Alexandra Cain, moderator, Listed@ASX: What are some of the most pressing cyber risks listed businesses face?
Zoe Thompson, director, cybersecurity and digital trust, PwC: There’s a much more dynamic, busy threat environment and the regulatory environment behind that is catching up quickly. So, boards need to think about their reputational and compliance risk and be across laws such as the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) that came into effect on 2 April 2022. The SLACIP Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act). It outlines an enhanced cyber security framework for entities that operate systems of national significance and introduces a new obligation for responsible entities to create and maintain a critical infrastructure risk management program.
This means the company must be aware of the cyber risks it manages on a daily basis, confident communicating and reporting on them and able to attest to government about the way those risks are handled. Ensure there is an alignment across the enterprise including IT and other supporting systems and services about how cyber security is managed.
Peter Furst, cyber breach coach, Emergence Insurance: There has been a significant rise in ransomware over the past year, putting businesses of all sizes at risk. There’s also a growing sophistication from threat actors. This has become big business, with a diverse range of operators. Criminals even advertise jobs just like it’s a normal business. This increased sophistication has made them more able to exploit zero-day vulnerabilities, which is a threat that is not known until it happens and refers to the window of time to develop patches to address the vulnerability.
Phil Rodrigues, head of security, APJ commercial, Amazon Web Services: Customers I speak to in sectors like manufacturing and retail are increasingly concerned about ransomware. As a cloud provider, when I talk to customers about ransomware, I first discuss the importance of getting the basics right, like making sure their passwords are up-to-date. Then I progressively move up to more complex processes like how authentication systems are secured. Successful ransomware attacks happen because businesses don’t have good identity security. For boards, look at your company’s identity strategy and metrics around how you deal with identity-based attacks. Your identity is your success in a cloud environment, including your username, password and the authentication credentials required to access virtual environments.
Phil Dawson, CEO and co-founder of Sovereign Cloud Holdings: We are recently listed and provide cyber threat monitoring technology to governments, including the Australian Electoral Commission, which oversees elections. We also provide a range of Infrastructure-as-a-Service services to government as well as to critical-infrastructure-sector organisations. This is important because the recent SLACIP Act amendment has now formally defined 11 critical infrastructure sectors including communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage. Some of these sectors are being pulled into the regulatory regime for the first time.
Aside from ransomware, data-destroying malware is a pervasive threat. Criminals are moving away from a smash-and-grab of your data and now have a secondary intent, for instance, understanding which businesses have cyber insurance and the level of their insurance.
Peter: We don’t encourage clients to publicly reveal they have cyber cover. Our approach as an insurer is to assist clients to have the most secure environment they possibly can. We also provide a 24/7 incident response service, so should a breach occur, a business can immediately get in touch with one of our specialists. Threat actors are becoming a lot smarter about what they target and use different ways to get information and on-sell those credentials to other threat actors to execute ransomware. Data protection is a growing concern.
Zoe: All businesses are a target and attacks and exploits happen all the time. In the news, it’s often suggested these things are really quick, similar to a mugging. But they can take months or years to coagulate and become apparent. So businesses have to be focusing on strategy and their tech options, including the applications, cloud and data sovereignty providers, insurance and training.
Boards could be tempted to throw a lot of money at this. But they need to do the thinking to understand what they need. That comes down to the crown jewels. Figure out the critical assets and services you need to run your business and the main threats and risks. If you do that, you can provide proper protections. We’re in an environment in which it’s a matter of time before you are the subject of an attack and it’s a matter of resilience and prevention.
Listed@ASX: So what’s changing in the threat environment?
Phil Dawson: Volume, velocity and value of data. Everything businesses do is online and uses data. The threat to the integrity of their data is existential. If a business gets hit hard or hit persistently, it is unlikely to remain in business. That has serious effects across the supply chain. The sheer volume of data in the market makes it more attractive to cyber criminals, so the whole business community must become more mature around cybersecurity.
Phil Rodrigues: The shift to working from home means organisations now have to handle access to data from a really wide range of locations and devices. Research that explored the views of 255 IT and business leaders by advisory firm ADAPT found about two thirds of CIOs and security leaders in Australia and New Zealand report they are going to refresh their cyber security strategy as a result of the pandemic. Just over half have more budget for cyber security. Trends aside, regulatory opportunities like open banking can help organisations to improve their security posture and make sure their data is secure and private.
Directors have a corporate and potentially individual responsibility to be aware of changing regulations and what they mean. For instance, under the new critical infrastructure legislation, the federal government has the right to step in if one party in the supply chain is putting the rest of the chain at risk.
Listed@ASX: What should listed businesses be doing to prioritise cyber security?
Peter: Directors need to proactively develop a cybersecurity strategy. All directors have a duty of care, so ignoring cybersecurity would be at their peril. Legislation now places higher responsibilities on directors across a broader range of industries and they must appreciate that.
Phil Dawson: Over the last 18 months, there has been a step change in boards’ understanding of cyber. They are increasingly aware of how important it is to have access to specialists on the board, whether that’s non-executive directors or advisers. But, while top-down strategy is one aspect, there’s also a cultural, bottom-up perspective and a requirement for training and testing. There are lots of tools that can remind staff about not clicking on phishing or smishing links, which is a cyberattack delivered through SMS. But preventing penetration and compromise starts with cultural awareness.
Listed@ASX: How can boards be confident the cultural box has been ticked?
Zoe: That’s really hard, but it goes back to your assets and data. A cybersecurity incident may feel like an IT problem, but because of the way it affects people, it’s usually a human problem. So, you will need to involve your legal department and your media team and potentially restrategise. Boards need to approach this from an all-in perspective. A curveball is the huge skills shortage in cyber. The government has recently announced support in this area, but the skills shortage is not just a government problem. It’s an everyone problem.
Listed@ASX: What’s the lateral thinking approach to solving that? Is it hiring from overseas? Is it more technology?
Phil Rodrigues: ASX 200 companies start worrying about skills once they reach a certain level of maturity, because access to the right skills is how they can manage risks long term. The ADAPT research found 44 per cent of chief security officers said in-house security skills were okay but could be better and 40 per cent, a big chunk, said their cybersecurity skills are poor. When we talk to businesses about skills they need for the future, cloud and cloud tooling and cybersecurity are two of the top five skills they need by 2025. There are a number of initiatives to help build the nation’s cyber skills. We invest in industry partnerships with the banks and provide fun and practical cybersecurity courses to hundreds of thousands of students across Australia with organisations like the University of New South Wales. Everybody is heavily investing in skills.
Listed@ASX: Are there certain metrics or data boards should receive when it comes to cyber security?
Peter: The Essential Eight maturity model sets out the areas on which companies must focus. Boards should ask their CIOs about who has responsibility for this in the business and its progress in terms of application control, patching, multifactor authentication, restricted access and backups; anything that’s crucial for business continuity.
Zoe: I would pull in my procurement and contract team if I was a top-notch CIO. Look into the future and find out if important contracts include a clause that requires the other party to notify the business if they have a security incident or if they can’t supply. Consider the point at which the notification should happen and the conditions that need to be met for the contract to be broken. Talk to HR about critical asset operators and the people who touch crown jewel data and assets. Employee screening mechanisms and redundancy processes for certain roles are also considerations.
Listed@ASX: How can the board get comfortable the business is investing in the right tech?
Phil Rodrigues: When we talk about boards and what they need to know, it’s always a balance of transparency and priority. The security industry can be too transparent, with too many metrics, statistics and alerts. This can water down boards’ comprehension. Also, humans are not good at this. Evolution means we’ve become really good at not being eaten by wild animals. Over the last 100 years, we’ve gotten good at not being hit by cars, but we’re really bad at estimating cyber risk. So, when we talk to customers, internal execs, our own internal and external CEOs and our board, we train their instincts around understanding the biggest risks.
Phil Dawson: There are no silver bullets when it comes to tech. There is a range of steps you need to take to mitigate risk. It’s also essential to understand when you are legally required to tell your customer you have had a reportable incident in an IT world full of false positives. With billions of interactions occurring in every system every day, identifying the ones that are malicious can be fraught. So, talk with your trusted advisers, peers and the industry about the tech that works.
Peter: Putting in place a cyber incident response plan is a crucial step. Because when an event happens, knowing who is in charge and everyone’s role is vital.
Listed@ASX: How should a listed business communicate to the market if it has been the subject of an attack? What are the regulations and expectations?
Zoe: Be extremely cautious. Regulations require reporting entities to report to the Australian Prudential Regulation Authority, the Australian Cyber Security Centre or the Department of Home Affairs and a number of other organisations, based on the significance of an incident. So, first confirm you are actually dealing with an incident, which is a lot harder than it sounds, because the timeframes for notification are very short. Also, rehearse incidents to get a flavour for how much time it takes your board to notify and sign off reports.
Phil Rodrigues: Security is not a dark art. It should be as transparent as possible. History has shown fast, accurate and detailed communication is best. Customers want to find out early what has happened. They don’t want to know later, guess what has happened or be given the wrong information. It’s perfectly acceptable to update the market on an ongoing basis. Canva is a great example. It had a very serious issue a few years ago and it was transparent about the attack and how it was being addressed. Years later, this case study is an example the industry can use to understand how to handle an incident from a technology, process and press perspective. It all helps the industry learn and mature.
Listed@ASX: What do investors want to know? Because this is part of their risk assessment when they look at a business.
Peter: Investors should want to know about how serious the board is about cybersecurity and resilience, and that the culture is one of transparency and preparedness for a cyber event. I would want to know the business’s maturity level, whether multifactor authentication is implemented, whether it has offline backups of crucial data and whether a cyber incident response plan is in place. Those things are crucial.
Listed@ASX: How’s that likely to change over time? Presumably as the sector matures, it’ll be easier to price risk, because there’ll be more knowns?
Peter: You’re not going to see insurers accept a risk without fully understanding it and how an incident could affect the policyholder’s likelihood of suffering an incident and the ability to respond to it.
There was an incident in the US last year that knocked out fuel supply on the east coast. The criminals likely got into the business through a VPN that had a simple password and into an account that had not been turned off, which belonged to someone who had previously worked for the business. This is a big company, with significant critical infrastructure. It beggars belief it did not have multifactor authentication and the principle of least privilege implemented so you only give access to information to those who need it to do their job.
The second someone leaves the business they do not need access to that VPN. This business had to pay a US$4.4 million ransom and suffer significant reputational change. A few weeks later, JBS Food paid a US$14 million ransom.
So vulnerabilities exist. Insurers are asking questions around companies’ strategic approach to cyber. When you see companies are thinking about this not as an IT issue, but as a business issue, they are able to respond much better when an attack happens.
Listed@ASX: What’s your perspective on whether listed businesses should pay a ransom?
Zoe: The advice is not to pay and, even ignoring that, you don’t want to pay ransoms. Paying a ransom is a quagmire as there are ransomware payment levels. There’s a ransom to stop your data being sold on the dark web, one to get it back encrypted and another to get the key. Move forward with caution.
Phil Rodrigues: I’d caution against paying ransoms. It’s bad for your business and it’s bad for the ecosystem. Spend the money to put in place strong encryption and ensure your data is untouchable by ransomware.
Peter: I’d be nervous as a director if I was in a situation where prized data had not been backed up. Now from time to time, it does happen and companies are basically against the wall or under duress and ransoms are paid. But you are essentially funding a criminal enterprise and the instruments of crime provisions contained in Division 400 of the Criminal Code need to be thought about, as well as anti-money laundering and counter-terrorism financing legislation, and a range of Australian and international sanctions. It’s a dangerous game you don’t want to play when you could have avoided it by backing up your core data.
Phil Dawson: Some countries are looking at making ransom payments illegal, which means directors of businesses that pay them could be jailed. The argument is that this reduces the market for ransom attacks. Also, a consideration is if you pay one, you’re likely to be repeatedly attacked because you’ve proven that you will pay.
So, back up your data and undertake war-game exercises because you don’t want to be making these decisions under duress. You want to have an understanding collectively as a board about your position at that point. I can’t imagine that it’s an easy position to be in as a CEO or director of a business when that happens.
Listed@ASX: How do boards know if they are spending enough?
Peter: As an insurer, we always come up against this fear that cybersecurity is a very expensive thing. But the fundamental things we’re talking about are not expensive. Implementing multifactor authentication does not cost anything. Making sure your systems are regularly patched doesn’t really cost anything. Figuring out what your key data is and having it backed up and regularly checked does not cost much. Having a principle of least privilege doesn’t cost anything. Once directors know that, security posture can be easily and vastly improved and threat actors will be more likely to go after other companies that do not have these things in place.
Listed@ASX: What’s the one message you want boards to take away?
Peter: Having the right mindset towards cybersecurity is core to your business. Understand the role data plays and its value so you can protect it.
Phil Dawson: Many boards are disconnected from their tech and not able to challenge aspects of technology in the way we’ve talked about today. Bring in advisers and apply diverse thinking to your cyber security strategy.
Zoe: If you are in an incident, it’s not too late to take the opportunity to learn in the moment. Know who your critical asset operators are and question them about their last cyber event and what happened. If you reach down from the board level and get to grips with what is happening in the business, you’re going to get some really great insights.
Phil Rodrigues: Boards, CEOs and other leaders have a big responsibility to set and manage the culture of their companies. It’s not technology that makes you secure, it’s organisational culture. Modern organisational culture means security is distributed across the business. Make sure the metrics are transparent and available all the way to the people at the top. If you’re on a board, if you’re a CEO or if you’re a leader, talk about security and help distribute and disseminate that security culture.