Improving your cyber attack response
Australia’s technology, media and entertainment, and telco (TMT) companies have cyber front and centre as a significant source of risk. In this regard, the sector is ahead of the game compared with most other local industries. Yet, according to EY’s Global Information Security Survey 2017-18 (GISS), TMT companies may be focusing on the wrong cyber priorities. It’s time for boards to step in to ensure cyber controls are working.
The TMT sector is more vulnerable to cyber attacks than other industries due to its:
- Intensely data-driven nature – Many TMT companies exist largely in the cloud, and are data rich, meaning an increased requirement to understand where data is and a need to protect it using good patch management and strong password governance. When this is overlooked, things can go badly wrong. Today, 79% of TMT companies believe their customer information is the most likely target for cyber criminals.
- Geographic reach – As regional and global players, TMT businesses are subject to multiple data privacy regulations, including the EU’s General Data Protection Regulation (GDPR) Regime, which comes into force next month. GDPR, which affects any organisation that comes into contact with EU customer data, will impose severe fines for even minor breaches. Those failing to comply with the new regime will be liable for penalties of up to 4% of their worldwide corporate turnover, or €20million, whichever is greater.
Investing in response not prevention
According to EY’s Global Information Security Survey 2017-18, TMT companies are planning to increase their cyber security budgets by 10% in the next 12 months. But this is not enough. TMT executives believe their companies are spending less than half of what is necessary to reach acceptable levels of security.
But it’s not just a question of finding more money, an equally important issue is where these funds will be invested. TMT organisations around the world are spending the vast majority (90%) of their cyber budgets on preventing attacks from happening. Typically, only 10% of their cyber budget is being spent on incident response.
This is a gross imbalance of security spending. Prevention is important, but it’s now commonly accepted that it’s impossible to stop a determined cyber attacker from succeeding. In fact, 43% of TMT companies say they are unlikely to be able to even detect a sophisticated cyber attack – let alone prevent it.
TMT companies must invest equal amounts of their cyber security dollars to minimise the impact of an attack when it happens. The damage from a sophisticated cyber attack will be far worse for those without a well-defined and regularly tested cyber response action plan.
Moving cyber control to the board
Typically, the control environment around cyber resides with the CIO or CRO. but until it gets regular attention from the board, the issue is not going to get the traction it needs. The launch of the Office of the Australian Commisioner (OIAC) Notifiable Data Breaches (NDB) scheme on 22 February 2018 has already prompted some boards to re-evaluate their duty of care when it comes to cyber security. As a priority, directors now need to ask management – and get satisfactory answers to – the following questions:
- What is our most valuable information?
- Where is it housed and what are the controls surrounding it?
- How often are we monitoring and testing those controls?
When it comes to testing, TMT companies should be running regular attack simulations. Cyber events are very dynamic. Systems become infected and rendered inoperable very quickly. This is not just about “Can we bring the systems back up?”, but “How does the whole organisation respond?” For boards to have confidence in cyber controls, the whole company needs to practice and rehearse different scenarios.