For any organisation that falls victim to a cyber-attack this year, the ability to recover quickly and minimise reputation damage will be critical.
Sadly for Optus, we have a startling example of the reputation cost of a prolonged cyber-attack: $1.2 billion, according to Brand Finance Australia. This is an astounding figure that does not include the initial or ongoing cost of remediating the cyber-attack itself.
With the significant cyber events of last year still unfolding, there are three themes that Australian businesses should be considering in 2023: risk, resilience, and reputation.
A risk-based approach is critical for cyber security.
Australian business leaders are well trained in the art of risk. However, if businesses accept that it’s ‘when’ and not ‘if’ a cyber-attack occurs, detection and response planning needs to be in much better shape.
Cyber incidents are the number one risk in Australia in 2023 for the second year in a row, according to the 2023 Allianz Risk Barometer, whereas ten years ago cyber risk didn’t make the top ten.
From conversations I have with colleagues across the Australian economy, I’m confident cyber is on the risk radar of most executives and Boards. While this may be the case on a macro scale, it’s the micro that concerns me the most, with many businesses not understanding the full extent of their own vulnerabilities. This includes the threats most likely to target their organisation, and the true picture of the different points where an attacker can gain entry to a system.
Security is a critical protective measure to defend against known threats and reduce the likelihood of unknown threats. However, security in isolation is no guarantee of keeping malicious cyber actors at bay, as many Australian organisations and individuals can attest.
Analyse the risks. Mitigate the ones you know about. Plan and prepare for the ones you don’t know about.
We need to move from security to a culture of resilience, fast.
Cyber resilience is the ability to prepare for a cyber-attack, and detect, respond, and recover quickly once an attack happens. Securing your systems is not enough.
In the event of a cyber-attack where systems are either offline or under the control of a threat actor, can your organisation continue to operate? Has your organisation considered the vexed policy matter of whether or not to pay a ransom?
According to the Australian Cyber Security Centre, once a security vulnerability in an internet-facing service is made public, malicious code can be developed by threat actors within 48 hours. In some cases, this can be just a few hours.
In the face of a cyber-attack, time is the enemy. Rapid detection and response measures are critical aspects of cyber resilience, and a key risk mitigation.
The average in-house IT team is simply not equipped with the resources or expertise to quickly detect and respond to sophisticated cyber-attacks. While engaging the appropriate expertise is undoubtedly a notable business expense, the cost pales into insignificance when compared to the potential commercial and reputation cost of a large-scale data breach.
A cyber resilient organisation will have a comprehensive approach to cyber security, a cyber and risk aware culture, and response and recovery measures in place – including business continuity and cyber incident response plans that have been tested, rehearsed, and updated regularly.
Reputation costs will be higher than you think.
I believe most customers and suppliers will (eventually) forgive a data breach, provided reasonable security and resilience measures were in place.
What they are unlikely to forgive is any perception of being misled, misinformed, or worse, being the last to know. When a cyber breach occurs, uncertainty is sure to follow. There are countless examples from around the world of organisations that took too long to communicate the cyber breach or failed to prioritise their customers in the chain of events that followed.
And herein lies the message for CEOs across the country. In the event of a cyber crisis, and as the likely spokesperson for the organisation, you may find yourself in the media hot seat. It stands to reason that a person carrying that level of risk would be fully invested in their organisation’s cyber security planning. That must include an analysis of the reputation risks, and strategies to mitigate them.
There’s no shame in admitting a lack of understanding about cyber. It’s been poorly communicated and shrouded in secrecy for far too long.
So, if in doubt, consider asking your leadership team, ‘If a cyber-attack occurs today, how quickly will we know, what is our response plan, and who comprises our crisis management team?’
Anything other than a swift and co-ordinated response should concern any Australian business leader.