Given the increase in cyber security attacks, organisations without a Security Manager will find it is the CIO who holds the key to building a company’s resilience against future threats.
Traditionally, the potential for a cyber security attack was seen as an IT or information security risk. As cloud technologies and digital transformation continue to revolutionise Australian businesses, cyber security attacks are increasingly viewed as a strategic business risk.
For the CIO, this means bringing together different parts of the business to ensure all staff are working together to prevent cyber security attacks and collaborating to build a greater level of resilience against such threats.
This attitude shift towards collaboration is coupled with CIOs also recognising that no level of security is impassable.
“There is no such thing as 100% security,” says David Morrison, General Manager - Governance, Risk and Compliance at Loop Secure. “However, by working with your risk management team and internal stakeholders, you can strengthen your defences against cyber security attacks.”
“This is not only about preventing and protecting your company against attacks. It’s working together to have the right strategies and infrastructure in place to support your ongoing business transformation.”
The Australian Government is also playing its role, by protecting personal information through the Notifiable Data Breaches (NDB) scheme that came into effect earlier this year (under the Privacy Act 1988). This scheme protects individuals and consumers, and establishes requirements for companies in responding to data breaches when a breach is likely to result in serious harm to any individuals whose personal information is involved.
Morrison says that companies need to be aware of the scheme and their obligations.
“If you have an annual turnover of $3 million or more, you may be required to notify individuals potentially impacted following a breach,” he says.
While the Australian Government continues to establish requirements for businesses through the NDB scheme, nothing highlights to CIOs the need for greater security measures more than the attacks themselves, which are becoming more prevalent.
Last year’s WannaCry ransomware attack affected an estimated 200,000 computers across 150 countries. With many companies shutting down for a week, some groups estimate the economic losses from the cyber-attack will reach up to $4 billion.
“The risk to your IT systems translates to financial and reputational risk for your company, where the trust and reputation you spend years building can be quickly eroded. This emphasises the need for companies to take the potential impact of cyber security attacks seriously,” says Morrison.
Attacks such as this increasingly make cyber security a greater focus, with companies starting to take a more proactive approach to threat intelligence.
This approach starts with adopting the mindset that a security breach is a possibility, and working with the right stakeholders on risk management and prevention through training and overhauling processes and controls.
Companies can also take a proactive approach by performing scenario-based analysis of what could go wrong in the event of a cyber attack. Understanding what your key assets and critical systems are, and what can go wrong with them, allows you to truly understand what your security requirements are and to prioritise risk remediation tasks.
This starts with understanding ‘what does our normal look like?’ and then ‘what would our abnormal look like?’. For instance, what does a one-week interruption to our business services look like?
Looking at this from both an IT systems and strategic perspective through internal collaboration allows you to put the right plans in place to act accordingly in the event of a security breach.
To learn how to build a cyber-resilient enterprise, download our whitepaper and executive guide here.