Being aware and being prepared are essential tools for directors in protecting their organisations against increasingly prevalent cyber threats.

    Abigail Bradshaw CSC, head of the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate — the nation’s largest intelligence agency — says reported cybercrime incidents occurred every six minutes in the past year, compared with every eight minutes three years ago.

    “That equates to about 94,000 reports of cybercrime being reported through our cybercrime reporting tool on,” Bradshaw told a recent AICD webinar. “We actually think, while that headline figure sounds crazy, it’s probably just the tip of the iceberg. It is not the full scale of attacks that are actually impacting Australians.”

    She says the average cost of cybercrime increased by 14 per cent in the past 12 months and the cost to a business whose email has been compromised was on average $39,000. Three years ago, there were 19,000 reports of vulnerabilities in software. In the past 12 months, that number rose to 29,000.

    The ACSC works with organisations to make them aware of vulnerabilities and endeavours to apply pressure on companies to ensure patches, or fixes, are available. “The number of times we see companies being compromised because systems aren’t patched is astronomical,” says Bradshaw.

    The ACSC is not a regulator. Its partnership program has more than 110,000 members, building an ecosystem of cyber threat intelligence on the platform. 

    “It enables industry and government to share what we would call indicators of compromise, which can really empower businesses to defend their own networks,” says Bradshaw. “We prefer to prevent rather than respond.”

    Planning is key

    “We’re big supporters of having an incident-response plan that is regularly updated,” says Bradshaw. “If your systems are down, do you have access to all the contact information of people you might need to contact? If you have outsourced your ICT [information and communication technology] support, what are their response hours and their response timeframe? If you can’t pay people or invoices, that can lead to operational shutdown and can very rapidly bring the whole company to a great halt.”

    Bradshaw advises that the incident response plan should be practised at least once a year. Then, when something happens, the organisation is prepared and decisions have been thought through at a time of calm, rather than a time of stress.

    “Really focus on the practical steps you would take when an incident rolls out,” says Bradshaw. “Have a discussion at board level or among senior executives about what your position would be if you were asked to pay a ransom, so you are not having that discussion for the first time in the face of an incident.”

    Become a partner

    In Australia, the sorts of strategies that would have resolved 80–90 per cent of incidents that ACSC takes part in are:

    1. Having a good passphrase. For example, don’t use Password1234.
    2. Identifying critical vulnerabilities and using patching.
    3. Multi-factor authentication.

    “If a threat actor is able to guess your password, or steal credentials, then having that multi-factor authentication may well be the difference between a near miss and your worst cyber day,” says Bradshaw.

    She recommends signing up to join the partnership program and says the website has many resources, including some to help small businesses in particular. Organisations need to realise that ICT is not cybersecurity, and directors must do more to understand the threat environment and build resilience.

    “As a board member or senior executive, you can no longer divorce yourself from the technology conversation. You need to be aware of its limitations to keep yourself cyber resilient,” says Bradshaw. “Treat cybersecurity risk in the same way you would treat financial or legal or occupational risk.”

    Recording available until 14 December 2024.
