Cyber Ethos

Cybersecurity Risk – What’s the big deal?

In 2023, most senior executives, including Chief Executive Officers (CEO), Chief Financial Officers (CFO) and Chief Risk Officers (CRO) recognise cybersecurity risk as an important item on their agendas. Company Boards across the world want to know how successfully their organisations can handle cybersecurity related risk.

Since the Optus, Medibank and Latitude Financial breaches in Australia, organisations down under have started making considerable cybersecurity investments. If the organisation is regulated, the regulators come back (usually annually) to validate the resilience the business has reached in cybersecurity, whether that is measured from an Essential Eight perspective, an ISO 27001 perspective, a GDPR perspective or simply a general risk perspective.

The question that gets asked every time a funding package is approved for a Chief Information Officer (CIO) or a Chief Information Security Officer (CISO) is: “How will you demonstrate the Return on Investment (ROI) from a cybersecurity risk reduction?”. Trust me, I have been a CIO/CISO and I know.

The answer to that question is not binary, as cybersecurity risk management requires continual focus and attention. It’s a journey, not a destination.

Risk-based strategy – it makes perfect sense

In order to reduce cybersecurity risk for an organisation, the Executive Leadership Team (ELT) must identify which parts of that risk to target. More precisely, the multiple components of cybersecurity risk must be recognised and prioritised for the business. While this approach to cybersecurity is complicated, best practices for attaining it are developing.

Think of cybersecurity risk as no different from any other operational risk. It is no different from Health, Safety and Environmental (HSE) risk or financial risk for an organisation, and the repercussions are no different. These include (but are not limited to):

  • Financial;
  • Operational;
  • Productivity;
  • Reputational;
  • Physical (if your organisation has Industrial Control Systems & SCADA); and
  • Regulatory (if your organisation is a regulated entity).

Did I hear a question, “Where should an organisation start?” – that’s an excellent question!

A maturity-based approach is a good starting point. Remember, “Rome wasn’t built in a day”. Get started with some fundamentals. Here are the top three (3) strategies from Cyber Ethos’s perspective.

1. Get eyes on the glass

Remember, from a cybersecurity perspective, “if you can’t see it, you can’t manage it”. Establish a Security Operations Centre (SOC) yourself, or engage a service provider to deliver one for your organisation. A SOC watches your network and environment on a 24x7x365 basis: analysts collect and correlate logs and alerts, triage what they see, and respond to the attacks that happen in your environment, even while you are sleeping. Check that the service actually covers the systems that matter (identity provider, email, endpoints, cloud consoles, and any ICS/SCADA networks) and that the contract defines how quickly a confirmed incident is escalated to you. This is an absolute must. Remember, cyber criminals don’t sleep, so why should your monitoring?

2. Multi Factor Authentication

Stolen or reused credentials, usually harvested by a successful phishing campaign, are behind a large share of breaches: the 2017 Verizon Data Breach Investigations Report attributed 81% of hacking-related breaches to stolen or weak passwords. Multi-factor authentication (MFA) is therefore an important tool in your arsenal. By requiring a second proof of identity (a code from an authenticator app, a push prompt or a hardware key) on top of the password, MFA creates a great deal of friction for a cyber-criminal who holds only a stolen password, while causing little delay or disturbance to legitimate users. One caveat: one-time codes sent by SMS or generated by an app can still be relayed through a real-time phishing proxy, so for administrators and other high-value accounts prefer phishing-resistant methods such as FIDO2 security keys. If you use social media (Facebook, Instagram, etc.), webmail (Google Mail, Outlook mail, etc.), government services (GovID, QLD Gov, etc.) or your online banking platform (ANZ, Commonwealth Bank, Westpac, NAB, etc.), the concept of MFA shouldn’t be foreign to you. So, if you are ready to protect your personal data and identity, why wouldn’t you apply the same rigour to your organisation’s data?
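To make concrete what the “second factor” above actually checks, here is an added example (written for this page, not code from Cyber Ethos or any product it mentions) of a time-based one-time password (TOTP, RFC 6238) verifier of the kind behind authenticator apps. It derives the code from a shared secret and the current 30-second time step, tolerates one step of clock drift either way, and refuses to accept a code for a time step that has already been consumed, which is the replay check a real server needs. The secret is the RFC 6238 test-vector secret, embedded here only so the example runs offline; the class and function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: base32 of the RFC 4226/6238 test-vector key
# "12345678901234567890". A real server stores a per-user random secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # seconds per time step
DIGITS = 6     # code length shown to the user
WINDOW = 1     # accept one step before/after "now" to absorb clock drift


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """Time-based code (RFC 6238): HOTP over the number of steps since epoch."""
    return hotp(secret_b32, at // step)


class TotpVerifier:
    """Server-side check of a submitted code with drift tolerance and replay guard."""

    def __init__(self, secret_b32: str, window: int = WINDOW):
        self.secret = secret_b32
        self.window = window
        self.last_counter = -1  # highest time step already accepted for this user

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # code for this (or an older) step was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the SHA-1 code is 94287082, i.e. "287082" at 6 digits.
    print(totp(DEMO_SECRET_B32, 59))
    v = TotpVerifier(DEMO_SECRET_B32)
    print(v.verify("287082", 59))   # first use: accepted
    print(v.verify("287082", 59))   # same code again: rejected as a replay
```

The drift window and the replay guard pull in opposite directions: a wider window helps users with skewed clocks but gives a phished code a longer useful life, so keep the window small and always record the last accepted step.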

3. Do YOUR bit for Cybersecurity

Do you believe that national security is everybody’s responsibility? If yes, then why do you think cybersecurity is only IT’s responsibility? Research consistently indicates that when the entire organisation shares the same view about cybersecurity, cyber safety and cyber threats, the organisation’s cybersecurity posture improves as a result. Some common tips to follow include:

  • Be mindful before you click on any suspicious link or email, and report it rather than deleting it quietly;
  • Complete your mandatory all-staff cybersecurity training annually;
  • Make your passwords long and unique to each account; a passphrase of several unrelated words beats a short string of symbols, and Password1 or 123456789 is not a strong password at all; and
  • Embed cybersecurity as part of the Enterprise Risk Framework.

And if you are one of the top 1% of organisations in Australia that has implemented the strategies above, reached Maturity Level 2 or Level 3 against the Essential Eight, and complies with the privacy and data-protection obligations that apply to you (e.g. PCI DSS if you store cardholder data in your systems, GDPR if you process the personal data of people in the EU, and State and Federal privacy legislation), the next step is to develop a cybersecurity strategy that keeps you ahead of the curve.

Kiran Kewalramani

Kiran Kewalramani stands as an acclaimed technologist with over two decades of robust executive experience in technology, cybersecurity, data privacy and cloud solution enablement. His illustrious career has been marked by transformative roles in esteemed organizations, including Cyber Ethos, Queensland Department of Education, Gladstone Area Water Board, NSW Rural Fire Service, NSW Police Force, Telstra, American Express, and more.