From ransomware attacks to phishing scams, cybercriminals are using increasingly sophisticated methods to steal data and disrupt operations. Australia’s leading cybercrime experts share advice for boards determined to keep their organisations a step ahead of the threat.
The cybercrime threat landscape continues to escalate as predators become more opportunistic and numerous, according to the 2023 Global Threat Report by global cybersecurity leader, CrowdStrike. There is worrying evidence that adversaries are increasingly targeting cloud environments, with cloud exploitation increasing by 95 per cent in 2022. The number of cases involving “cloud-conscious” threat actors has almost tripled.
A key metric in cyber defence is called “breakout time”. This denotes how long it takes for an adversary to move laterally from one compromised host to the next. The average breakout time is 12 minutes shorter than it was last year.
“We’re now talking about less than 90 minutes for a cybercriminal outfit to make a lateral movement within an organisation,” says Fabio Fratucello, chief technology officer for Asia-Pacific and Japan at CrowdStrike.
“Directors therefore need to be thinking about their organisation being able to undertake the process of alerting, detection and response in less than that time.”
Legal implications of a successful attack
Following high-profile cybercrime incidents against Optus, Medibank and Latitude Financial, regulatory bodies the Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority (APRA) have reaffirmed their position that cyber resilience is a responsibility of the board.
“The government is even considering obligations on directors specifically addressing cyber risks,” says Cameron Whittfield, a partner at Herbert Smith Freehills (HSF) who specialises in digital law, cybersecurity and emerging technologies. He notes that the idea has been floated by the previous government, although without success.
Recent legislative reforms reflect a stronger focus on the role of the board in cybersecurity. The Security of Critical Infrastructure Act 2018 (Cth) requires boards to approve an annual report relating to an entity’s risk management program, while APRA’s Prudential Standards also deem the board accountable.
“While largely untested in the cyber context, there remains a risk that liability is sheeted back to individual directors,” says Whittfield.
“This could be through breaches of director duties, shareholder derivative actions and direct or accessorial liability.”
Directors could be pursued personally through “stepping stone liability”, where a breach of directors’ duties is established by a failure to prevent the organisation breaching the Corporations Act 2001 (Cth), or a similar law.
Given that breaches of disclosure laws are a common trigger for class actions, they are also a potential basis for stepping stone liability to highlight a breach of directors’ duties in the event of a material cyberattack.
“This is certainly an area to watch as we all look to navigate an increasingly complex cyber legislative minefield,” says Whittfield.
From a legal liability perspective, the scrutiny of an individual director or the board is more likely to focus on the period before a cyberattack, rather than while it is taking place.
“Cyber risks are now accepted as ‘reasonably foreseeable risks’ that directors ought to consider when making decisions in the best interests of the company,” says Carolyn Pugsley, managing partner for corporate and regional head of practice at HSF.
Questions could be raised as to whether directors acted with due care and diligence in identifying and responding to cyber risks. Pugsley cites failing to allocate resources towards a necessary upgrade of IT systems as an example of falling short.
Directors are likely to have a lesser role during the incident response phase. However, its overall effectiveness will impact the degree of reputational damage done. Boards therefore need to assure themselves that an effective incident response plan exists, says Pugsley.
Effective planning is critical
Organisations must invest proactively to defend against cyberattacks.
Many organisations take a reactive approach to cybersecurity, rather than looking at how to proactively invest for protection, says Pieter Danhieux, CEO and co-founder of Secure Code Warrior, a global software development security company.
“Even today, a chief information security officer (CISO) often needs to push for a seat at the boardroom table,” says Danhieux. “They also contend with dispelling the notion that cybersecurity is a cost centre rather than a must-have in defending the company’s digital assets and reputation.”
In managing the risks posed by cybercrime, directors should consider the reasonableness test when assessing their planned level of action. “This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago,” says Scott Hesford, director of solutions engineering for APAC at BeyondTrust, which provides identity and access security. “Different companies within an industry may also have different risk appetites.”
Hesford recommends creating an organisation-wide crisis management team with representatives from each department, including the audit and risk committee, the legal department, marketing, sales and senior management. “In this way, all aspects of cyber risk can be assessed and each part of the organisation made aware of its particular role both in mitigation and response,” he says. “The team will also learn how cyber risk planning can deliver business benefits that extend well beyond improved IT security.”
Assessing the threats
Boards should take a broader perspective that encompasses resilience.
The threat posed by cybercrime is so complex and vast that traditional concepts of security risk management are inadequate, says Kris Lovejoy, global security and resilience practice leader at IT infrastructure services provider Kyndryl.
“Conventional security risk management assumes that an adversary can be kept out or, at worst, quickly detected and removed,” she says.
Lovejoy calls on boards to take a broader perspective that encompasses resilience. This includes efforts to anticipate and plan recovery from cyberattacks.
She advises that best practices to manage threats are to:
- Reconsider the role of the existing security team. Create a cyber resilience function that manages various forms of cyber risk in a more integrated way. Avoid IT silos.
- Embrace a “resilient by design” philosophy. “As teams design new digital services, assess new products and vendors, ask how does this change our cyber risk?” says Lovejoy.
- Leverage third-party sources to help you identify new threats and monitor the regulatory landscape.
- Obtain third-party assessment of your ability to anticipate and withstand a cyberattack.
- Create escalation protocols for how and when the management and supervisory board should be notified and engaged in cyber incidents, such as ransomware payment decisions.
Should a ransom be paid?
The Australian Cyber Security Centre (ACSC) received almost 500 ransomware-related cybercrime reports in 2020–21. Globally, the proliferation of ransomware is attributed to the Ransomware-as-a-Service (RaaS) model becoming more prevalent. However, some positive news is that the rate of ransomware attacks declined in Australia in 2022, with 70 per cent of organisations surveyed reporting an attack, compared to 80 per cent the year before, according to the Sophos State of Ransomware 2023 report.
As organisations step up their defences, cybercriminals are responding with new tactics. The “leak and lock” ransomware attack involves leaking out some information before locking it, so as to add extra pressure to an affected business.
“An organisation will have a number of competing pressures and company directors will ultimately need to decide what is best for the organisation,” says Fabio Fratucello, CTO for Asia-Pacific and Japan at CrowdStrike.
“They will need to weigh up the risk to the customers from downtime, and the risk to the market for shareholders,” he says.
Fratucello recommends testing the decision in advance of any ransomware attack occurring. Do this regularly, as risk profiles will change over time.
“Create a drill scenario that mimics the situation,” he says. “Try to understand the pressure of having a range of elements at play. What are some of the conditions that may make you doubt your decision?”
CrowdStrike’s guidance is not to pay the ransom. The inherent risk of paying is that it draws an organisation into facilitating criminal activity, which can have dire reputational consequences. There are also no guarantees that the data will be restored even once a ransom is paid.
Of all the various cyber threats that exist, a ransomware attack has potentially the most catastrophic impact because it can be costly to restore data and the reputational damage either way can be severe. For that reason, Fratucello urges directors to do everything possible to avoid having to decide whether to pay a ransom. “Even if we just look at it from a financial position, an organisation is much better off spending the money on building its capabilities in incident prevention and response.”
Solutions to protect a business
Innovative products are available to help an organisation improve its security posture. However, the most critical thing a board must get right is its approach to security culture and data management, says Daniel Sekers GAICD, chair of cybersecurity solutions company Votiro. “Culture is set at the top and filters down to the rest of the organisation. If that culture lacks the right tone, then often the rest of the company won’t get it right.”
The first step for a board is to understand what kinds of data sit within the company. What data is held by third parties such as lawyers? Obtain their policies and procedures on data protection to ensure it meets minimum requirements.
Next, assess the value of the data and the associated risks of a breach. “As a business, you need to assess what that data is worth,” says Sekers. “How much do you need to invest to protect it? If it is being stored, does it need to be encrypted? Hackers are out there searching for ways to create a data breach. It’s pure economics for them. They need to look at how much they can sell that data for online.”
When evaluating which solutions are appropriate, consider “defence in depth” — a strategy that leverages multiple security measures to protect an organisation’s assets. “You don’t have to secure everything to the highest level, but the most important bits of data are worth spending more time and money on getting right,” says Sekers.
Conversely, if data is no longer needed, invest in its safe deletion. “Get it away from the servers and don’t make it part of your risk profile,” he says.
Building director knowledge
Safeguarding businesses from the evolving cyber threat landscape requires four broad activities, according to Jay Hira, founder at MakeCyberSimple and director of the ISACA Sydney Chapter (ISACA is an international professional association focused on IT governance). These are prioritising cyber hygiene, making a risk-based investment in cyber, embracing emerging technologies, and placing a greater focus on resilience.
“Boards can’t govern what they can’t measure,” says Hira. “Establishing appropriate cybersecurity metrics, and regular communication of these metrics back to the board, allows them to keep a finger on the pulse and provide guidance where necessary.”
Safeguard your business with four key steps:
- Cyber hygiene includes activities like vulnerability identification, having a solid patch management process, cyber awareness training for staff and contractors, and robust endpoint detection and response capabilities.
- Risk-based investment in cyber includes prioritising investment according to the risk. “Bring controls closer to the high-value assets, rather than the conventional castle-and-moat approach to cybersecurity,” says Hira.
- Leverage emerging tech in the form of AI and machine learning to further augment cybersecurity capabilities to enhance detection and automated response.
- Invest in robust incident response capabilities and prepare a crisis management team through regular crisis scenarios. “Build resilience by recognising that our cyber teams are fighting an unfair fight,” says Hira. “They need to get it right 100 per cent of the time, whereas the adversaries only need to get it right one per cent of the time to deliver a knockout punch to the business.”
This article first appeared under the headline 'Cyber threat landscape’ in the August 2023 issue of Company Director magazine.