compared with every 10 minutes in 2020.
What is even more troubling about these statistics is that reported crimes are likely to represent only a fraction of actual crimes. Cyber-crime covers a gamut of activities, from an email sent by a purported Nigerian prince to the hacking of a financial institution’s database to access the personal details of millions of customers.
Learning to ask the right questions
It is imperative that boards and management ask the right questions about what the business needs in terms of extra resources or system upgrades. Just as importantly, they must be equipped to fully understand the responses.
From a corporate governance perspective, executives cannot simply rely on what they are told by others in the organisation. They need to be able to properly analyse and assess that information, and decide whether the steps being taken to protect the business from cyber-risks are robust enough and meet requirements.
Security recommendations for boards and management
There are a few steps that businesses can take to help protect themselves from a cyber attack. Firstly, it is vital for a business to have a security framework in place to manage cybersecurity risks. The security framework should be benchmarked against recognised security standards so that any gaps can be identified. Good points of reference are the security standards published by the National Institute of Standards and Technology (NIST) and the Essential Eight Maturity Model developed by the Australian Signals Directorate.
We usually recommend to clients that they conduct vulnerability assessments and penetration testing on a regular basis. These activities help identify cybersecurity exposures in the business’s IT environment. It is also critical to introduce:
- multi-factor authentication and adequate password protocols;
- secure cloud-based technology;
- virtual private networks (VPNs);
- encryption methods; and
- regular staff training.
The last point on the list is the most important aspect of any cybersecurity protection plan. Training all staff on a regular basis, and running frequent tests, is vital. A business can have the most advanced and technologically sound security infrastructure in place, but all it takes is one small mistake by an employee for it to come undone.