Greenwich CEO Roundtable September 2023: Cyber Security

Organisations across Australia and New Zealand increasingly fall victim to cyber-attacks, emphasising the importance of addressing cyber risk and safeguarding your business.

Recently, Greenwich hosted another successful CEO Roundtable event, bringing together business leaders and experts to delve into a pressing concern – cyber security. The event allowed these leaders to network and learn from cyber security experts Charlie Hales and Duncan Ayres of Waterstones Australia while gaining insights into how some of their peers address cyber security.

Here’s a glimpse of the key topics discussed in the CEO Roundtable event.

Cyber Security Statistics

Cybercrime in Australia has risen steadily over recent years. In FY21, approximately 67,500 reports were filed with the Australian Cyber Security Centre (ACSC). It equated to one attack every 8 minutes, representing a 13% increase over the prior year (FY20). In FY22, over 76,000 reports were filed, representing a 13% increase over FY21. It now equates to one attack every 7 minutes [1].

Cybercrime reports are more common in Australia’s most populous states. However, Queensland (29% of the nation’s total cybercrime) and Victoria (27%) experienced disproportionately higher rates of cybercrime when compared to New South Wales (22%) [2].

The Health Care/Social Assistance and Information Media/Telecommunications sectors were the hardest hit non-government sectors, filing 9% and 8% of total cyber crime reports in FY22, respectively. Government sectors with additional reporting obligations accounted for 34% of all cybercrime reports in FY22 [3].

Business Email Compromise (BEC) is becoming a standard and lucrative method of attacking businesses. BEC is where a hacker compromises an organisation via its email. BEC can be used to scam a business out of money, trick employees into revealing confidential information and be used as an entry point for hackers to move into higher-value targets within networks. Reported losses via BEC increased to $98 million in FY22 (an average loss of over $64,000 per successful BEC) [4].

The Importance of Cyber Security

The company board is responsible for ensuring the organisation has best practices to prepare for cyber security threats. The board is, therefore, liable for any breaches of data security that may occur under its watch.

Cyber Security is not just a technical issue; it’s a strategic one. Boards must integrate cyber security considerations into the organisation’s overall strategy. It includes allocating resources, setting risk tolerance, and prioritising investments in cyber security measures that align with the organisation’s objectives.

Here are the key reasons why the board’s cyber security responsibilities are so vital:

1. Protecting Employee and Customer Data

Any organisation’s first and foremost responsibility is to protect the data it holds, especially that of employees and customers. This data often includes Personally Identifiable Information (PII), which can expose sensitive information used to distinguish a specific individual, such as their full name, birthdate, address, driver’s licence number, etc. PII is often a target for cyber attackers due to its high value on the dark web.

In September 2022, hackers attacked one of Australia’s largest telecommunication companies, Optus. The breach impacted up to 9.8 million Optus customers. This data breach comprised customer names, birth dates, addresses, phone numbers, passport information, driver’s licence numbers, Medicare ID numbers and medical records [5].

Hackers published samples of the sensitive data online and would go on to demand $1.5 million worth in cryptocurrency. Optus would later be hit with a class-action lawsuit comprised of 1.2 million customers.

2. Financial Impact on the Organisation

Cyber Security incidents can have significant financial repercussions. Beyond the costs associated with addressing the breach, including legal fees, regulatory fines, and cyber security improvements, there’s also the potential loss of revenue due to operational downtime and customer attrition. Following a cyber security breach, the organisation is also likely to experience an increase in the premiums associated with its insurance policies.

According to the ACSC 2022 Annual Cyber Threat Report, medium businesses (defined by businesses employing 20 to 199 people) experienced the most significant losses from cybercrime incidences. The average loss reported by these businesses was $88,407. The average loss reported by large and small companies in 2022 was $62,233 and $39,555 respectively. These sums were 14% higher than in the prior year [6].

3. Reputation Management

A cyber security breach can irreparably damage an organisation’s reputation. Customers and investors expect their data to be handled carefully and secured from threats. A breach can lead to losing trust and confidence in your organisation, which can take years to rebuild.

In October 2015, large UK telecommunications firm TalkTalk was attacked by cybercriminals. The attack breached the details of over 150,000 customers. In addition to a £400,000 fine [7] and other costs associated with dealing with the incident, the firm suffered severe reputational damage and lost over 100,000 customers [8].

4. Potential Personal Liability

Board members themselves can be held personally liable if it is determined that they failed in their fiduciary duty to oversee cyber security. Lawsuits against board members related to cyber security incidents have become more common, emphasising the need for proactive oversight.

5. Operational Downtime

Cyber threats can disrupt an organisation’s operations, causing downtime and potentially significant financial losses. Boards must ensure that the organisation has effective business continuity and disaster recovery plans to minimise these disruptions.

In 2022, a medium-sized business in the Australian healthcare sector reported an attack on their business by a Sodinokibi ransomware group. The group encrypted the business’s critical files and prevented access to business-critical systems. The attack severely impacted the business’s operations. Despite the willingness of the victim to pay a ransom, the data took three months to restore and required engagements with a law firm, a third-party negotiator, and an insurance company [9].

Managing Risk: The NIST Cyber Security Framework

The National Institute of Standards and Technology (NIST) has developed a framework that helps businesses of all sizes protect their networks and data and better understand, manage, and reduce their exposure to cyber security risk.

This framework can be used to develop an assessment of the cyber risk profile of an organisation and inform recommended courses of action to mitigate these risks. The framework includes 5 pillars:

Sources:

1. Niek Dekker (Eftsure), Critical Cyber Crime Statistics in Australia 2023, Cybercrime Statistics, <https://eftsure.com/en-au/statistics/cyber-crime-statistics/#:~:text=Over%20the%202021%2D2022%20financial,financial%20year%2C%20every%208%20minutes>
2. Australian Cyber Security Centre, ACSC Annual Cyber Threat Report, July 2021 to June 2022, Cybercrime reports by state and territory, <https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022>
3. Australian Cyber Security Centre, ACSC Annual Cyber Threat Report, July 2021 to June 2022, Cyber security incidents by sector, <https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022>
4. Australian Cyber Security Centre, ACSC Annual Cyber Threat Report, July 2021 to June 2022, Business Email Compromise, <https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022>
5. Edward Kost (UpGuard), 13 Biggest Data Breaches in Australia [Updated 2023], 3. Optus, <https://www.upguard.com/blog/biggest-data-breaches-australia>
6. Australian Cyber Security Centre, ACSC Annual Cyber Threat Report, July 2021 to June 2022, Cybercrime loss by organisation size, <https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022>
7. Alex Hern (The Guardian), TalkTalk hit with record £400k fine over cyber-attack, <https://www.theguardian.com/business/2016/oct/05/talktalk-hit-with-record-400k-fine-over-cyber-attack>
8. AON, Reputational damage and cyber risk go hand in hand; customers leave, <https://www.aon.com/unitedkingdom/insights/reputational-damage-and-cyber-risk.jsp>
9. Australian Cyber Security Centre, ACSC Annual Cyber Threat Report, July 2021 to June 2022, Cost to victims of ransomware, Case Study: Australian healthcare organisation, <https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022>