Navigating the Digital Age is a cybersecurity guide for company directors and decision makers. This introduction by Stephen Day highlights the importance of cybersecurity and why companies need to urgently think about putting preventative measures in place.
Why should I care about cybersecurity?
Chances are, while you read this brief article, there will have been thousands of attempts by cybercriminals to penetrate Australia’s banking and retail sectors, perhaps even your own business. And foreign intelligence services will have made several attempts to penetrate the networks of some of the nation’s biggest companies, as well as the government.
Australia is not at the head of the list of countries most subjected to intrusive cyberactivity — the United States probably owns that spot. But Australia is attractive to malicious cyberactors for a number of reasons.
- We are, relatively speaking, a wealthy people who do a substantial amount of our business online.
- We have valuable intellectual property in some specific areas of research.
- We have strategically important resources.
- We have some significant bilateral relationships and alliances.
There are three groups who pose a threat, including organised crime, foreign intelligence services, and issues-motivated groups. Sometimes the foreign intelligence service is aided by an insider. Sometimes the criminal or the issues-motivated group is an insider.
Organised crime is lucrative and operates globally. Long before most governments and businesses realised the value of their data, cybercriminals worked out that personal information and company data are commodities from which you can make money.
For the moment, Eastern Europe is the centre of gravity for global cybercrime. It is the most sophisticated and prolific region. But cybercriminals there are selling their tools and techniques to criminals from around the world. Their knowledge is migrating to the broader criminal community.
In late 2013, cybercriminals attacked a US retailer, Target. They stole around 70 million records that included the names, phone numbers, and personal addresses of Target customers. The details of around 40 million payment card numbers were also stolen. This led to the reissue of 21.8 million credit cards at a cost of around US$200 million. Several banks that incurred the cost of the reissue are pursuing legal action to recover their loss.
The criminals, meanwhile, generated an estimated US$53 million from the sale of stolen credit card details. Target’s profits were down 46% from the same quarter of the previous year. The company’s CEO and the CIO left the company.
Foreign intelligence services are the most sophisticated and best-resourced cyberactors. They do what spies have been doing for centuries: acquire sensitive diplomatic and national security information from other governments for strategic advantage.
They also target industry. In fact, their attempts against industry in Australia are more numerous than against the government. They are trying to obtain intellectual property, R&D information, as well as sensitive insider information about board decisions such as negotiating positions. They do this primarily for economic advantage, but there are other motivations as well.
In late 2014, Sony Pictures was subject to a cyberattack allegedly conducted by the North Korean state. Evidently the North Koreans were angered by a film produced by Sony, intended as a comedy, about a plot to assassinate a North Korean dictator.
In the cyberattack, important intellectual property was stolen and some of it selectively posted to the Internet, including the script for a not-yet-released James Bond film. Sensitive company data as well as personal emails of executives and clients, with confidential and embarrassing information, were leaked.
The attack included a destructive element that disrupted the Sony network for several weeks. The co-chairman of the film side of the business was invited to leave the company. As of last year, costs to repair the damage were in the tens of millions of dollars.
Issues-motivated groups seek to embarrass their target or attract publicity for themselves, or both. They do not need much sophistication to be successful.
Perhaps the best known, ironically, is Anonymous. But there are plenty of others out there, and it is common for them to work from within an organisation or to be helped by insiders.
The most publicised action by an issues motivated group was the 2015 breach of the ‘why-don’t-you-have-an-affair’ site, Ashley Madison, by some morally offended by the business.
Costs will take a while to become clear, but the CEO was invited to leave the company. (You may be picking up a trend here.) Evidently he believed that executives should try their own products. The legal fraternity have rolled up their sleeves for suits alleging breach of contract and negligence.
Five points are worth noting from the threat:
- There are real costs to companies from these compromises, costs associated with disruption, forensic efforts, lost revenue, reputation, and loss of executive and other valuable staff.
- It is clear that a cyberincident is ‘reasonably foreseeable’—an important conclusion for legal proceedings.
- It is not just about theft of data. The attack on Sony included a destructive element. If you can penetrate to steal, you can penetrate to destroy.
- Nation states are prepared to target industry to achieve strategic ends.
- None of the examples cited are from Australian business or government, and it is not because there are not any examples. There are plenty. There remains a reluctance to speak publicly about cyberincidents in many countries, including Australia. This needs to change. The nation needs to have an open dialogue to raise awareness of the threat and to swap notes on the best ways to deal with it.
The threat through cyber is present now. It is persistent, and it has real consequences.
If the functioning of your business rests on a reliable IT system, if you care about whether your customers can trust you with their information, if you care about your organisation’s reputation, if you believe in the competitive advantage that IP and R&D can deliver, then you need to care about cybersecurity.
Moreover, if you believe that safe, secure, and trusted networks are fundamental to the nation’s social and economic wellbeing and national security interests, then you need to care about cybersecurity.
What can I do about it?
The ‘what to do question’ is best tackled in several parts: three framing ideas, some questions to ask, and what to invest in.
First, dealing with risk of the cyberthreat is senior leader business. This is not something that should be left to your IT folks to sort out.
The solution is, in part, about technology. But it is primarily about risk management, culture, policy, and resource allocation. These levers are usually controlled by the board and the executive. So, effective cybersecurity requires senior leadership attention.
Second, cybersecurity is a team sport. To be successful against this threat requires an enterprise-wide approach.
It is no good if every department has the right approach, but the HR team, for example, do not; they will be the vulnerable point through which access to the enterprise can be achieved.
And there needs to be a partnership between businesses. Businesses with similar information holdings will experience similar targeting by malicious actors. Partnerships enable the exchange of information on developing threats and ideas on how to defend against it.
If a successful attack is prosecuted against online banking, then consumers’ trust in that form of business will degrade for both the victim bank as well as the broader online banking community. Cybersecurity should not be a source of competitive advantage; it is too important for that.
Third, cybersecurity is a process, not a product. There is no silver bullet that will make this problem go away, nor is there a one-size solution.
While there are some fundamental steps that everyone could usefully take—and all solutions should involve people, process, and technology—most organisations have unique circumstances with different risk profiles that are best addressed by tailored solutions.
Those solutions need review and adjustment to keep ahead of the evolving threat.
Read original article at: Businessinsider.com.au