How directors can help their organisations manage the growing risks of cybercrime was discussed at a recent panel event hosted by the Australian Institute of Company Directors and CSC. Zilla Efrat reports.
Information technology is an opportunity and a major risk to businesses. But while many directors feel intimidated by it and prefer to leave it in the hands of the computer "geeks", no board can afford to ignore IT and its risks.
One risk is the escalation of cybercrime. A breach could damage a company’s reputation and brand and cost it millions. Well-known companies like Sony and Dell were recently attacked by hackers who stole the personal details of millions of customers.
But cybercrime could even threaten national security – the parliamentary computers of Prime Minister Julia Gillard and some senior ministers were reportedly hacked recently and thousands of emails accessed.
In its Internet Security Threat Report, Symantec revealed that the volume and sophistication of cyber-attacks through the internet jumped by 93 per cent in 2010 compared with the previous year. It also noted more than 286 million variants of malware in 2010.
With cybercrime risks expected to escalate further with the advancement of mobile technologies, social media and cloud computing, how can directors help their organisations manage this growing concern? This was the topic at a recent panel event hosted by the Australian Institute of Company Directors and CSC. An edited extract of the discussion follows.
Graham Burdis: What do we mean by cyber security?
Gordon Archibald: Cyber security is about people, processes and technologies. At CSC, we call it cyber confidence. This has a lot to do with trust – can you trust the person that you are dealing with? Your partners, supply chain, clients or employees?
Jim Dickson: How do you balance that with the fact that we want our members or clients to be able to amend their data online and keep it up to date? Members expect to be able to do that and we want to allow that because it reduces costs. But there is a huge risk. CPA Australia, for example, has 135,000 members all around the world and many in high-risk countries. Is there a silver bullet?
Archibald: There is no silver bullet. The approach we take with our customers is to understand and clearly define what the risks are when introducing new technologies or systems, and also to understand what the business drivers for this are and their risks. Then we look at the controls. Controls involve people, processes and technology. An issue is that corporations historically have governed via policy. But this is inadequate given the evolving threat landscape. So we need to have continuous monitoring across the controls that relate to situational awareness. The risk levels of new technologies like personal iPads and mobile phones are relatively low at present, but you still have to be pretty cautious about these. As the volumes of these devices increase and corporations start to use them more, the focus will be on them and we will see more areas of data compromised by these devices. It comes down to risk versus business benefit and you need to clearly understand that risk. If you accept it, move forward.
A lot of corporations manage risk quite well, but then there is a compelling event that changes the policy. These days, the event can be spilled across the newspapers, as we have seen with companies like Sony, RSA, Lockheed Martin and so on. The onus is really on directors and boards to make sure the policies are accurately defined, that they understand the risks and that they put the right controls in place. Policy is one control, but you also need to have visibility and assurance about what is happening.
Nigel Phair: I don’t like the term IT security. It’s one dimensional and almost like putting it in a box where you leave it to someone else to look after. This is a total organisation-wide responsibility. Convergence is critical. People want to bring their own applications and devices into the workplace and you need to be able to integrate this with policies, procedures, training and education.
Burdis: What are organisations doing to counter these problems?
John Barriga: It’s an individual process. When you look around, the first thing you notice is that staff bring their own telephones to work and know exactly how to hook them up to any network because they have the knowledge to easily find the configuration of the system, and know how to replicate it across to different devices.
It’s amazing how businesses can quickly lose security controls. To address this, we are undertaking constant analysis to understand what new policies we can put into place, what’s available, how we can use new technologies (e.g. GPS systems), and how secure we can keep the data.
We are also looking at whether the legislation allows us to take data collections and data systems further from a security perspective. There are challenges there and we are trying to identify the unknown.
For example, the security concern on our retail side is always focused on loss of credit card and customer data. But that’s the ‘known’ and that’s what we get audited on. It’s the unknown that’s the problem. You see the problems in some foreign countries, where people have phones and access to social media with the ability to perform some form of electronic attack in Australia. We also need to adapt to new speeds of information accessibility.
When September 11 occurred, I was in an environment where there was a systems lock down and the flow of information was very slow. Now look at the recent tropical cyclone in Queensland. The flow of information happens instantly over social media. It is now so easy to lose information across the cyber world.
Reviews are not just about policy. We have touched on governance, but governance and rules can only take it so far. We have control over the devices the company owns, but what about personal devices? For example, I have seen a 19-year-old in a business who managed to link her iPad to her work phone to get onto the Internet. Simple innovative ideas are happening on a day-to-day basis that are difficult to keep up with.
Peter Howman: Several organisations engage hackers to see if they can break through their systems. This is fine for the tools of today, but the attackers and systems are advancing so quickly that you can test today, but will that be relevant tomorrow?
Phair: I am a bit jaded with that. They call it penetration testing. I know the people who do this and there are some good ones and some bad ones. They will often find something and often that is a way of getting some consulting hours. There will always be vulnerability somewhere. Whether you should be testing depends on which industry you are in and if you are carrying customer or financial data. This then leads to the question of why you are carrying that data and if you are, it should be encrypted.
Deborah Robinson: We have put in a series of controls to minimise our risks. Our controls are around the firewalls, encryption, automatic timeouts, incorrect access code locks, last login time checks, password requirements and data limits on accounts. We use specialist firms to look after our computing needs. They also do this for other credit unions. By pooling resources, we can put more money into this area to address the risks and have experts in place.
Phair: That’s great. But technical controls will never win the day. It’s good to tick that box, but it’s such a decreasing slice of the pie when it comes to online security.
Howman: What you are monitoring changes quite quickly. Are you still able to understand what is going on? Are the attackers using different ways to get in?
Archibald: Looking at historical point solutions put in place to address a particular business problem, deployed in isolation and not integrated with other controls, no longer works. We need to have a top-down approach and that starts with governance and includes an enterprise-wide security strategy that looks at all aspects, including your people, security awareness training, policies and the technical and physical controls.
We tend to find a lot of organisations already have controls in place to mitigate these types of risks, but that these are quite often poorly deployed and not fully utilised. You need to understand your current state and what’s relevant to you in your business and then map your future state. Some of that will be technology. Some will be processes and some will be controls. You also need to have continuous monitoring of data, including patching, anti-virus software and compliance. Many organisations have systems with default and weak passwords, or systems that aren’t patched for known vulnerabilities. This all means systems are not "hardened" and they don’t know what devices are connected to their enterprise. You need to get the basics right. Improve your visibility and assurance across the business and be proactive with security. It’s always better to protect than to react.
Burdis: That’s from management’s perspective. What about me as a director? How do I know this is really happening in my organisation?
Archibald: At a director level, it’s really about setting governance and policy and letting the executive management – the chief information officer (CIO), the chief security officer – implement the strategies.
As a director, you need to have visibility and assurance with confidence. It is about understanding the state of your security, where you are in the strategy and planning, and being able to make changes as your business changes so that you know at any time what you need to do next to protect your environment. You may acquire a company. You may move to another country. You may move offshore to a cloud even within your own country. What do these risks mean to your business and how does your strategy need to change? A point-in-time security strategy will not work. It needs to be a living program.
The board wants to know: How can we have confidence in our business? Is my executive team managing security appropriately? What’s my threat and vulnerability? What incidents have we had? What is our compliance like? Are we agile? Can we react to an incident? Can we trust our partners?
We need to keep it at a confidence level for boards and then empower the executive team to provide the board with the information it needs and in a format that makes sense. Compliance sets a good benchmark but it doesn’t equal security. You find many organisations have a lot of regulations, policies or standards that need to be adhered to. They have an audit, fix some things up to get past it and then there’s another audit.
We advise boards to move from an audited organisation to an assured organisation. You need to have continuous controls-based monitoring and move away from manual reporting and just ticking the box for each thing you have done. Many government departments, for example, have all these recommendations around compliance, but the board doesn’t know if these were implemented until the next audit. If you have continuous monitoring, you know. There are also some benefits for the board. You can reduce your costs for audits, have that visibility coming back up and know on a very regular basis that your policies are being set and standards implemented.
Howman: You also have to look at what information you want to make available to the public. Some organisations want to be transparent. How do they then isolate that from the information they don’t wish to be transparent to the public?
Phair: I’m not sure it’s a decision you can make. Your employees might be using social media to talk about you. You just have to accept that more information is going to get out into the public domain.
Howman: I agree. Sites like Facebook have become sounding boards and a lot of it just permeates. The information often gets twisted and turned, and malicious, and after a while, it’s no longer really true.
Phair: I think Facebook, Google, et al, have a lot more to be responsible for. They use the good parts to pump advertising at you – that’s really what it is all about – but their responsibility is minimal. Facebook, for example, doesn’t even have an Australian or Asia-Pacific-based safety adviser to deal with law enforcement and other issues. It’s very US-centric.
Archibald: We are starting to see legislation and regulations, especially in the US and Europe, that put requirements on boards to disclose data breaches, especially around people’s individual documentation and privacy. We are leaning towards the same sort of things in Australia. That obviously needs to be very carefully managed. If you have a data breach, the board needs to get the legal team involved. You have to work out how far you communicate that to your partners and clients. If you don’t communicate that, you could be putting your customers at risk – for example, if credit data is leaked, their credit cards could be attacked.
Phair: The first data-breach legislation came out of California in 2003. It’s been embraced by most US states and in Europe. About three years ago, the Australian Law Reform Commission recommended that we needed data-breach legislation. I bang on about it whenever I get a chance. It’s critical to have the legislation to build trust and confidence.
Barriga: Let’s forget about cyber security for a moment and talk about physical security. As a board member, you don’t look at a report that says how many times they locked the front door. You want to know that your staff members are safe, so you request a safety report. It’s no different with cyber security. You don’t ask for information on how many times the firewall has been patched or that the penetration test has been done. You just want to know that your data is safe and sound. Why talk to boards about security? I think this is a weakness as executives tend to only report on competition, costs and safety. That’s where the executive or CIO needs to understand they are not there to present technology. They are there to present the value of the technology and its functions.
Phair: To me, reputation is everything. It is the "front page" test. If you have a physical breach at your office because someone didn’t lock the front door, it probably won’t make the front page. If you have a data breach, it will make the front page and that’s why the issue has been elevated in interest.
Barriga: It’s also not just about the email system failing or the website being down. What keeps you awake at night is someone coming in, electronically, copying your data, and it’s not until six months later that you find out that a competitor or someone outside the organisation has been using your data to cause harm. You are six months too late to investigate.
Phair: There is also the old chestnut of the insider attack, which is the big sleeper that people refuse to look at sufficiently. It’s about whether your staff, clients or contractors have access to your systems, are taking USB sticks home at night, emailing stuff out, putting it on a CD or you haven’t yet taken their access rights away.
Burdis: Do boards spend enough time on cyber security?
Dickson: Cyber security is an important responsibility and it needs to be given priority with other essential agenda items.
Phair: They need to spend their time in a non-technical way. I think that has always been the proverbial IT problem – that IT is not really part of the business and the type of people that work in IT broadly are not good communicators.
Barriga: Remember, it can take six to 12 months to develop a comprehensive competition strategy, but IT changes every few months. So it’s not a matter of spending too much time on it, but also being flexible and adaptable – knowing what you were thinking about three months ago may not apply today.
Howman: It’s management’s job to keep on top of the technology changes. The board is not going to do that. I take advice from our CIO and expect our CIO to be across the threats and know how to deal with them. What we do as a board is attend to policies and how to improve them.
Barriga: What’s also important is the quality of the CIO. Historically, they have been the IT person who moves up the ranks. Sometimes, they can be bad communicators because they talk "technical" speak. Some don’t have a commercial focus and don’t talk about risks. And then the board doesn’t get information that is relevant. Boards are also changing and now include more young people. The key security questions come up straight away now. So, on the question of how much a board needs to be involved, it is coming with the next generation. The technology they use at home and their own security fears are what they are going to bring back to the board. I am already experiencing that. I put a proposal forward and they ask questions that would not have been asked a year or two ago.
Howman: You have a board meeting every four to six weeks. The board packs and your time are focused on core business. Then you have this thing on the side that could damage or even close your business and it is very technical. What should the board look at? It has to be something simple to understand and which can tell you that your processes are right. You’d spend a very small amount of time at a board meeting on this.
Burdis: But it could go wrong. Should it become more of your business?
Phair: Naturally I am biased, but I would say yes, only because it’s so critical to every part of your business. The important thing is your response if things go wrong. What has management planned? Will it have talking points for the media? What will go on the website? What will your government relations people do if the minister rings?
Howman: Many organisations don’t have a response plan in place. If you are on Twitter, you have to respond very quickly. You have to have someone authorised to respond who understands the organisation and what it is prepared to say.
Phair: People are going to tweet about your organisation whether you have that person or not. So you have to address this anyway and quickly. The security of the South Australian Government’s medical laboratory, Medvet, was recently breached. About two days later it put a message on its website saying it was looking into it. It was a great example of how not to respond.
Archibald: The response plan needs to have clearly articulated activities and responsibilities assigned. There needs to be a technical stream around service restoration and a management stream around the legal aspects and communications, and communicating up to the board.
Robinson: I am quite encouraged about what the Government is doing in this area. Together with the Australian computer emergency response team (CERT Australia), it has a huge focus on cyber security. There is a cyber security operations centre. It is working with business and internationally. It is modelling best practice. It’s not just business that has the focus on this.
Phair: CERT Australia is a good idea, but it’s still getting up and running. It is taking over from AusCERT, which was at the University of Queensland. It will produce vulnerability reports, which you can get for free now. A bunch of vendors will give you all that stuff.
You also have the Cyber Security Operations Centre in the Defence Signals Directorate (DSD), which is focused on government departments. The latest DSD report sets out the top 35 vulnerabilities organisations could encounter. If they just looked at the top four, something like 85 per cent of their problems would be gone. And companies are still not doing that.
Archibald: From what I have seen, it is a lack of investment in controls and a lack of visibility about what is happening in the business. There is an assumption that policies are being implemented and a lack of understanding about what the threats actually mean.
Phair: To get back to the Government’s response. It runs National Cyber Security Awareness Week. This is great, but it’s one week out of 52. It’s like having "safer Tuesday afternoon driving". We have to get a lot more fair dinkum. Everything is about end-user compromise and trust, as far as I am concerned. Having one week of ministerial announcements followed by a website to cover the other 51 weeks is not right.
Dickson: What about other government departments and agencies?
Phair: Government agencies that hand out payments need to think more broadly than just their systems. They need to look at their client base and how their customers could be duped out of their personal details. There are so many scams out there. They need to look at more than their infrastructure being secure and adjust their controls to address them.
Howman: As a director that’s more important to me – to understand what attacks may be happening to our organisation and its customers that involve us and how we can address that. Some sort of report on that coming to the board would be of interest.
Archibald: A program can go so far, but people are a major issue when it comes to security.
Burdis: Can you give an example of this?
Archibald: Say someone senior was going to a conference and put this on Facebook. While at the conference he got an email he thought was from his office saying some changes needed to be made to his presentation and they needed his password and other details to access his account.
Another typical example, called "No Tech Hacking", is discussed by Johnny Long. He was presenting at a defence conference and asked the participants: "Who can tell me what the blue sticker means on the cars outside?" "That means you work for the CIA," he was told. "What about the green sticker?" "That means you work for the CIA but are in a special group." The participants were telling him stuff about the CIA that was meant to be confidential. What if he had taken photographs of some confidential papers in the car with a green sticker? He would now know those belonged to an executive person at the CIA.
Phair: A simple question I ask those who are on LinkedIn or Facebook is: "How many of you have friends you have never met?"
Burdis: What about the communications when the worst happens? We have seen some bad responses.
Phair: The big one is "United Breaks Guitars". It’s one of the most visited videos on YouTube. Members of a band were sitting on a plane watching the ground staff chucking their guitars on the tarmac. Their guitars were broken, but United said they must have been broken beforehand. So they did a YouTube parody that went viral and had more than 10 million hits.
Burdis: How does a board deal with that? We have talked about a planned strategy. Is it possible?
Howman: In a generic sense it is, but I think on the specifics, it’s not. That’s where you need your spokesperson to understand the business and what to say and when. Often it’s best to keep it short and sharp. You also have to be careful you are not saying too little, so you have to balance that as well.
Phair: It’s where you say it, as in the platforms, and who you say it to. It depends on what business you are in and whether you have a government relations team. You have share-price issues and stakeholders to consider. I would be using Twitter, for example, to get the message out there quickly.
Archibald: It’s important to understand the effect of the breach before deciding on how much information to release. You also have to understand the company’s responsibilities both legally and morally to customers and other stakeholders before making that judgement. This really needs a lot of thought because if done wrong, it will affect your business.
Sometimes you may not be required to communicate to the outside world. You have to decide where that decision will be made and how it will be analysed. When it’s severe, the board needs its legal and marketing and communications teams to be involved.
Burdis: What is an advanced persistent threat and how can organisations deal with it?
Archibald: Let’s start with what it’s not. It’s not advanced malware. It’s not social engineering. It’s not the zero-day attacks. It’s not the missing patches. These are all tools that can be used for an advanced persistent threat.
The attackers could be a nation state or cyber criminals that are highly skilled. They understand the security controls we have in place, the weaknesses and organisations’ monitoring and responding processes. They want to remain unknown and undetected. They want to move by stealth. If it takes them one month, six months or 12 months to get through to your business, they will take the time to target what they want. They are well supported financially.
The challenge for organisations is to have the ability to better identify anomalous activity within their environments and improve their protection. You also need highly skilled people to help you recover.
If you are compromised in one place, they may have already attacked other systems. So you need to have visibility throughout your enterprise to see where else this is happening.
A major defence business I am aware of shut down for one week to recover all of its business because that was the only way it could be sure it had addressed the problem.
Vendors also need to get more proactive and give us controls that are not reactionary and which are able to see anomalous activity.
Robinson: Do you think the law is keeping up with cybercrime?
Phair: Yes, but law enforcement isn’t. The laws we have are sufficiently technology neutral and they correspond with the Council of Europe Convention on Cybercrime. But it’s all about the end user and trust and confidence.
If your car has been broken into, you feel confident going to a police station to report it and know they will do something about it. If you go to a police station because you have suffered a phishing attack or been hacked into, their eyes will just glaze over and they will not know what to do. They don’t have the resources.
Gordon Archibald
Chief technology officer for CSC’s Global Security Solutions division
John Barriga MAICD
General manager and chief information officer at ActewAGL
Jim Dickson GAICD
Director of CPA Australia and deputy chair of International Federation of Accountants’ Compliance Advisory Panel
Peter Howman GAICD
Chief operating officer at Defence Housing Australia
Nigel Phair GAICD
Analyst on the intersection of technology, crime and society and author of two books on the international impact of cybercrime
Deborah Robinson FAICD
Director of Service One Credit Union
Graham Burdis MAICD
Director of Burdis Marsh Partners