Is it time for chief information security officers to step away from the front line and take strategic stock of their organisation’s security posture?
Whither the chief information security officer (CISO) in 2019? Fighting fires on a dozen different fronts is all too often the answer for the high-tech professionals charged with keeping Australian businesses and organisations safe from incursions by hackers and cyber-criminals.
The job is no sinecure; in fact, the reverse. Cyber-crime is a real and rising threat and a serious danger to the health of Australian enterprises, according to PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report.
Almost half the organisations polled had experienced a cyber-attack between 2017 and 2018. Senior executives nominated cyber-crime as the most disruptive crime of the present day and the greatest threat to their growth prospects.
Their concern is borne out by the size of the bill that can come hot on the heels of a successful cyber-security attack.
Listed Australian property valuation firm Landmark White put the cost of a major customer data theft incident at $7 million, after hackers cracked one of its valuation platforms and obtained access to almost 140,000 customer records in early 2019.
Recent research from Frost and Sullivan suggests the potential direct economic loss incurred by Australian businesses as a result of cyber-security attacks and breaches could be as much as $29 billion a year, if fines, legal activity, remediation costs and reduced profitability are added to the tab.
According to the Australian Criminal Intelligence Commission, the direct costs are closer to $1 billion a year. That’s still a significant figure – and one CISOs around the country would prefer not to contribute to.
So, how can they look beyond the day-to-day security challenges and improve their employers’ security posture over the longer term?
Taking a ‘warts and all’ look at where the organisation is at, security-wise, is a good start. This includes probing for areas where visibility is poor.
Penetration testing, conducted internally or by an external consultancy if the budget permits, can highlight blind spots and other weaknesses in the network.
Only when there’s an accurate picture of how well – or poorly – the enterprise is currently protected is it possible to determine how efforts should best be directed.
Get compliance ready
Making sure the organisation is ready to respond, if the worst occurs, should be a priority for all CISOs who are not confident they have it in hand.
Privacy watchdogs, in Australia and around the world, long lobbied for legislation with teeth – and now that they have it, they won’t hesitate to use it.
Some companies have already experienced a hip pocket hit. They include Google, which in early 2019 was slapped with a 50 million Euro bill by France’s data protection watchdog for failing to gain consumer consent for its advertisement personalisation activities.
While Australia’s privacy laws give enterprises which suffer a significant data breach 30 days to advise affected customers and instigate remediation, the EU’s GDPR regime is far more stringent. It allows organisations just 72 hours to alert customers and the local regulator of a breach, and it has the power to impose fines of up to 20 million Euros on those which fail to do so.
Yes, it’s half a world away but it’s legislation which can ensnare Australian enterprises that are careless or unlucky – the rules can be applied to any organisation which stores the data of EU citizens, regardless of where it’s domiciled.
Help staff to shine
Staff can be the weakest link in the cyber-security chain or the strongest defence against compromise or attack. CISOs stand a better chance of staff being the latter if they instigate regular cyber-security training and strive to foster a culture which sees all employees alert to the dangers and mindful of how they manage and store data.
Giving IT and security staff technologies to help them do their jobs more efficiently is another way to beef up defences. Automated tools should be used, wherever possible, to handle time-consuming and repetitive tasks, freeing up security personnel to focus their efforts on functions which call for human judgment and intervention.
Get the big guns on board
Cyber-security has ceased to be an IT issue. It’s now a whole-of-business concern. Engaging with the C-suite can ensure it stays top of mind for decision makers. Once it does, securing ongoing funding and support for security initiatives becomes an easier proposition.
Time to act
As hackers and cyber-criminals continue to find new ways to circumvent defences and home in on weak spots on the attack surface, organisations must do more than respond apace. The CISO who strives to stay a step or several ahead, by taking a long-sighted approach to the protection puzzle, is less likely to see their organisation join the 2019 list of cyber-security statistics.