Cyber security has become big news – and with good reason. So what are the key foundational areas that business leaders need to seriously consider to avoid becoming the next weakest link in their supply chain?
Business leaders are being asked more and more about what they are doing to tackle cyber security. Those who don’t take cyber security seriously are today’s biggest business risk factor – the weakest links in the supply chain and a potential anchor to business productivity.
After major global ransomware attacks – WannaCry and NotPetya – hit a number of local businesses earlier this year, we recently heard the cautionary tale of a local defence subcontractor infiltrated by a hacker.
This incident, which made worldwide news, concerned a small engineering firm of about 50 employees, with just one IT staff member. That could describe a great many Australian businesses. This incident should therefore set off alarm bells for many business owners.
They may have thought “my business is too small to attract the attention of hackers” – but that is a myth. Small or large, everyone is a potential target and nobody can presume themselves safe.
I recently visited the Australian Signals Directorate to hear a presentation including the following:
- 75% of major cyber security threats facing large Australian businesses involve ransomware.
- Australia ranked second highest in the world for the number of ransomware detections in 2016.
- One third of Australian businesses have been subject to Distributed Denial of Service (DDoS) attacks.
- DDoS is also used in conjunction with ransomware.
- A recent ransom operation demanded 20 Bitcoins, (AU$97K) to stop DDoS against an email service.
- Cyber adversaries are increasingly stealing IP and conducting industrial and economic espionage.
- It is estimated that USD$700 billion in raw innovation is stolen from US companies each year.
These sorts of incidents are just the tip of an evolving cyber iceberg. If businesses do not act, it is only a matter of ‘when’ and not ‘if’ this will happen to them. So what are the key foundational areas that business leaders need to seriously consider to avoid becoming the next weakest link in their supply chain?
Foundation 1: Cyber leadership and culture
A modern mantra in the business world is that cyber security is a boardroom issue. But what does that really mean?
While the forthcoming mandatory data breach notification law has good intentions behind it, we suspect that many businesses will likely treat this as a compliance issue. That would be a pity.
Rather than mere compliance with an inscrutable mandate, companies would do better to take cyber security seriously as a business discipline.
Like OH&S, if you treat cyber security as an internalised management discipline rather than merely as a compliance task, you stand a better chance of making it part of your organisational culture.
And there are good business grounds for doing so:
- i) Poor cyber security costs money.
When a cyber attack occurs, a company’s operations could be disrupted, leading to lost time in production, repairs, potential regulatory fines, legal costs, and insurance premium increases – not to mention the very real costs of customer reactions and reputational damage.
There is another emerging financial implication of cyber security too: the ability of companies to raise capital. Consider the recent data breach of worldwide consumer credit reporting agency, Equifax, which saw its share value plunge by 24%, wiping out approximately 18 months of share price growth.
- ii) Supply chain selection.
Cyber security is increasingly becoming a key selection criteria of business partners in contracts and tenders, locally and overseas. This is most obviously the case in suppliers to the defence sector, but it is becoming commonplace among large primes in many fields.
iii) Social licence to operate.
Companies or industries with an indifferent attitude to cyber security incidents may increasingly find that this does not win fans among consumers or politicians, particularly if there are privacy breaches to explain.
To draw on the example of the Equifax case, the entire credit data industry is now subject to more regulatory scrutiny.
Foundation 2: Cyber education and skills
If businesses can put the right leadership culture in place, the second cyber foundation they need is workforce capability.
The first skills issue that usually springs to mind in this context is the need for the IT skills to understand what cyber security technology and services are relevant to the business.
But cyber security is more than just the IT department, and we are only as strong as our weakest link. This means good cyber hygiene across the entire organisation.
The Australian Signals Directorate has developed Strategies to Mitigate Targeted Cyber Intrusions in support of the Australian Government and also industry partners. And as a start they recommend the implementation of the Top 4 mitigation strategies as a package to prevent at least 85% of targeted cyber intrusion incidents.
There is also an opportunity for Australia to build a more innovative and competitive industry in cyber security itself. AustCyber (also known as the Australian Cyber Security Growth Network) has been tasked with this responsibility.
But this industry’s success will be hamstrung without access to strong technical and foundational skills in cyber security. This starts with better coordination of Science, Technology, Engineering and Maths (STEM) activity in our schools, and continues with the government’s innovation initiatives in the VET sector and improved practices around work integrated learning (WIL) for both undergraduate and research students in higher education.
Closer connections between universities and business will also lead to better equipped graduates – which leads on to my final foundation for cyber security.
Foundation 3: Collaboration and partnerships
In responding to modern cyber security threats, it is critical that collaboration is encouraged in a safe environment where businesses can share threat information without being punished.
Traditional forms of regulation have been criticised for being inflexible and slow to respond to rapidly evolving threats. Governments tempted to over-use these regulatory sticks need to consider a different approach.
Cyber crime is also a global issue, requiring governments to work together more frequently – while managing their different values and approaches to issues like privacy and national security.
The fast pace of technological change also forces companies to rethink their business models. Some businesses realise that they may not be able to offer everything the customer requires in-house. Developing new capabilities themselves can be expensive and risky; partnering can be an attractive alternative.
In Ai Group’s surveys of Australian CEOs and leading Australian innovators, we have found that Australian businesses are collaborating to innovate more frequently than is often recognised – but that we are still well behind most OECD countries on this front.
Governments can play a role by improving the incentives for collaboration in public sector research funding, and maintaining stable support for innovation overall. And researchers can help bridge the cultural divide with business and ensure their approach to IP encourages partnerships rather than undermines them.
But the clearest path to better collaboration is for businesses to learn the practices of those who already collaborate well. As our research shows, these businesses make collaboration a process that is carefully considered and iterated for success.
Ai Group is encouraged by evidence of progress on each of these key foundation areas. The Federal Government has recently launched its International Cyber Engagement Strategy, and we are pleased to see global issues like digital trade and cyber crime included as priorities in this Strategy.
Taking action on these three cyber foundations – cyber leadership and culture; education and skills; and collaboration and partnerships – will help industry take the next step.
This is an edited version of a speech delivered to the Australia-Israel Chamber of Commerce (WA) in Perth on 3 November by Ai Group chief executive Innes Willox.