How to prepare for inevitable cyber attacks
Cyber attacks are one of the most significant and persistent risks facing organisations globally. With the continued evolution of ransomware attacks and ongoing IT system vulnerabilities, boards and management need to focus on their level of cyber resilience. The risk of cyber attack is not an “if”, but a “when” issue.
McGrathNicol’s recent ransomware survey, undertaken in conjunction with YouGov, found approximately one third of the Australian businesses surveyed had been subject to a ransomware attack. Of those who fell victim, approximately 80% elected to pay the ransom, with an average ransom payment of just over $1 million. It is clear that damage to a business’s brand and reputation is not the only cost to consider. Boards and management teams must prepare early and iterate their response plans in order to recover quickly and “stem the bleeding” after a ransomware attack.
In 2022, we will likely see an increased focus from regulators and the government in response to a heightened global risk landscape. Most industry sectors have had breaches which have caused significant disruption and, in many cases, harm to individuals.
The Federal Government’s response will see proposals to further amend the Security of Critical Infrastructure Act 2018, with a focus on enacting a framework for risk management programs, declarations of systems of national significance and enhanced cyber security obligations. These changes will likely affect many businesses as “critical infrastructure” is defined as including the larger supply chain that supports traditional critical infrastructure providers. We also expect to see new mandatory reporting requirements introduced which will affect many organisations that traditionally have not needed to report attacks.
Ongoing education can help reduce cyber incidents. However, in our extensive incident response experience, the most common root cause of a cyber incident has been the exploitation of a misconfigured, outdated, or vulnerable security control. Developing a robust process to ensure security controls have been configured correctly, tested regularly and patched to the latest version should significantly reduce the chances of an organisation becoming a victim of a cyber incident in the coming months.