Most Australian organisations have come a long way on their respective cybersecurity journeys. And while there's a wide spread of maturity across corporate boards and the public sector, most organisations are consciously straightening their cybersecurity postures.
But the new risk is that, having started to harden their IT systems against attackers, boards may have figuratively clapped themselves on the back for a job well done and declared: “Mission Accomplished!”
The reality is cybersecurity threats are constantly evolving and any organisation that stands still is ultimately going backwards to become prey for criminals.
Flawed thinking underpinned by comforting myths is often at the core of failed cybersecurity strategies. If you think your cybersecurity is up to scratch—and there’s nothing more left to do—check yourself against this list of OBT’s Mythical Eight top cybersecurity myths to see if there’s more you should do to protect yourself—and your customers—from criminals.
Myth 1 – We’re not a target
While most leaders of enterprises and public sector agencies are resigned to being targets for cyber-criminals, many small to medium-sized businesses (SMBs) and not-for-profits believe they’re too small or inconsequential to be targets. Indeed, 43 per cent of businesses that fell prey to an attacker were SMBs, says the 2019 Verizon Data Breach Report. Criminals don't need even to know an organisation exists to target them. Cyber-criminals cast a wide net that indiscriminately catches SMBs along with enterprises and government. But unlike big organisations, SMBs don’t have the sophisticated systems, people training and processes to repel these attacks.
Myth 2 – We’re safe behind our firewalls
Build a great, digital ring-fence around your IT systems and you ward off all invaders. But what about your employees who log in while they’re on the road? How do you protect public cloud services that hold your critical applications and sensitive customer data or valuable intellectual property? Perhaps you exchange data with customers or suppliers on insecure networks? No longer are all your people, data and applications held inside a physical perimeter. Now, all your most important information—and the people who access it—is scattered across the internet and outside the protection of your firewalls.
Myth 3 – We do annual penetration tests
As organisations mature, they probe their systems to reveal security holes and flaws. And while penetration (“pen”) tests are worthwhile, they only report what’s wrong in hindsight. Telstra notes that 89% of businesses had undetected breaches in 2018. OBT recommends continuously probing IT systems to report incidents in near-real-time. And once business leaders have the information, they must act immediately. Response time is one of the top two challenges most businesses face. In Australia, response time is 200 to 281 days — potentially, nearly two years after an incident. Proactive organisations report how long it takes them to fix critical, medium and low-priority items to reassure customers and partners they value their data security.
Myth 4 – We don’t need to train (all) our people
The first, best and often last line of defence against cyber attack may be a trained and alert employee. Recent, high-profile cyber attacks on Australia’s critical infrastructure were linked to employees having insufficient training in areas such as assessing the authenticity of an email sender or clicking on a bogus link. Almost as bad is the organisation that trains only some employees. Criminals will exploit the weak link in your organisation and use them to step up and through your systems. If you don’t train all your people to the same, high standard, a criminal will get in.
Myth 5 – We have strong passwords
The low-hanging fruit is regularly rotating a password but employees may have scores of passwords to remember, so they just increment their base password. So, PASSWORD becomes PASSWORD2, PASSWORD3, PASSWORD4 and so on. Simplify your employees’ lives and strengthen your cybersecurity by removing the need to remember passwords. Single-sign-on logs in a user to all corporate systems. Add password generation and management (so the user won’t even know their password) and multifactor authentication (enter a secondary password from a trusted device such as their mobile phone) and your logins will be as secure as they can be.
Myth 6 – There’s no (more) budget for cybersecurity
A cybersecurity strategy must be weighed against risk of failure. For instance, the average cost of a data breach to an Australian business is $A3 million at a cost of $157 a lost record while 85 per cent of people won’t deal with a business that has poor cybersecurity and businesses report 2.8 per cent loss in customer numbers after an incident. On the flipside, hardening defences by restricting administrative privileges, enabling multi-factor authentication, and training staff may cost little to nothing in dollar terms. Also important is writing and enforcing cybersecurity policies (only a quarter of Australian businesses have one, says Telstra). Other tactics the Australian Government calls the ‘Essential Eight’ (we actually call them the “Basic Eight”!) that won’t cost a fortune are: apply security patches; block or restrict Microsoft macros, Flash, Java and ads; backup data at least daily.
Myth 7 – I’ll just pay the ransom; I have cyber insurance
We got hit but life goes on; I’ll just cough up the ransom, right? Wrong. Although this seems like a quick way to recover for comparatively small cost, in most cases criminals don’t release their victims’ data after receiving a ransom. Indeed, paying a ransom may expose you to more and higher demands as it becomes known you’re a ‘soft touch’. And while having cybersecurity insurance is a smart move, you wouldn’t risk burning down your house in the hopes the insurance would cover it. You may also be subject to Notifiable Data Breach laws, of which paying a ransom won’t absolve you.
Myth 8 – I already have a chief information security officer (CISO)
Congratulations! It’s a great start that means you’re serious about cybersecurity. Do a happy dance. Now, realise that cybersecurity is the responsibility of everyone in the organisation. Your CISO will keep you focused but they only see what happens inside your organisation and they have finite bandwidth. This is especially true if your CISO is also chief financial officer or chief information officer, which may distract them from their core duties with tasks outside their area of expertise. Oracle NetSuite research recently found 71 per cent of CFOs ranked data security as their top concern while 33 per cent have had a cyber attack. A trusted partner amplifies and extends the CISO’s capacity and capability while updating them on the threat landscape, empowering them to safeguard critical IT systems better than they could alone.
Bonus round – More myths that need busting
My data isn’t valuable – All data has value. Consider securely deleting or not collecting data if you don’t need it to reduce potential for exposure.
I trust my people – Not all attacks are from external actors and even good employees mess up. Negligent workers account for a quarter of data breaches while targeted and malicious insiders account for a further 19 per cent of incidents, Australian CISOs believe.
IT will handle it – Cybersecurity is a challenge and responsibility for every person in the organisation, its partners and customers and strategy must be led from the CEO and the board, which are ultimately legally liable.
Technology will protect me – Although there are very good tech solutions, strong cybersecurity is primarily culture and policy.
Our cloud provider protects us – Although default settings of most public clouds are better than nothing, their safeguards protect themselves. Their customers are still responsible for their own security decisions.
We implement the ‘Essential Eight’ – The Essential 8 (which we like to call the “Basic Eight”) is a starting point and requires vigilance to ensure the business is alert and responsive to changes in the threat landscape.
If satisfied you’re not susceptible to any of the Mythical 8 (and none of the six in the bonus round), congratulations — you’re a unicorn who has cybersecurity by the horn. Otherwise, it may be time to reevaluate your strategy so your business and customers are safe from criminals. Contact OBT for a free consultation to assess your cybersecurity posture.