Mitigating cyber risk begins in the boardroom
Large-scale cyber attacks and data breaches are the new normal for businesses and governments alike. If there has been one recurring global news story in the security sector over the last two years, it has been the constant drumbeat of highly public data breaches affecting tens of millions of customers.
Examples include the attack on retailer Home Depot, where a breach compromised the payment card data of some 56 million customers, and the attack on financial giant JPMorgan Chase & Co, where hackers compromised information on more than 83 million customers and small businesses.
The attack on US retailer Target last year claimed not only 40 million payment card details and the personal records of as many as 110 million customers, but also the job of its CEO, Gregg Steinhafel, who resigned in May as a direct result of the breach. Of these high-profile recent examples, the JPMorgan case is perhaps the most troubling, not least because the bank runs one of the most expensive and sophisticated security practices in the world, and was still breached.
From kids hacking video game downloads, to organised criminals targeting financial services organisations, to state-sponsored theft of trade secrets and terrorists targeting critical infrastructure, no company or organisation is immune to cyber attack.
The cost to any victim of an attack that has been splashed across international news websites is huge. Not only are there immediate remediation costs related to fixing the breach, but there is immense reputational damage.
Those who believe that being located far from hackers in Russia and China, or having a traditional IT perimeter defence, makes them immune are kidding themselves. Australia is far from immune. Government sites are attacked regularly; the Reserve Bank and the Federal Parliament websites are recent examples. At any one time there are hundreds of thousands of vulnerable IP addresses in Australia, and some of them belong to major corporations.
Cybercrime cannot be prevented at the perimeter of today's large and complex networks. It is unfortunate, but companies need to abandon the illusion of "100 percent security" for their IT operations. It is simply no longer realistic to believe that an impenetrable electronic fence can be built.
If you hold something valuable to an attacker, such as customer personal information or intellectual property, it is likely your company has already been attacked without knowing it. Simply being connected to the internet makes any organisation a target. Sophisticated cyber-criminals routinely get past traditional perimeter defences such as proxies, firewalls, VPNs, antivirus and anti-malware tools; on their own, these controls are no longer sufficient.
Effective security requires organisations to detect threats already inside the firewall and to track them as they develop. Cyber-criminals have not only evolved highly sophisticated means of breaching a perimeter, but also of concealing themselves inside the corporate network once they are in. Companies must also guard against insiders who abuse their legitimate access rights to manipulate and steal data.
Attacks often remain undetected until it is too late. By industry estimates, a breach takes on average around 230 days to be detected, and by then the damage is already done and sometimes irreparable. If an attack is detected early, the consequences can be contained. Responding quickly is only possible if boards of directors and executive teams understand, ahead of time, the risks the company faces.
In our hyper-connected world, cyber attacks are an unavoidable problem. You cannot wish the problem away, but it can be managed. The key is to approach cyber security and risk management through a governance-led, information-driven approach. Directors need to understand how threats are evolving and to evaluate the degree of risk the company carries at any given time.
Information-driven cyber intelligence allows directors to assess, manage and minimise those risks. By identifying and characterising cyber threats, and assessing the vulnerability of critical assets and operations, companies can identify ways to reduce those risks and prioritise their security measures strategically.
Boards must adopt a proactive approach to protecting their companies, systems, processes and data. Cyber security is no longer just about building a higher and stronger fence. It is now critical to use smarter detection and monitoring tools inside the corporate perimeter as well.
Craig Richardson is the chief executive of Wynyard Group.