The cyber-attacks on Optus and Medibank recently have brought into focus the devastating impact breaches can have on the reputation of any organisation.
The Optus attack, which was the largest and most high profile in Australian history, has left almost 10 million customers understandably livid that their personal information was stolen.
It is believed that the Medibank attack began when an individual with high-level access to the health insurer’s systems had their credentials stolen by a hacker, who then put them up for sale. Optus had an application programming interface (API) online that did not need authorisation or authentication to access customer data.
The reputational impact of both cyber-attacks will be felt for some time to come. They are a warning shot to Australian businesses that simply can’t be ignored.
Many CISOs will now be taking a closer look at their internal cyber education programs, among other things, to give staff the best chance of not falling victim to cyber-attacks that can severely damage their organisations.
Sarah Sloan, head of government affairs and public policy at Palo Alto Networks, and Matt Warren, director of RMIT’s Cyber Security and Innovation Research Centre, joined CIO Australia’s Byron Connolly for a discussion recently on how Australian organisations can improve their cyber education programs. The panel discussion was held during the launch of the Palo Alto Networks CyberFit Nation program.
The cyber challenges that businesses face are widely known, and many of them centre on human and organisational issues. The human aspect of cyber security awareness is such a complex issue that hackers are looking to exploit it, from scam attacks to the spreading of malware such as ransomware, says RMIT’s Warren.
“We live in the new cyber normal that organisations are facing as they become greater targets for cyber-attacks. One of the key reasons for this challenge is that organisations cannot manage their increasingly complex systems and it is taking time for them to accept cyber security as a business risk rather than a technical one,” says Warren.
Palo Alto Networks’ Sloan says organisations across Australia are becoming more aware of cyber risks and the importance of educating staff, their customers and even students on how to mitigate these risks.
“Many companies are incorporating cyber security as part of their workplace curriculum and regularly test the effectiveness of that training, for example, via phishing email testing,” she says.
While doing this, organisations should ensure their cyber education programs also incentivise good behaviour, says Sloan.
“This could include rewarding individuals who identify all the phishing attempts and report them to the organisation’s security operations team. These simple measures can go a long way to creating a security culture and environment where people feel comfortable to come forward if and when they may click on that link,” she says.
When creating training programs, enterprises may also want to look beyond the ‘click’ to identify why an individual has taken certain actions and adjust their responses or training for those people accordingly, says Sloan.
“For example, did they click on the link because the content of the email has elicited a particular response or because they have been pressured by a sense of urgency?” she asks.
Governments across the world have behavioural policy areas – such as Australia’s Behavioural Economics Team within the Department of Prime Minister and Cabinet – to research why individuals do or do not take certain actions or respond to certain messages, says Sloan.
“Some of this thinking could be applied to the cyber security training and education space to help tailor messaging to particular individuals and ensure better security outcomes,” she says.
But Sloan points out that it’s important to remember that we are all human, we all make mistakes and it only takes one click.
“So if your organisation’s corporate cyber strategy is that all users will behave in a certain way or comply with certain policies, you really don’t have a corporate cyber strategy.
“Every organisation must look at preventative measures, ensure they can respond to threats in real-time and leverage automation, as well as understand their cyber security posture through the eyes of the adversary,” says Sloan.
Filling the gaps in cyber training
Cyber safety and cyber security awareness are things that should be taught from school level, says RMIT’s Warren.
He says the Office of the eSafety Commissioner does great work at schools raising awareness around cyber safety and maybe cyber security could be combined with that messaging.
Palo Alto Networks’ Sloan adds that the industry is certainly heading in the right direction with several programs helping to raise awareness of cyber issues while providing students with tools to protect themselves.
But more needs to be done to embed cyber security and technology across the school and university curriculums, she says.
“In the digital era, it’s important that all of our graduates – our lawyers, accountants, doctors and economists – understand cyber security risks, mitigations and how they are relevant to their professions.
“Raising awareness across faculties and disciplines will not only lead to better security outcomes, it may also lead to an interest in further study in cyber. This may help us with our cyber security skills shortage,” says Sloan.
However, there is a ‘pipeline problem’ at the school level, says RMIT’s Warren. If an undergraduate student starts studying cyber security in 2023, they will complete their degree in 2026, he says.
“The issue is that not all universities offer cyber security and it means that alternative courses such as micro-credentials, and other alternative pipelines need to be developed.”
Creating a cyber aware board
From a policy and legislative point of view, Australia has some great foundations to support and enhance cyber security awareness at the board level, says Palo Alto Networks’ Sloan.
There is a range of directors’ responsibilities when it comes to duty of care and diligence around cyber security, as captured in the Corporations Act. The Australian Government has also elevated cyber security risk to the board through a series of reforms to the Security of Critical Infrastructure Act 2018.
These reforms aim to enhance Australia’s national resilience by introducing varying security obligations across 11 regulated critical infrastructure sectors, says Sloan.
“One of the relevant obligations for directors under this Act is that regulated critical infrastructure assets may be required to report to the government annually as part of their risk management programs, which must address cyber security risks.
“This new obligation is expected to elevate cyber security to boards across Australia,” says Sloan.
From a guidance and education point of view, the Australian Securities and Investments Commission has issued statements on cyber guidance, emphasising the importance of active engagement by the board in managing cyber risk. The Australian Cyber Security Centre (ACSC) has also released guidance on questions that board members can ask about cyber security risk management.
RMIT’s Warren adds that CEOs need to be aware of what cyber security is and why it should be viewed as a business risk.
“It is coming to the stage that lack of awareness is no longer an issue. CEOs and their boards also have to understand the complexity of the systems that their organisations are operating, and the risks associated with that complexity,” he says.