Cyber security, a discussion for senior management
24 Jul 2018
CEOs and Board members need to become the first line of defence in protecting organisations from cybercrime, according to Terry Michael, an expert in the field of cyber security. Cybercrime is getting harder to detect. Findings from the annual Allianz Global Corporate & Specialty (AGCS) report predict that the current climate of cyber attacks will intensify and grow more sophisticated this year. That means “cyber hurricanes” such as the 2017 WannaCry attack are tipped to accelerate.
Although business interruption remains the most feared threat to companies worldwide this year, in Australia respondents think cyber incidents are the primary risk, followed by business interruption.
Head of Catastrophe Risk Research at AGCS, Ali Shahkarami warns that greater interconnectivity will require tighter cyber security measures that make cyber insurance central to a risk management plan. Organisations will need to do some homework if they are to meaningfully address their risk exposure.
With new mandatory data breach liability laws, the gathering storm that has swept across the regulatory framework landscape in Europe and the US is now firmly on the Australian horizon.
Terry Michael is the CEO of TLM Cyber Strategy, a company that specialises in helping Boards to build and implement cyber and data security strategy and culture. The clients who receive his cyber compliance and cyber investment advice span a range of industries and range from individuals and enterprises to investors across the globe. He encourages senior management to think more carefully about how they are measuring risk.
“Digital rights for Europeans are evolving quickly. In Australia, we are behind by about ten years. We know that the technology framework is changing, but the legal regulatory framework is an even bigger shift that is bringing in a whole new culture.”
Michael likens the gravity of change to the introduction of the occupational health and safety legislation reforms in the 1980s. In common-law jurisdictions, the Board and CEO will have a duty of care for the privacy of data and its safe storage.
In a similar vein to the Brundtland Report, released in 1987, organisations will need to apply ‘sustainable development’ to their cyber security measures. The Brundtland Report defines sustainable development as: “that (which) meets the needs of the present without compromising the ability of future generations to meet their own needs”.
If the Brundtland Report inspired ethical focus for corporations and government so that humans could build a safer and more civil society, then today’s leaders must apply the same principle to preserve something far more curious and intangible. When it comes to the issue of protecting personal data through considered cyber security planning and implementation, Michael is fearful that the majority of Board members are accountants and lawyers who are unable (or unwilling) to see how the regulatory environment is changing. Will they grasp the inevitable impact this carries for industries such as healthcare, in the next 3-5 years?
“No sector or industry is in shape yet, but there is a culture and leadership problem in Australia. The current Board culture is only about looking at things from the perspective of financial and operational risk,” he explains. “Hospitals don’t understand the size of the problem they’re about to confront.”
“Under the Privacy Act, all Australian companies collecting and storing customer data with off-shore Cloud service providers are legally responsible for its safe storage and can be prosecuted under Australian Privacy law and given hefty fines and penalties, regardless of whether or not this data loss has occurred outside of Australian national borders. The new amendment to the Privacy Act in February 2018 makes it a legal requirement to report that data loss to all affected Australian individuals and to the Australian Office of the Information Commissioner (AOIC) responsible for enforcing the Privacy Act. It’s meant to protect all Australian individuals’ privacy and ensure they suffer no financial or personal harm from the loss of their data.”
Rewind to May 2017, when the NHS in the UK suffered a major ransomware attack known as WannaCry. It triggered a worldwide cyber attack affecting 150 countries. The former chairman of NHS Digital, Kingsley Manning, admitted failures in simple software upgrades, and poor management in monitoring and revising cyber security improvements. But there were other systemic and shocking failures such as ignoring critical alerts to move away from vulnerable old software, and failure to manage firewalls or comply with any assessments around basic IT security best practices.
“The interconnectedness of data storage systems was a huge problem and allowed the attack to spread quickly. It shut down whole hospitals, there was the impact on patients and their treatment because files couldn’t be accessed, surgery appointments were cancelled, and it cost the taxpayer something like $100 million,” says Terry Michael.
Michael suggests that organisational leaders should first figure out their problem, then decide how best to measure their cyber security risk. Doing so positions them to redesign their organisation to deal with that risk.
“With the growing risk of data breaches, we need innovative thinking beyond applying new policies and processes so as to embed key data privacy and security principles, and leave a lasting legacy of data privacy and security within stakeholder groups. The cultural challenge of building an innovative culture to address cyber security requires strong leadership from boards and innovation thinking at the coal-face”.
For those organisations wanting to implement innovation and support their project managers to drive, demonstrate, mentor and teach innovation, there are a couple of non-negotiable actions on their to-do list, according to Michael.
“All Board and senior management should know clearly WHERE their Customer Data resides, WHO has access to this Customer Data, and HOW, WHEN and WHY it is accessed. Without this clear knowledge the ability to mitigate and minimise data loss risks cannot occur.”
“Once they understand these clear requirements, they should implement new technology, processes, and a culture to secure customer data if they are to minimise the risk of a data breach or exposure to an internet virus similar to that of WannaCry.”
Michael has observed a gradual change in behaviour among industry leaders since the introduction of mandatory data breach legislation. Earlier, leaders were comfortable with the notion that a cyber security insurance policy would cover them for financial losses and other damage in the aftermath of a data security breach; now they are becoming proactive in managing their defence.
“Cyber insurance does not protect an organisation, executive or Board-member from reputation and brand damage that would occur from a major data breach. No insurer provides adequate cover for career damage for an executive or Board member who has lost their job. The introduction of Mandatory Data Breach Notification law in Australia aligns our country with other Western country statutory and legal frameworks. This will ultimately result in many C-Level executives and Boards facing professional damage when major data breaches are reported to the Federal Regulator, shareholders and banking/card payment schemes.”
Michael notes additional benefits from understanding cyber security performance throughout an organisation, and hopes some see opportunity for business growth.
“It will help the Board to drive a positive culture and measure successful organisational performance, and it will also improve areas of weakness in the organisation landscape”.
Developing and testing a cyber incident response plan should now form part of a broader business continuity plan. For organisations that rely on a large supply chain to support their operations, knowing whether or not suppliers are diligent in their own duty of care around cyber security matters could mean the difference between life and death for a brand and reputation.
“Cyber security risk can never be fully (100%) outsourced or handed over to suppliers and service agencies. All suppliers that are part of the organisation cyber security maintenance and incident response internal teams need clear contractual service-level agreements that document the supply chain services being provided. Senior management should make no assumptions where suppliers are concerned. During a critical incident response, if something falls between the cracks then teams may be left fumbling responsibilities during a key cyber event.”
Reviewing and managing relationships with suppliers is more important than ever if organisations are to protect their data, client privacy, business assets, and their reputation.
“All suppliers that secure, handle, store, modify, or manage customer data need to have explicit contractual Service Level Agreements (SLAs) to ensure that data security risk is covered and shared. The SLA Contract agreement would easily double cyber security strength provided by suppliers to customer organisations.”
Michael explains that organisations should expect their suppliers to have their own critical incident response plans and regularly (weekly, monthly, annually) undertake audits (internal, customer organisation and independent external audits), reviews and practice exercises to address each type of cyber security event.
“They should provide the customer organisation with regular audit reports and information about organisation remediation activities they have taken to correct findings and to align themselves with industry best practice.”
With risks to data privacy and the threat of data breach activity now appearing internally and externally for organisations, hackers have more than just dumb luck on their side. The business of building and implementing the right cyber and data security strategy and culture is the job of all responsible CEOs and Board members who must absolutely consider themselves the first line of defence.
Terry Michael is an industry thought leader in cyber security risks and CEO of TLM-CyberStrategy. An alumnus of Harvard Business School, he co-hosts Cybersecurity MeetUp Groups in Melbourne and Sydney (one of Australia’s largest cyber security groups, with more than 1,000 members). Through Oxford University he is writing his thesis on cyber security, artificial intelligence, and machine learning, with a focus on how these underpin global growth, risk and investment. He works closely with Board members of some of Australia’s largest organisations, private and government, to help them excel in building the right cyber and data security strategy and culture.