Defining cyber risk. A view from the directors chair.

Tim Daly, Group Manager Risk, Security and Service Management at AEMO, recently discussed cyber risks at the Sydney Women on Boards luncheon.

INTRODUCTION

Every organisation and every business is now reliant on technology. Therefore cyber security cannot be considered a risk in isolation or something IT ‘will deal with’, it must be considered a business risk and the board must be aware of, and actively pursuing, cyber risks. It also must be understood that cyber threats aren’t a discrete problem to be solved, rather, they’re a complex risk that need to be managed.

3 TYPES OF RISKS

Tim explained the three main types of risks organisations need to be aware of;

1. Accidental – human error mistakes, for example sending a confidential email to the wrong person
2. Non-targeted – organised syndicate of cyber gangs, for example receiving a ‘spam’ email allowing these gangs to connect to the individuals server, however this is not specifically targeted at them, it is more of a ‘gun-shot’ approach to cyber crime
3. Targeted – specific cyber threats to organisations or individuals and this may be conducted by disgruntled individuals or issue motivated groups. The primary reason for targeted cyber-crime is to gain access to sensitive intellectual property and/ or personal data.

Other elements that need to be thought about include:

Who is the threat?

• Individuals, issues motivated groups, cyber criminals, competitors etc.
• Capability
• Resourcing level
• Persistency

What is the point at which the attack occurs?

• Employee
• Their device
• System or application
• The network

What is the nature of the damage?

• Internal damage; theft of IP, business disruption, direct financial loss, physical damage.
• External damage; supply chain, employees, private customers.

Michael Shatter, RSM’s Director, Security and Privacy Services, went on to explain a further type of cyber risk, and that is executive impersonation fraud. Cyber criminals identify as someone whom you do business with and masquerade themselves as creditors or the like, and ask for payment to be made. Michael continued with a story of a construction client who unfortunately was privy to such a crime, and ultimately lost a significant amount of money. Michael went on to say that due to the electronic nature of business these days, robust internal controls and system checks such as picking up the phone and making verbal contact with known contacts for the purpose of clarification and/or confirmation can assist in preventing such hacks.

A question was raised from the group about Federal legislation and Tim responded that currently the House of Representatives are sitting on Mandatory Breach legislation. In essence Australia is making progress, recently announcing an Ambassador for Cyber issues, and Special Minister advisory roles to the Prime Minister on cyber security.

Tim went on to explain the different stages of a cyberattack and if there is a possibility to cease an attack with the only costs endured being time and resources, then this is considered a success. As soon as intellectual property is leaked, then this is when the stage becomes critical.

THE 5 KNOWS

In this critical stage it is vital to have a response plan. Tim mentioned Mike Burgess, Chief Security Officer at Telstra, and his ‘5 knows’;

1. Know the value of your data
2. Know who has access to your data
3. Know where your data is located
4. Know who is protecting your data
5. Know how well your data is protected

 

FAILING TO PREPARE IS PREPARING TO FAIL

Tim went further and explained the importance behind identifying the risks your organisation may be open to, and just because there is compliance measures in place, does not mean your organisation is secure. He then emphasised the importance of having a plan in place to swiftly respond should a cyber risk occur. It’s all well and good to have plans in place but they need to be tested. e act of testing out a cyber security risk plan enables the organisation to expose its flaws and make it vulnerable in a safe environment. As it is better to be exposed in a practise environment rather than in a real cyber threat situation.

A question was asked whether Tim’s Organisation, AEMO, ever engage hackers to ultimately test their systems and their response plan. His answer was yes, however he went on to explain that Microsoft have 24/7 teams in place who act as attackers, defenders and then the third dimension is a final team who are actively attacking both teams. Obviously this is not viable for all organisations, nor required, but Tim explained it’s an example that just shows how serious cyber risk is.

Another question was asked in regards to benchmarking or market standards when making comparisons of how organisations fare in regards to cyber threats. Tim went on to explain that AEMO use lead indicators as signals of risk, and researching into triggers that they can then pro-actively invest into to avoid major damage. The next stage of defence is threat intelligence, however Tim explained that there is no point investing into this technology if your organisation doesn’t have its hygiene factors in place, such as those identified in the ASD Top 4/35. Tim explained that at AEMO a process they use is to set up ‘honey pot’ servers to detect potential threats.

AUSTRALIA’S GOT TALENT

A member from the group raised the issue of the current talent availability and questioned whether universities are promoting the skills required for cyber risk roles. Tim started off by stating that there is definitely a skill shortage, and it is hard to retain staff due to overseas companies poaching top Australian talent in the industry. Tim continued that lateral thinking is required to fill entry level roles a lot of the time no experience or specific technology degree is required, more importantly having the attitude and aptitude for analytics is enough. e Australian Information Security Association is trying to bridge the gap with educational courses, as well as promote diversity within the industry. However recruiting talent is an ongoing challenge for the industry.

Tim finished off the discussion by stating that leadership in cyber security enables the management of risk, and allows for opportunity and innovation to occur at a rapid rate. Furthermore it’s important to have some accountability throughout the business and to ensure the response plan is multi-disciplinary across the business.

Further reading - ASX Cyber Health Check for ASX 100 Companies - Click here