The recent cyber breaches at Medibank and Optus again show just how critical strong cyber security is for all organisations, for the economy as a whole and for each of us as individuals.
The Optus incident represents one of the biggest data thefts in Australia’s history, with up to 10 million customers potentially having had their data stolen or compromised.
It’s little wonder then that cyber security is consistently cited as the number one issue keeping Australian company directors awake at night.
In fact, a cyber-attack was reported every eight minutes to the Australian Cyber Security Centre in the 2020–21 financial year, a 13 per cent increase on the year before.
To help organisations proactively guard against this increasing level of threat, the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) have joined forces to develop a practical framework to support directors in governing cyber security risk and building organisational resilience.
Bringing together more than six months’ research and extensive consultation, the Cyber Security Governance Principles are designed as a practical guide for directors of organisations of all sizes, from major corporates to small and medium enterprises and not-for-profits.
Consistent feedback from AICD members reveals that directors are highly motivated to deal with the issue of cyber security risk and governance, but up until now there has been a gap in practical support that provides them with the tools to engage with management, ask the right questions and proactively promote a culture of cyber resilience.
Case studies included in the Principles reveal how challenging a cyber security event can be for boards and directors to oversee due to the speed at which these events move and the very real potential they have to cripple an organisation to the point of insolvency.
Directors need to be setting the tone from the top in promoting a cyber-resilient culture and probing and challenging management on risk controls. When it comes to cyber, there is no place for a set-and-forget mentality.
At its most serious, a cyber incident can cripple an organisation’s operations and reputation. And the fallout of a cyber incident often has a very long tail.
Directors and experts that we engaged with on the Principles strongly conveyed that there is no excuse for not being well prepared for a significant cyber security incident. Such is the threat, and its changing nature, that most organisations will likely experience a significant cyber or data theft incident.
Comprehensive planning must include a strategy for how and when the organisation will communicate with affected customers, employees and government. This is not the time to be making it up on the spot.
Without clear roles set out prior to an incident, confusion ensues. Defining clear roles is a foundational component of building effective cyber resilience. Bad actors aren’t just targeting large organisations. Small businesses and not-for-profits also present a ripe target for attack.
The Principles seek to assist the directors of these organisations by providing low-cost and simple practical steps that will result in immediate benefits to their cyber defences.
It’s important for us to take the lessons of Medibank, Optus and other serious cyber incidents and use them to strengthen our collective hand.
Combatting this common enemy requires us to collaborate and we can all learn from each other. Rather than using cyber resilience as a form of competitive advantage, there’s an opportunity here to cooperate and build resilience.
We see our Principles as an important contribution.
Rachael Falk is the chief executive officer at the Cyber Security CRC. Mark Rigotti is Managing Director and Chief Executive Officer at the Australian Institute of Company Directors.
Laudable as they may be, nothing in these principles will stop the current onslaught of breaches until such time as institutions implement effective authentication that prevents phishing attacks. We have been writing to Australian institutions for years, and the net result is no action to implement the technology we have available to fix this issue. Now Australian institutions are paying the price for this shortsightedness.