‘Cyber risk is no different than any other risk’
With a number of recent data breaches and other incidents, cyber security will remain a key issue for organisations across a range of sectors moving into 2023 — but there are a number of things boards can be doing to mitigate risks.
As part of the King & Wood Mallesons 2022 Digital Future Summit, the Cybersecurity – Today and Tomorrow panel discussion revealed what organisations could and should be doing moving forward to better protect themselves from cyber security risks, as well as what frameworks they should be establishing.
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
The panel was moderated by KWM partner Cheng Lim and delved into what organisations and boards can do to protect themselves against cyber security risks in the current landscape — particularly following the Optus and Medibank data breaches.
Andy Penn, chair of the Cyber Security Industry Advisory Committee and former Telstra chief executive, said that as COVID-19 accelerated the adoption of digital technology, that adoption, unfortunately, and inevitably, results in increased malicious activity and cyber criminals.
“100 years ago, if you wanted to rob a bank, you actually had to turn up at the bank and physically rob it. Now you can do it from the other side of the world; you can do it digitally. And unfortunately, there [are] no consequences. Because a lot of these activities, a lot of this malicious activity comes from nation-states and jurisdictions where we don’t have any jurisdiction and, frankly, where it’s coming from, and not really interested in working with the Australian Federal Police or otherwise. And so, you’ve got all these sorts of dynamics happening.
“And I think the big thing for boards, as I mentioned earlier, is if you could spend a bit of time immersing yourself in the topic and distilling it down to some of the conceptual points. And then just approaching it very simply, and not letting it get dragged into all of the complexity of the technical jargon,” he explained.
“The issue is, you can’t necessarily, you know, operate on the basis, you’re going to guarantee that the risk never manifests. But what you can do is ask yourself the question, have I taken every reasonable step that is expected and is practical? And can I look myself in the eye and say, we’ve done all of that in the event that something does happen, we’ve also got a plan in place, how to deal with it. And to me, cyber risk is no different than any other risk.”
In addition to actually taking reasonable steps to understand cyber risk, Cyber Security Cooperative Research Centre CEO and co-author of The Five Knows Rachael Falk said having a third party come in to audit an organisation’s cyber security practice can also be extremely helpful in preventing breaches.
“It’s incumbent that companies, depending on the size and the resources, do adequately invest and understand the risk proportionate to their profits and what they need to do. So, there is an element of the section 180 corporations law duty, but I will also argue, and this, unfortunately, or fortunately, has not been litigated in Australia. But I would argue that, you know, when it does come, and it will come that the court will take that section 180 lens, and they will look also at that tortious lens of duty of care. So, did you take reasonable steps, this was reasonably foreseeable in the circumstances, did you do all things reasonably necessary to protect the company?” she said.
“The best chance your board and your leadership team have of understanding how we sit within our range, get a third-party audit, [have] people come in and test every important aspect of your organisation. Mistakes happen; you can have the most well-oiled machine, and mistakes will happen, because we’re humans, and sometimes we just do things [we didn’t need to]. And it can result in major breaches.”
For Catherine Brenner, chair of Australian Payments Plus and board member for NED, Scentre, Emmi, and The George Institute for Global Health, having these reasonable steps and organisational training in place is a means of “self-defence”.
“All the things that we rely on our services and our IT team, or the patching the firewalls, encryption, admin rights, the essential eight, and then the auditing of having someone else marking your homework. And then the final element of that is this active defence piece, which is the monitoring and the detecting and the hunting and the responding quickly,” she said.
“Knowing what you have, why you have it, and where it is, having the conversations to determine what data is most valuable or sensitive, or as some people refer to it as your crown jewels. It’s treating your data like its nuclear fuel, you use it for its intended purpose, and you extract the maximum value from it; you store it really carefully and appropriately. And when you’re required to dispose of it, you do it meticulously.”
Moreover, it’s of the utmost importance for boards to be across these issues — as directors are all “equally liable”, according to Mike Hawker, chair of Bupa and board member of Westpac, Washington H-Soul Patterson, and the Museum of Contemporary Art Australia.
“I don’t think you can have a one person on the board that can deal with all the technology issues of all cyber security issues. I think you’re better off having people come in who are experts in different parts of that field, to help you navigate and understand what is going on in terms of how you need to set up your data, how you democratise it, all the elements of collection, trying to put all the capabilities around it to meet all your requirements from a customer point of view, and from how you use it internally and from a regulatory point of view,” he explained.
“The other thing I would say is that, if you’re just starting on this journey, the first thing you do is find out what you think is the data you might have, which is the most critical if you lost it, and work on that first and then work out from there. Because I do think that you can materially change the risk if you can find the critical data and have it encrypted and have some processes around being able to access it, which you can now vide and focus on that materially reduces your risk. This is not going to go away; this is only going to get more sophisticated.”