The digital age presents opportunities and challenges for businesses, organisations and individuals alike. Undoubtedly, those who prefer to be at the cutting edge of technological implementation reap the benefits, of which there are many. However, those who prefer to refrain from implementing the latest technologies can find that they face some negative consequences of “digital disruption”, which can vary in significance and importance. (The term “disruption” can be a bit misleading, but it generally refers to the effects of digital change.) On the other hand, implementing the latest technologies does present significant exposure to Cyber Security (CS) threats, the sort that feature heavily in the media.
This article is the first in our Cyber Security Series, which will discuss many aspects of this seemingly impossible labyrinth of information.
The extent of the problem
We have all witnessed the rapid expansion and implementation of digital technologies during the last 20 years. A combination of general criminal intent or malicious motivation and astronomical amounts of money in the offing has led to an explosion in the number and sophistication of cyber attacks across global networks.
Findings from the 2015 Cyber Security Survey across Australia’s major businesses include:
- 50% of respondents experienced at least one incident of cyber threat in 2015
- 11,733 incidents affecting businesses, of which 218 affected critical national infrastructure
- In terms of the significance of threats, ransomware was ranked the highest, followed by breach of privacy and malicious emails.
In response to the Financial Systems Inquiry in 2014, the government listed CS as one of its top security priorities. The former Cyber Security Strategy is being reviewed through collaborative efforts between the public and private sectors. A new or updated public strategy statement is expected to be released later this year.
While Australia is yet to enact any legislation, various regulators have certainly increased their vigilance regarding cyber resilience and surveillance.
Cyber resilience is much more than just preventing or responding to an attack. A myriad of issues may be encountered, varying from relatively minor email intrusions to complete system outages and extensive data theft. What is important is the ability to prepare for, respond to, adapt to and recover from a cyber attack, whatever its form.
Whilst organisations have varying legal and compliance obligations, the following are common CS obligations:
- Establishing a CS risk management framework
- Enabling suitable people to act in the organisation’s best interests, with reasonable care and diligence
- Establishing “reasonable steps” to protect personal information
- Ensuring internal and external stakeholders are aware of its implications and safeguards
- Ensuring agreements with third-party providers dealing with:
  - business continuity
  - compensation/insurance for cyber incidents.