The mammoth risks posed by a cybersecurity breach mean leaders need to tackle the growing threat at board level, according to Australia’s Prime Minister.
Speaking in Washington, Malcolm Turnbull told the inaugural Australia-US Cyber Security Dialogue that cybersecurity needed to become an essential function across the corporate sector and government.
“We must convince leaders, at board level and corporate sector and government levels, that cyber is one of their essential functions,” he said.
Cybersecurity is a leadership issue, not an IT issue
“As we are all acutely aware, a cyber attack or data leak from even a mundane business system, like email, can have a dramatic impact on an enterprise.”
Turnbull said many companies had CTOs and CISOs, who contributed technical knowledge and business acumen.
“The most obvious reason to value the role of a Chief Information Security Officer in board-level decision-making is the risk of cyber threat to your budget bottom line,” he said.
“Increasing the capacity for security staff to engage in conversations with senior decision-makers is absolutely critical when it comes to responding to a cyber incident.”
Turnbull added that CEOs and boards want succinct information, which is not always easy to provide when dealing with IT security data. That could change by inviting a cybersecurity expert into the boardroom.
It’s a stance MailGuard is right behind, as Australians increasingly fall victim to cyber scams ranging from phishing to ransomware. And email is cybercriminals’ foot in the door, with two-thirds of emails circulating the globe thought to contain unwanted content ranging from spam to malware.
At home, studies show one third of Australian businesses have experienced a cybercrime, with the average cost of an attack more than $276,000.
Ignorance is a dangerous option
Alarmingly, only 52% of organisations have a cyber security strategy in place, according to Grant Thornton’s International Business Report (IBR). That’s despite cyber attacks costing more than $300 billion globally in a single year.
“While breaches damage reputations, in the long term only transparency can grow trust,” Turnbull said.
“Kmart Australia actively disclosed a data breach late last year, and that transparency helped insulate it from more serious economic loss.
“Government also intends to lead by example by initiating frank conversations about our success and also about failures.”
SMEs are especially susceptible, and while hiring a CISO is unlikely to be an option, there are many cost-effective options (from just a few dollars per staff member per month) available to offer cyber protection.
They can be put in place as an operating expenditure rather than a capital expense.
One attack is one too many
It usually takes just a single attack for businesses to realise they need better oversight.
And when it comes to cybersecurity, it’s dangerous to assume your IT manager is equipped to deal with the ever-changing landscape of online security threats.
“The provision of general, business-as-usual IT services – whether in-house or outsourced – isn’t cybersecurity, or a cyber strategy,” MailGuard CTO Jason Pearce says.
“They are not the same thing. Far from it.”
“While outsourcing can be inevitable – and work well – for some businesses, it’s vital that leaders ask questions, familiarise themselves with the policies in place, and find out what will happen in an emergency.”
Is your business on the front foot?
Speaking in Washington, Turnbull said Australia possesses an ‘offensive’ cyber capability, which meant an immediate capacity to respond to attacks.
“This option of offensive cyber response takes its place alongside options such as diplomacy, law-enforcement action, and sanctions, amongst others,” he said.
“Now, as governments, we don’t talk much about what this offensive capacity can do, nor how it can be carried out.
“Much as we acknowledge we have warships, submarines and fighter jets, we don’t detail their specific technical capabilities. Merely acknowledging their existence forms part of our national deterrence.”
MailGuard’s Jason Pearce agrees.
“Companies need to have a cybersecurity plan. It needs to be developed, understood and spoken about widely. Unless it is communicated broadly, it cannot be effective.”
It’s about more than money
The ramifications of a cyber attack are wide-ranging. They include:
- Productivity (especially in cases of ransomware, which can take a business offline for weeks)
- Emotional toll on victims and those affected.
Turnbull said the financial ramifications of corporate cyber attacks are complex, and not limited to a loss of shareholder value.
“Listening to the risk mitigation advice of your security staff is good business,” he said.
“But it is better business to also think broadly about the benefits of information security.”