The recent pandemic has changed the way a lot of us work and communicate with each other. In particular, it has accelerated business digital transformations such as working from home, and highlighted the increasing prevalence of data breaches. Data breaches affect us all and can cost our business millions. As we steadily emerge from stringent lockdowns and restrictions, now is the time to consider what our business might look like in COVID-Normal.
In Australia, we have seen a systematic response to the pandemic through careful immediate and forward planning with built-in flexibility to respond to new challenges presented by the virus.
Our response to cyber security should be no different.
Ultimately cyber security aims to prevent the technical exploitation of vulnerabilities. Simply: keep the right people in, keep the wrong people out.
Cyber security can be complex and daunting, particularly for those of us who miss the good old ‘locked safe’ approach to data protection. And there are many ways to go about it. Here are my five tips for what you can do right now to reduce your cyber security risk.
‘Cyber Security by Design’ is a phrase I use to describe a comprehensive approach to cyber security. The phrase is inspired by Dr Ann Cavoukian, former Privacy and Information Commissioner of Ontario, Canada, who developed the concept and roadmap for ‘Privacy by Design’, which is now used worldwide for privacy compliance.
So, what is it?
‘Cyber Security by Design’ or CSD is a way of proactively managing risk by embedding good cyber security strategies into the design specifications of our technology, our business practices and our physical infrastructures.
Let’s be honest: there is currently no way to completely protect our systems. Even an air-gapped system is vulnerable to internal intrusions and physical theft.
CSD is about layering the measures we use to minimise risk and designing this in a way that is tailored to the individual business needs. We do this by understanding what we are trying to protect, and why we are trying to protect it.
And just like our plans and our response to the virus, we need an approach that has inbuilt flexibility to deal with whatever comes next.
A cyber secure culture starts from the top down. It needs to be on our board’s agenda as a regular item (if it isn’t already).
Then comes the systematic approach to meet the immediate threats and the future threats.
One thing our recently changed working conditions have taught us is that cyber security is not just a matter for the IT department. We are all responsible. We all need to know this.
Our businesses all have compliance obligations, some more so than others. It is imperative to understand what these are and how cyber security fits in.
On average, a cyber attack costs a business a total of $3.86 million – from detection and escalation, to lost business, notification to regulators and customers, and ex-post response. (Data courtesy of ‘Cost of a Data Breach Report 2020’, Ponemon Institute and IBM Security.)
This figure does not include the cost of reputational damage, which can be incalculable.
Investing in compliance, and investing in an appropriate cyber security approach to meet that compliance, is an investment in business longevity, productivity and sustainability.
Passwords: Passphrases are generally easier to remember, and the longer they are, the higher the complexity, which ultimately costs an unauthorised intruder more in dollars and time to crack. Compare this with a highly complex password, which users generally have difficulty remembering but which is easier for an unauthorised intruder to penetrate.
The Australian Cyber Security Centre provides a range of guidance on passphrases, including their guide on Creating Strong Passphrases that are complex and are easy to remember.
Patches and updates: Updating our systems as soon as patches and updates are available reduces the window of time for the exploitation of vulnerabilities.
Persistence: Cyber security comes easier to some than others. This is where continuous training and education are essential.
We saw from the Sony PlayStation case in the U.S. that traditional liability policies are unlikely to respond to a claim related to a cyber attack.
Enter stage left: Cyber liability insurance – a tailored insurance which usually offers comprehensive cover for liability and expenses associated with a cyber breach. Depending on the policy, it may include network outages, malicious code, and cyber-extortion.
Whether it is needed or not will depend on the risk profile of the business; remembering of course that it is not a solution, but rather part of the steps we can take to minimise our cyber security risk.
Our COVID-Normal will have an increased focus and reliance on technology. This aligns with our Government’s plan to be a leading economy in the next ten years by capitalising on the adoption of online technologies kickstarted by the pandemic.
With this in mind, our cyber security takeaways are:
For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.
Authored by:
Michael Owens, Partner
Kelly Marshall, Director