Cybersecurity awareness growing but still not fully understood
Awareness of cybersecurity and online risks for businesses has increased markedly since the outbreak of the COVID-19 pandemic, but there is still a need to improve understanding and skills amongst business owners and directors.
Over the past 12 months, cyber-risk has started to be talked about at the very top levels of businesses, both board and executive.
According to the latest HLB Cybersecurity report, released this month, almost half (47 percent) of C-suite executives globally are concerned or very concerned about the risks to their business from cybersecurity issues. In part, this heightened awareness has been driven by the increase in people working from home during the pandemic, creating a greater level of risk for organisations. This has triggered a shift in how companies view cyber-security and, perhaps more significantly, the likelihood of it affecting them.
Whereas previously it was treated as a technology issue and responsibility, now it is recognised as a critical business risk and is being taken very seriously.
While this is a step in the right direction, there remains a gap in the skillset of board members and directors in being able to appropriately assess the information they are receiving, and benchmark their organisation’s activities to industry standards.
Boards and management are now asking the right questions about what the business needs in terms of extra resources or system upgrades; however, they must also ensure they are equipped to fully understand the responses.
From a corporate governance perspective, executives can’t simply rely on what they are being told by others in the organisation – they need to be able to properly analyse and assess the information and make decisions on whether the steps being taken to protect the business from cyber-risks are robust enough and meet requirements.
As cyber-security continues to grow as an organisational threat, this gap in knowledge will become even more of an issue.
Cyber-crime has been steadily rising in recent years, particularly in Australia. Statistics from the Australian Cyber Security Centre Annual Cyber Threat Report 2020-21 show that it increased by 13 percent between 2020 and 2021, with a cyber-crime reported every 8 minutes in Australia in 2021, compared with every 10 minutes in 2020.
And reported crimes are likely to represent only a fraction of actual crimes.
Cyber-crime covers a gamut of activities, from an email sent by a purported Nigerian prince, to hacking the database of a financial institution to access personal details of millions of customers.
There are a few steps that businesses can take to help protect themselves from a cyber attack.
It’s vital to have a security framework in place to manage cybersecurity risks, and this framework should be benchmarked against security standards such as those available from the National Institute of Standards and Technology or the Essential Eight Maturity Model developed by the Australian Signals Directorate, so that any gaps can be identified.
It is recommended that businesses conduct vulnerability assessment and penetration testing on a regular basis to identify cyber security exposures in their IT environment. It’s also critical to introduce, for instance, multi-factor authentication and adequate password protocols. In addition, with more people working from home, secure cloud-based technology, virtual private networks (VPNs) and encryption methods are essential.
However, the most important aspect of any cyber-security protection plan is the human side. Businesses can have the most advanced and technologically sound security infrastructure in place, but all it takes is one small mistake by an employee and it can easily come undone.
Kapil Kukreja is director – risk, assurance and advisory at HLB Mann Judd Melbourne.