MinterEllison’s Perspectives on Cyber Risk 2020, launched today, has highlighted the need for business to get on the front foot with its cyber security management.
Completed in November 2019, before COVID-19, the research shows a year-on-year decline in business understanding of how best to respond to a cyber attack, dropping from 35% to 20%.
“Even without the COVID-19 event, there was already a signal for action. Now we believe it’s time to put cyber risk management front and centre – from board level and throughout the organisation,” said Paul Kallenbach, Cyber Security Partner at MinterEllison. “The increase in attacks during the first quarter of 2020 and the increased pressure of the COVID-19 situation makes this even more important.”
He pointed to the report findings showing that phishing and email fraud were still the most common cyber incidents, together accounting for 71% of all attacks.
“The frequency of attacks is also rising and that’s troubling,” said Mr Kallenbach. “Our Report findings show an increase in the number of organisations more frequently attacked, with 14% of those surveyed attacked more than five times (up from 5% last year).”
Cyber Security and COVID-19
MinterEllison also says COVID-19 has shone the spotlight on the Report findings that business does not have a good understanding of how best to respond to a cyber attack.
“COVID-19 caught many businesses by surprise,” says Mr Kallenbach. “With the increased pressure of offsite workforce management, in many cases, current security and measures have shown weaknesses, and are not geared to cater for large scale remote access and WFH practices.”
He said: “COVID-19 highlights the critical dependency of almost all organisations on technology. However, with so many employees now working from home, remote access weaknesses may constitute a threat to core business operations and stability.”
Mr Kallenbach highlighted the point that, together with the increasing number of cyber attacks, COVID-19 impacts had also emerged and heightened the risk levels. These included:
- Changed IT landscape for business – triggered by working from home (WFH)
- Spike in own device use - workers using their own devices with apps and platforms that may not be approved
- Resourcing issues - stretched business systems and IT departments
- Budget management - budget cuts to costs and projects
He said business needed to understand what best practices are required to prevent a cyber attack and how to respond if attacked.
“This is a time for action and leadership. Poor understanding of cyber security and an inability to mitigate cyber risk will leave directors and organisations exposed to heightened legal and reputational risk and regulatory scrutiny. Further, changes in staffing increase the likelihood of processes and delegations being misunderstood, misapplied, or deliberately circumvented. The move to new operating models increases the likelihood of failure of untested or outdated risk controls. Cyber criminals are exploiting the situation by disguising malicious websites as sources of credible public health information, making organisations even more vulnerable.”
Cyber Risk Management Actions
To mitigate this increased level of risk, MinterEllison says organisations must review their business continuity plans and carry out revised risk assessments.
They should also implement and regularly test robust cyber security governance arrangements, update technical controls, and ensure staff are informed and educated in cybersecurity risk and practices.
“It is also likely that staff will begin using current technology in new and unexpected ways, including engaging with new technologies without the requisite approvals,” said Mr Kallenbach. “However, organisations should not overlook their usual technology internal assessment processes, including consideration of data sovereignty, confidentiality, security, privacy, specific regulatory regimes (such as the prudential standards) and sanctions laws requirements.”
MinterEllison Cyber Security Best Practice Prevention
- Develop Cyber Resilience - develop and implement a cyber resilience strategy which is regularly updated
- Design Data Breach Response - develop and implement tailored data breach response, business continuity and disaster recovery plans, which are regularly tested and updated
- Deliver Training - regularly train all staff (not just IT staff) in order to embed a culture of cyber awareness and data protection across the organisation, and to ensure that everyone understands their roles and responsibilities in the event of a cyber incident
- Include Privacy & Security Assessments - undertake privacy impact and security assessments when planning to adopt AI, big data solutions, or other new technologies
- Focus on Governance and Ethics - develop governance and ethical guidelines and frameworks for the use of data having regard to the prevailing technological, regulatory and business environment
- Embed Cyber in Business DNA - capture lessons learned and monitor global developments in privacy and data protection to continually assess and improve the organisation’s cyber posture, and embed the right processes and awareness in the culture.
Methodology – MinterEllison Perspectives on Cyber Risk 2020
MinterEllison’s fifth annual cyber security survey was completed by more than 122 legal counsel, Chief Information Officers, Chief Operating Officers, Data Protection / Privacy Officers, Board members, IT specialists and risk managers of ASX 200 and private companies, government agencies and not-for-profit organisations. Just over half of respondents came from organisations with more than 1000 staff.
We issued the same survey to all participants. Participants responded to questions about cyber security roles, responsibilities and attitudes within their organisations. The survey was conducted during November 2019.