Tim Daly, Group Manager Risk, Security and Service Management at AEMO, recently discussed cyber risks at the Sydney Women on Boards luncheon.

INTRODUCTION

Every organisation and every business is now reliant on technology. Therefore cyber security cannot be considered a risk in isolation or something IT ‘will deal with’, it must be considered a business risk and the board must be aware of, and actively pursuing, cyber risks. It also must be understood that cyber threats aren’t a discrete problem to be solved, rather, they’re a complex risk that need to be managed.

3 TYPES OF RISKS

Tim explained the three main types of risks organisations need to be aware of;

1. Accidental – human error mistakes, for example sending a confidential email to the wrong person
2. Non-targeted – organised syndicate of cyber gangs, for example receiving a ‘spam’ email allowing these gangs to connect to the individuals server, however this is not specifically targeted at them, it is more of a ‘gun-shot’ approach to cyber crime
3. Targeted – specific cyber threats to organisations or individuals and this may be conducted by disgruntled individuals or issue motivated groups. The primary reason for targeted cyber-crime is to gain access to sensitive intellectual property and/ or personal data.

Other elements that need to be thought about include:

Who is the threat?

• Individuals, issues motivated groups, cyber criminals, competitors etc.
• Capability
• Resourcing level
• Persistency

What is the point at which the attack occurs?

• Employee
• Their device
• System or application
• The network

What is the nature of the damage?

• Internal damage; theft of IP, business disruption, direct financial loss, physical damage.
• External damage; supply chain, employees, private customers.

Michael Shatter, RSM’s Director, Security and Privacy Services, went on to explain a further type of cyber risk, and that is executive impersonation fraud. Cyber criminals identify as someone whom you do business with and masquerade themselves as creditors or the like, and ask for payment to be made. Michael continued with a story of a construction client who unfortunately was privy to such a crime, and ultimately lost a significant amount of money. Michael went on to say that due to the electronic nature of business these days, robust internal controls and system checks such as picking up the phone and making verbal contact with known contacts for the purpose of clarification and/or confirmation can assist in preventing such hacks.

A question was raised from the group about Federal legislation and Tim responded that currently the House of Representatives are sitting on Mandatory Breach legislation. In essence Australia is making progress, recently announcing an Ambassador for Cyber issues, and Special Minister advisory roles to the Prime Minister on cyber security.

Tim went on to explain the different stages of a cyberattack and if there is a possibility to cease an attack with the only costs endured being time and resources, then this is considered a success. As soon as intellectual property is leaked, then this is when the stage becomes critical.

THE 5 KNOWS

In this critical stage it is vital to have a response plan. Tim mentioned Mike Burgess, Chief Security Officer at Telstra, and his ‘5 knows’;

1. Know the value of your data
2. Know who has access to your data
3. Know where your data is located
4. Know who is protecting your data
5. Know how well your data is protected

FAILING TO PREPARE IS PREPARING TO FAIL

Tim went further and explained the importance behind identifying the risks your organisation may be open to, and just because there is compliance measures in place, does not mean your organisation is secure. He then emphasised the importance of having a plan in place to swiftly respond should a cyber risk occur. It’s all well and good to have plans in place but they need to be tested. e act of testing out a cyber security risk plan enables the organisation to expose its flaws and make it vulnerable in a safe environment. As it is better to be exposed in a practise environment rather than in a real cyber threat situation.

A question was asked whether Tim’s Organisation, AEMO, ever engage hackers to ultimately test their systems and their response plan. His answer was yes, however he went on to explain that Microsoft have 24/7 teams in place who act as attackers, defenders and then the third dimension is a final team who are actively attacking both teams. Obviously this is not viable for all organisations, nor required, but Tim explained it’s an example that just shows how serious cyber risk is.

Another question was asked in regards to benchmarking or market standards when making comparisons of how organisations fare in regards to cyber threats. Tim went on to explain that AEMO use lead indicators as signals of risk, and researching into triggers that they can then pro-actively invest into to avoid major damage. The next stage of defence is threat intelligence, however Tim explained that there is no point investing into this technology if your organisation doesn’t have its hygiene factors in place, such as those identified in the ASD Top 4/35 (which can be found here). Tim explained that at AEMO a process they use is to set up ‘honey pot’ servers to detect potential threats.

Tim finished off the discussion by stating that leadership in cyber security enables the management of risk, and allows for opportunity and innovation to occur at a rapid rate. Furthermore it’s important to have some accountability throughout the business and to ensure the response plan is multi-disciplinary across the business.

This article was written by Michael Shatter, RSM Australia, and first published here.