Technology-enabled crimes, such as online fraud, identity theft and scams, are now an undeniable part of our digital existence. According to recent reports from nbn™, the average Australian household has 13.7 digital devices connected to the internet. Reports of technology-enabled criminal activity aimed at everyday Australians are rising each year (over 45,000 reports to ACORN in 2016) and are affecting us much more on a personal level. Cyber safety is an important life skill. Our kids now receive training on cyberbullying in schools, and ICT acceptable use policies are distributed for parental acceptance when kids start kindergarten. This has changed dramatically over the last 5 years, and we are certainly not finished yet.
What of the business front? Are we more protected from would-be cyber criminals in our sophisticated corporate networks? Recent reports and studies (such as the ASX Cyber Health Check) would suggest we are on the right trajectory, but there is work to do. We are dealing with an often sophisticated adversary, capable of larger, more targeted and arguably more disruptive cybercrimes like ransomware, credential-harvesting malware and social engineering attacks such as the very successful Business Email Compromise. These are not new issues, and by now I would like to think that most Australian businesses have cybersecurity on their roadmap, but not in isolation. We need to be considering cybersecurity alongside our other important risk issues, like financial risk, reputational risk and information risk.
It is fair to say that if you don’t have a plan, you are not even in the game and if you haven’t started your cyber journey, then there is no better time than right now. It’s up to all of us to help make Australia a hard target, all the way through the supply chain whether we are a large listed company, or a small medium enterprise.
So where do you start? Try our 4 Steps to Resilience (depicted below) and make sure you seek out continued guidance from the Australian Cyber Security Centre and the state-based Joint Cyber Security Centres.
Four steps that take Cyber Resilience from theory to practice
Know your current state
An honest assessment of current capability is required when setting an informed cyber and information risk strategy. A highly effective starting point is conducting a cyber resilience risk assessment across the full enterprise spectrum.
Do not ignore the technical
Yes, the management of cyber risk is a business issue, but there is a technical component that cannot be ignored. There needs to be a plan to deal with both, one that maps the technical aspects to the enterprise risk language and framework. The ASD Essential 8 is a fantastic starting point.
Patch the ‘human’ element
The majority of cyber attacks on business are directed at people. We need a people strategy and a program that embeds them as a key part of our defence plan. We need to teach them and train them regularly.
A practical plan to respond
A written incident response plan is mandatory, but knowing how that plan works in the heat of the moment and who will take control of the different aspects will be invaluable in helping to avoid unnecessary surprises.