Last week saw the ASX publish its first Cyber Health Check Report. The report provides a valuable insight into the cyber-security attitudes and practices of the boards of ASX 100 companies.
It's no secret that cyber security is a real, and ever growing, risk faced by companies. Notably, 62% of the companies surveyed said that the level of attempted malicious cyber activity against their company has increased in the past year, and 80% of them expressed the view that cyber risk was likely to increase in the short term.
Perhaps most significantly, the report acknowledges that, while most companies in the ASX 100 think that they are "doing ok", there is an acceptance that there is more to do. If this is true of large, well-resourced companies, one expects the majority of Australian businesses to be faring no better.
Notification obligations
Amongst other things, the survey behind the report posed questions with respect to the attitudes and practices of organisations when it comes to cyber breaches.
Whilst 80% of companies reported having a clear understanding of their cyber breach disclosure obligations, the survey was conducted before the recent introduction of mandatory data breach notification laws which will take effect by February 2018.
That being so, all organisations need to consider how these legislative changes will impact upon their business. This should extend to the steps that need to be taken to ensure that your policies, practices and procedures are adequate to meet the growing threat posed by cyber-attacks, particularly having regard to the new statutory notification obligations.
Hope for the best, plan for the worst
Prevention is, of course, the best defence against a cyber-attack. Despite this, only 42% of the well-resourced ASX 100 companies surveyed expressed confidence that their organisations were properly secured against cyber-attacks.
The average cost of a cyber-crime against an Australian company is more than $5.6 million per incident. This fact alone highlights the importance of having a robust, tested cyber breach response plan.
However, the report revealed that 35% of the companies surveyed had no such plan in place, or have a plan which remains untested. It seems likely that the percentage of companies falling into this category outside of the ASX 100 would be higher.
These statistics are a stark reminder of how important it is for organisations of all sizes to reconsider their current plans or, if one does not exist, to consider implementing one.
While many organisations might not yet have been the subject of a cyber-attack, this does not mean they are immune from the risk. Complacency in the face of action being taken by others may actually make an organisation more of a target, particularly if the inaction of the organisation is easily apparent.
When one weighs up the relatively modest cost of having an appropriate plan in place against the cost and drain on the organisation's resources that will be suffered in responding to an attack when there is no plan in place, the implementation of a robust, tested plan becomes a no-brainer.
Preparing your plan
A robust plan will generally have been prepared with input from all levels and functions of the business, from the board room to the employees on the shop floor. No longer can it be restricted to those in the IT department. Organisations of all sizes must be confident that:
- the plan they have in place addresses the often unique risks associated with their business;
- staff are appropriately trained so that they can spot a cyber-attack and know their role in responding to such an attack;
- they have dedicated sufficient resources to supporting the plan (notably, no organisations reported having overspent on cyber security); and
- the plan evolves with changes in legislation, business practices and to address new types of cyber-attacks.
In preparing a robust plan, organisations should also be mindful of their limitations from a technical perspective. The report highlighted that just 7% of directors clearly understood "the cyber security of the broader ecosystem in which the company operates" and 63% said that their "understanding of the biggest IT security exposures is limited or non-existent".
These limitations, and the constantly changing regulatory landscape, highlight the need for businesses to obtain appropriate external legal, IT and public relations support when preparing their plan. Obtaining such support will assist businesses to identify any blind spots and to ensure that they are as well prepared as possible for any cyber-attack or data breach.