What two things happen when you leave your business open to cyberattacks?
The first is that your cyber-risk management strategy, technology and processes are called into question by your stakeholders, customers and the Australian government. And if found wanting, you could face severe consequences, financial and otherwise.
The second is that your business may simply not bounce back. It may lack the resilience and customer loyalty needed to recover from the damage done by a cyberattack (and this is assuming you’re lucky enough only to be targeted once). According to Gemalto’s study of 10,000 global consumers, when a company suffers a data breach and their privacy is compromised, more than 70% will stop using the service.
Let’s look at these two scenarios a little more closely, then discuss how to offset them.
The compliance consequences (and you are right to be scared)
The Australian Securities and Investments Commission (ASIC) takes its role as a watchdog and enforcer of risk management very seriously. It has launched and completed significant civil penalty proceedings in the Federal Court against both the unwary and the ill-prepared.
If you think it couldn’t or wouldn’t happen to you, then think again. After all, as a business, you are legally required to comply with ASIC’s strict legal, regulatory, and contractual cyber security and resilience obligations, and data breaches are a legally notifiable occurrence.
Two recent local cases bring home the everyday reality of not adequately protecting your people, customers, and technology.
The eye-watering cost of failing to manage cyber risk
Case 1 (done and dusted): In May 2022, one organisation’s failure to manage their cyber security appropriately, which resulted in repeat breaches, attracted a $750,000 penalty. That’s a considerable amount to try to recoup, and for many businesses, the fine alone, without the subsequent loss of customer loyalty, would be a death blow.
This financial services licensee was taken to task following a significant number of cyber incidents between June 2014 and May 2020. In one of the incidents, says ASIC, ‘an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.’ Ouch.
ASIC Deputy Chair Sarah Court said, “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”
Case 2 (currently in the hot seat): In July 2022, ASIC held a fund services organisation to account for ‘multiple failures to meet the obligations of its Australian financial services licence, including a failure to meet organisational competence requirements.’
ASIC’s allegations include that the organisation failed to ‘have in place adequate risk management systems’ or to ‘have adequate resources (including financial, technological, and human resources) to provide the financial services and carry out supervisory arrangements.’
In this case, ASIC is seeking:
- Declarations and pecuniary penalties from the Court.
- An order for an independent expert to be appointed to review and report on the organisation’s systems, processes and controls.
- A requirement for the organisation to implement a risk management and compliance program once the report is received.
The date for the case management hearing for this instance is yet to be scheduled by the Court. But, if found liable, you can be sure that the resulting fine will result in a sharp intake of breath (and perhaps even a few tears) when announced. And the fallout from the loss of customer loyalty could be even more devastating.
So, if you’re not yet sitting up and taking notice of how you manage your cybersecurity risk, perhaps you should be. Because if it can happen to them, it can happen to you.
Can you recover? (Clue: Preparation, not cure)
Now, we sincerely hope you won’t ever be impacted by a cyberattack. But the sad statistical reality is that you are more than likely to be.
The World Economic Forum currently ranks cybersecurity failure as one of the top ten risks in terms of likelihood of occurrence. Frighteningly, if you are classified as a small business, one in eight of you won’t recover, ever. All of which makes cyber resilience and recovery a board-level priority, along with business continuity.
As part of their Annual Cyber Threat Report 2020-21, the Australian Cyber Security Centre (ACSC) offered this wise advice: “While the costs of impacts are difficult to quantify, the costs of remediation for a cybercrime or cyber security incident can be far greater than early and ongoing investment in prevention.”
We’d like ACSC to add ‘and cyber resilience’ to the end of that comment.
Your ability to be cyber resilient and recover to a business-as-usual state as quickly as possible is as essential as having the right cyber security solutions in place. It must be said, ASIC is also a big advocate of this approach, freely providing excellent information on good cyber resilience practices.
And to clarify up front, remember that cybersecurity and cyber resilience are not the same. So, here’s a quick recap of how they differ:
- Cybersecurity is how you protect your electronic data. It encompasses the processes, best business practices and technology solutions that you put in place to safeguard your systems and network.
- Cyber resilience is your ability to prepare for, respond to, and recover from a cyberattack. If you’re cyber resilient, you’re better equipped to defend your organisation from attack, limit the impact on your systems and data, and keep on working during and after an attack.
Where and why does business continuity come into it?
Having an effective cyber business continuity plan is vital to the ability of your organisation to be cyber resilient. A business continuity plan and cyber resilience don’t work in isolation from one another but walk side by side as a team. Think Batman and Robin.
Your cyber business continuity plan guides you through the practicalities of survival at the moment of impact, and gets you out the other side, perhaps a little bruised – but alive and kicking – by providing:
- Clearly defined crisis management roles and responsibilities so everyone in the organisation knows exactly what they have to do and can simply get on with it – like a well-practised fire drill.
- A detailed IT security crisis communication plan and processes that outline all reactive measures and control efforts, so you don’t have to second-guess ‘what next?’.
- The incident response actions needed to keep your data safe (and to make sure you don’t accidentally open your business up to a data breach while distracted by a disruption!).
- An up-to-date checklist of all IT-dependent applications, like your website and intranet, social media accounts, shared drives and collaboration platforms, and all your IT assets.
- And lastly, those all-important how-to instructions for secure access, security workarounds, and fail-safe backup systems, which ensure you have access (and can keep working) throughout the disruption.
Reducing the burden of risk management
As the cost and frequency of data breaches continue to rise, maintaining a tight focus on cyber resilience and business continuity is key to survival and ensuring legal compliance.
We believe that although the deluge of cybercrime can appear daunting, with robust, intelligent cybersecurity solutions and a top-down cyber resiliency strategy, we will all hold our own.