Bystanders beware of the malware

By Jonathon Geddes

It seems like every day that we’re alerted to a new cyber attack across the globe, crippling businesses, embarrassing governments, and leaving customers and the wider community short-changed.

And, despite the increasing need for improved protections and more effective processes to counter cyber crime – along with a burgeoning industry offering cyber security solutions – Australian organisations have never been more vulnerable.

To say that we live in an ‘information age’ is understating our insatiable need for web access at work and at home – and it’s driving an ever-increasing demand for data. Indeed, reports claim 90 per cent of internet data has been created since 2016. Each day across the world:

  • 269 billion emails and 22 billion texts are sent;
  • 3 billion Facebook messages are posted and 5.75 billion posts are liked;
  • more than 4 million hours of content are uploaded to YouTube;
  • 656 million new Tweets are published; and
  • 67 million Instagram posts are uploaded.

When you consider that most modern-day homes boast an impressive ‘digital ecosystem’ including smart TVs, air conditioners, fridges, headphones, baby monitors, laptops and mobile devices, you appreciate why the number of these products is expected to rise from 10 billion in 2015 to 34 billion by 2020, including 24 billion Internet of Things (IoT) devices. It also explains why our data footprint is forecast to grow tenfold by 2015, from 2016 levels, with 81 per cent of Australians accessing the internet daily and 56 per cent more than five times a day.

All of this highlights our increased vulnerability to cyber crime.

The Australian Cyber Security Centre’s 2017 threat report revealed that 7,238 cyber security incidents hit Australian businesses in the last financial year, a rise of 15 per cent, while 734 were attacks on “private sector systems of national interest and critical infrastructure providers”.

Once seemingly confined to targeting government agencies, today’s cyber terrorists don’t discriminate, attacking businesses of all sizes and individuals’ homes, as seen with the WannaCry ransomware attack that has locked more than 300,000 computers across 150 countries since May, confronting users with a demand for a $300 payment to restore their files.

Luke Dembosky, a former US Justice Department official who oversaw some of America’s biggest cyber security cases, spoke at a Melbourne Press Club cyber security event recently on how company brands are being destroyed and leaders held liable for failing to manage cyber crimes – a matter once forgiven by the public as an unavoidable risk of doing business online.

The days of the IT department being solely responsible for cyber security are gone. Organisations and their leaders who fail or choose to delay the disclosure of a cyber attack are, rightly, subject to intense criticism and, sometimes, to market and regulatory scrutiny (Yahoo had a two-year disclosure delay). Investors, regulators, employees and customers are demanding greater transparency of cyber breaches and accountability for managing cyber risks, as demonstrated with pending class actions against Yahoo and credit-reporting agency, Equifax, after hackers plundered the personally identifiable information of 143 million Americans – about 40 per cent of the US population.

These are staggering numbers and, with that in mind, it’s right to ask: what actions can businesses take to manage the operational and reputational impacts in the face of more frequent, more sophisticated and more severe cyber incidents?

As Dembosky reiterated to the Melbourne media community, digital systems are at the heart of every business and, therefore, cyber security has to be a top priority for the C-suite and boards. And this is logical considering today’s agile and flexible workplace principles and arrangements, where work is what you do, not where you are. It begs the question: How many home and mobile working networks are sufficiently robust to guard against cyber attack?

A recent study revealed that 19 per cent of the world’s top 2,500 companies now have a designated executive to lead their digital agenda, up from six per cent in 2015. Australia is leading the way in the Asia-Pacific through chief digital officers (or equivalent) being appointed in 40 per cent of companies. But, alongside an effective organisational structure to meet cyber security objectives, IT policies and risk-management systems, companies must also evolve their crisis management plans. That calls for simulated exercises based on various breaches and response mechanisms to ensure there are clear processes and roles to deal with cyber breaches. Investors demand it; the public expects it.

As consumers’ web usage and businesses’ reliance on the internet increase exponentially in the coming years, so too will the sophistication of new forms of cyber attack.

And, while it’s incumbent on business leaders to protect the bottom line and governments to alleviate potential sovereign risk, it’s also critical that they put cyber security at the top of the agenda when it comes to their issue and crisis management planning.

Standing by just doesn’t cut it any more.