In this series, we're going to be looking at the current cybersecurity threat landscape and sharing our insights on how best to prepare to respond to, and recover from, a major cybersecurity event.
In recent years, COVID-19 has presented the perfect conditions for cybercrime to flourish, with organisations around the world stretching and redeploying IT resources to accommodate mass remote working. More recently, we've seen unprecedented growth in state-sponsored attacks, particularly in the wake of the Ukraine conflict.
Hitting the headlines just a few weeks ago, Australian telco Optus was subject to what was arguably the most significant cyberattack in Australia's history. The personal information of around 10 million customers was compromised in the attack; that's about 40% of Australia's population. It is not surprising that cybersecurity is the key focus under the New Zealand government's recently released digital strategy.
In theory, cyber risks are no different to any other risks that the Board needs to manage, but I challenge you to find any risk that is increasing exponentially, year on year, like cyber risks are. Most directors come from a business, financial, accounting or legal background. They're not used to managing an IT function. To assist in this, I really encourage boards to get to know the IT department well, ahead of time. This will assist in managing the oversight function that boards need to exercise, and when a crisis does develop, it means that there's already a good working relationship.
The Board of Management need to decide what cyber risks they wish to avoid, those they're willing to accept and those that can be effectively mitigated or transferred, for example, through insurance.
Cybersecurity plans and processes should be documented, embedded throughout your organisation and regularly updated and tested.
The vast bulk of cyberattacks rely on some form of human vulnerability, for example, credential harvesting using phishing, social engineering or some other form of human error. Creating an organisation-wide culture of security is therefore one of your best defences against cybercrime.
Increasingly, organisations that are subject to a cyberattack are seen as the perpetrators rather than the victims. This is particularly so when relaxed security practices contribute to the cyberattack or resulting damage.
In our next episode, we'll be talking about how best to prepare for and mitigate against a major cybersecurity event.