Every day we read about cyber attacks on organisations and the enormous damage inflicted.
The number of attacks is on the rise and, with organisations increasingly reliant upon cyber systems and storing large volumes of data, the consequences are growing.
In addition to direct financial damage resulting from lost and interrupted business, hacking may also cause significant reputational harm.
It’s not a case of “if” you get hacked, but “when”.
While the very real risk of cyber attack is prompting businesses of all sizes to take a closer look at their security systems, there’s an added incentive to be cyber resilient.
Cyber credentials in demand
As a commercial law firm representing many organisations across industry, we see our fair share of tender documents and requests for proposals.
There has been a marked increase in the number of these documents now requiring information from tenderers about their cyber resilience measures including data storage and protection.
This is not surprising given business exposure to system penetrations via third party suppliers.
In the United States, Target Corporation lost 110 million customer credit card and personal data records after hackers gained access via an external service provider.
Companies that store valuable data with third parties or provide third party access to their IT systems are rightfully wanting to know more about the security arrangements and practices of any business they engage.
As reliance on digital systems and business in the online world grows exponentially, robust cyber resilience is not optional.
Suppliers that cannot prove their cyber systems and security measures are strong will be putting their business at serious risk and will be effectively closing the door on future work.
Taking on the responsibility
Many business owners, operators and directors delegate all responsibility for cyber security to their IT team without giving it too much additional thought themselves.
That approach is no longer an option.
The decision makers in any business and especially company directors have to take more responsibility for and interest in setting the cyber security strategy.
If a company suffers loss from a cyber attack and its directors have not exercised real diligence about the company’s cyber security, they risk being liable for a breach of their director’s duty of care.
Business leaders must have an understanding of key cyber considerations including:
- The company’s IT and data storage systems
- Risks and potential impacts of a cyber breach
- Protection, mitigation and risk management strategies
- Expertise, experience and capability of the IT operations team
- Internal reporting processes
- Cyber security and breach response and recovery policies and procedures.
The IT department of course still has a vital role to play in cyber security.
However, these matters need to also be part of discussions right across an organisation and instilled in workplace culture, from the frontline to the boardroom.
Building cyber resilience
Building and maintaining cyber resilience is a key tenet of risk management for virtually all organisations. On a typical risk matrix, realistically, the likelihood of cyber attack is medium to high and the impact or effect of a significant successful attack is high to extreme.
And it’s not just the external risk to safeguard against.
A high percentage of system penetrations come through lack of cyber awareness or poor and unsuspecting behaviour of people within the organisation itself.
This can include clicking on compromised email attachments or links, visiting websites that download malware and using out-of-date or easy-to-hack security settings.
The flexible working environment brings with it another layer of risk.
Resilience is built around the ability to prevent, detect, respond to and recover from a cyber attack.
It’s recommended that businesses undertake an audit of their preparedness and performance across these areas as well as practise disaster recovery plans, particularly in a mock cyber attack scenario.
Personally, I find it interesting that businesses practise fire drills regularly yet the likelihood of a fire is very low.
The opposite is true for cyber attacks.
Brett Cowell is Chairman of Adelaide commercial law firm Cowell Clarke.