Senior decision makers within organisations must accept accountability and assume responsibility for the security protocols put in place to bolster cyber defences, according to Somerville CEO Craig Somerville.
Despite regular media reports of large-scale malicious cyber attacks, many Australian company directors remain oblivious to the steps they should be taking to improve the readiness of their organisations.
Designed to cause disruption or extract financial gain, these attacks are increasing in both number and sophistication. In reality, it is a matter of ‘when’ rather than ‘if’ any given organisation will become a victim.
The issue was highlighted recently with the release of a discussion paper by the Department of Home Affairs. The paper called for comment on proposed governance standards designed to improve cybersecurity risk management practices in listed companies and other large organisations.
The discussion paper highlighted three key areas of action. These included setting clear expectations of how organisations would manage risks, increasing transparency and disclosure requirements, and protecting consumer rights.
Further action required
While this initiative should be applauded, it unfortunately does not go anywhere near far enough. The discussion paper raises the possibility that any new guidelines would not be mandatory and that compliance would be left up to individual organisations. It also indicates that the guidelines would be ‘principles based’ rather than prescriptive.
If Australian organisations and citizens are to be better protected from the serious damage that can be caused by cyber attacks, far more needs to be done. Penalties need to be in place that ensure the issue receives the required level of attention from board members and senior managers and required initiatives are undertaken.
To improve the readiness of Australian organisations for cyber attacks and to ensure their IT infrastructure is robust and secure, a number of key steps are needed. These steps include:
- Create a comprehensive framework:
A concrete set of practical steps needs to be created that clearly explains all the measures an organisation must take to become resilient to cyber attacks. This framework can build on existing guidelines such as the ASD Essential Eight, NIST guidance and ISO/IEC 27001, but must contain far more detailed, actionable guidance than those documents currently offer.
- Educate board members:
All board members need to understand the content of the framework and their responsibility to ensure it is implemented. Some board members tend to think that, as long as they have anti-virus software running and a firewall in place, their infrastructure is secure. Yet those two controls do nothing about unpatched systems, phished or stolen credentials, or the absence of tested backups, which is why frameworks such as the Essential Eight go well beyond them. Being unaware of the extent of the threats and what is required to counter them is no longer an option.
- Allocate an IT security budget:
Implementing an effective IT security programme requires the allocation of funds. The board must ensure that these funds are available and that they match the level of activity actually required within the organisation, rather than being set as a fixed fraction of the general IT budget.
- Don’t rely on insurance cover:
Some boards mistakenly believe that any losses incurred after a cyber attack will be covered by insurance. However, many policies require the insured to demonstrate that reasonable protective controls were already in place, and a claim may be rejected if that evidence cannot be produced. Insurance can transfer part of the financial loss; it cannot substitute for the controls themselves.
- Conduct constant reviews:
The cyber threat landscape is continually evolving, with new attack techniques and malware variants emerging all the time. For this reason, the measures an organisation has in place today may not be sufficient tomorrow. Take time to regularly review the situation and make adjustments where required.
- Educate staff:
Responsibility for security does not end at the board level. All staff in an organisation need to be educated about the threats they might encounter and the steps they can take to mitigate them.
- Conduct public awareness campaigns:
As well as creating guidelines, both state and federal governments should mount widespread communication campaigns to ensure members of the public understand the cyber security risks being faced. The campaigns should highlight the nature of the threats and the practical changes to online behaviour that individuals can take.
By following these steps, Australian organisations will be much better placed to withstand cyber security incidents when they occur. Time spent addressing the challenge today can prevent significant losses and disruption tomorrow.
Craig Somerville is the CEO of security services provider Somerville.