Despite what we might assume, Australian enterprises are serious targets for cyber attacks. We spoke to Andrew Bycroft of the International Cyber Resilience Institute to address the realities of the situation and how to combat it.
Hi Andrew, can you tell The Big Smoke’s audience a bit about your career so far and how you came to head up the International Cyber Resilience Institute?
My career spans almost 25 years of experience as a cybersecurity professional. For the first 18 years I was quite content working in the technical arena ensuring that some of the most respected organisations around the globe were deploying the latest and greatest technologies to combat cybercrime. There was one major problem with my career up to that point: I was living a lie; technology was not solving the cybercrime problem. In fact, quite the opposite was true. To appreciate the magnitude of the problem I tend to use an analogy because the actual forecasted cost of cybercrime is so mind-boggling it is difficult to comprehend. Today a two-litre bottle of milk can be purchased for around $2. By 2030, a two-litre bottle of milk would cost about $120 if inflation increased at the rate of cybercrime.
I came to this stark realisation as I was getting off a plane from a family holiday overseas. I looked into my daughter’s eyes. She was not quite two years of age back then. I wondered what the world would be like when she reached adulthood, if cybercrime continued to increase at such a rapid rate. That very thought chilled me to the bone despite it being a hot summer day. Then and there I made the decision to change the way I approached combating cybercrime and with four years of extensive research, I discovered that technology could solve a mere 30% of the problem. The other 70% was a psychology problem that spans entire organisations and the ecosystem in which they operate. It can only be fixed with the aid of the board of directors and executives. Over the past few years, directors and executives have come to face the wrath of failing to put the correct measures in place to combat cybercrime, making my discovery and resulting solutions I have developed timely. Creating a series of workshops, assessments and strategies, I launched the International Cyber Resilience Institute specifically to work with directors and executives empowering them with the knowledge and tools to reduce cybercrime to within their tolerance for risk, giving them peace of mind that the personal reputation they have spent their lifetime building will survive the worst cyber breach imaginable.
Your company meets the needs of the global market when it comes to cybersecurity. What is one thing you have noticed about Australian businesses and their views on their IT and security measures?
Directors and executives of Australian businesses are overly optimistic about their IT teams being the white knights that will save the day and protect them from downfall. Unfortunately, IT may put up a solid fight, but it is no match for the cybercrime pandemic. Many of today’s threats sail through the latest technologies, including those technologies leveraging artificial intelligence (AI). This leaves the next line of defence to the people. Even with comprehensive security awareness training, people can often be tricked and fall prey to cyberattacks. This phenomenon is one of many that demonstrates that the core cybercrime problem goes beyond the technology and relates to psychology. IT has expertise with technology; not psychology.
Some organisations have realised that IT does a fantastic job of helping reduce the operational risk that cyberattacks pose and have resorted to a secondary defence of business interruption and cyber insurance policies which help reduce the financial risk that cyberattacks pose.
Does that mean that directors and executives have a complete solution by combining IT and insurance to reduce the risk that cybercrime exposes the business to? Hardly. For directors and executives their personal reputation has been a lifetime in the making, yet in the blink of an eye, one cyberattack can completely destroy it. This is a problem that neither IT nor insurance can address. The former CEOs of Target and Equifax know from painful experience that reducing personal risk falls outside the domains of IT and insurance brokers.
What are the chances of any company in Australia being a victim to a serious cyber breach?
Australian organisations are very much a target for cybercriminals. Four factors align to create the perfect storm:
- a high number of always switched on and always connected smartphones per capita;
- a rapid adoption rate for the Internet of Things (IoT) in which anything with a computer chip inside it, from cars to refrigerators and televisions, will join the Internet;
- a false sense of security held by many directors and executives that there are far more important targets overseas and that they are almost untouchable; and
- the huge earning potential for the average Australian professional which is a direct reflection of the relatively high cost of living.
With these four conditions, cybercriminals see an opportunity for easy money with a moderate amount of effort and a low risk of being caught.
With attacks such as whaling, in which cybercriminals will masquerade as a CEO or CFO and request a monetary transfer to an external bank account to complete a deal; ransomware attacks hijacking computers and locking businesses out of their important corporate data unless they pay a ransom; and the rise of gaining access to business computers and then using these to mine for Bitcoins all providing viable sources of income for cybercriminals, this sets up any Australian business with at least one computer and some data it truly depends on to remain operational, to fall victim to a cyber breach.
Working with clients to help them navigate this space, what is the first thing most clients do when they suffer a breach, that you wish they would stop doing?
Most clients panic simply because they are not prepared. They have not anticipated what a cyber breach would entail and the lack of experience makes them react very spontaneously and emotionally to an incident. This reactive stance rather than a proactive one is not limited to small organisations – even those we entrust our money to, rely upon for clean drinking water and energy, and look to when we are unwell, typically fall into this reactive category. More often than not they do not have well-crafted crisis management plans, and of the few that do, most of those plans may cover what actions to take when a flood or fire hits, but fail to address a cyber breach.
There is a famous quote from Publius Flavius Vegetius Renatus: “In times of peace prepare for war.” This suggests that the best time to prepare for a cyber breach is prior to a breach as this will ensure that the response is thought out and developed using logic rather than emotion. When I run workshops for directors and executives I have them experience what it would feel like, emotionally, to be caught up in a cyber breach, and many of them quickly realise that being prepared earlier would have been far less stressful.
With a reliance on cloud services, how easy is it for cybercriminals to destroy a company’s assets – both commercially and personally?
There are two camps firmly entrenched when it comes to cloud and cyber resilience. There are those that say keep well away, and there are those which believe it is good enough. Of course, in reality, it is not that simple. The actual answer is “it depends”.
For a small organisation that does not have the process, people and technology to protect its assets, using a reputable cloud vendor will increase cyber resilience.
For a larger, well established organisation that has highly sensitive data that nation states or organised criminals would want, yet has mature processes, the best people money can hire and deep pockets for all the necessary technology, then cloud is likely not resilient enough.
Some things to keep in mind when leveraging cloud services:
- even if the cloud service provider chosen takes the idea of cyber resilience very seriously, the weak point is often the connection to the cloud. Why would a cybercriminal go and break into a secure cloud application when the computer used to access it is vulnerable and poorly protected? This is analogous to a bank robber attacking the person who has just taken a bag full of cash from a bank vault rather than trying to break into the vault itself;
- the privacy laws of the country where a cloud service provider hosts data are the laws which are honoured. Even if you may only operate in Australia, if your cloud service provider hosts data in the US for example, US privacy laws apply. Privacy laws in some countries favour the cloud service provider rather than the data owner; some countries have almost no privacy laws at all;
- if a cloud service provider goes bust, it is important you can get access to your data and move it to an alternative service provider;
- cloud service providers should have adequate levels of insurance – professional indemnity, public liability, business interruption and perhaps even cyber insurance;
- cloud service providers should be able to provide attestation that they have had a reputable and independent third party assess their cyber resilience.
Failure to observe these principles could enable cybercriminals to steal, manipulate or destroy your organisation’s data.
Do you think bigger companies face a higher risk than SMEs when it comes to cyber breaches?
I would not say that bigger organisations necessarily face more risk than SMEs. All organisations are exposed to cyber risk, and it differs in the type of cybercriminal that would typically be attracted to that type of organisation, as well as in the types of impact. Industry, geography and size all play a role in determining just how much risk an organisation may be exposed to.
Five elements are essential to achieving a state of cyber resilience which enables organisations to not only prevent as many cyberattacks as possible but also rapidly recover from those that slip through defences. These are culture, communications, processes, people and technology. Smaller companies tend to be better equipped with culture and communications, but larger companies tend to be stronger in the areas of process, people and technology.
Smaller companies would need to be more worried about financial impacts as they tend to have less cashflow reserves, whereas larger companies that are more established should be more concerned about reputational impacts.
Larger companies in industries with highly sensitive intellectual property should be more concerned about nation states and organised crime. Smaller companies are less likely to be specifically sought out and targeted but are likely to be the victims of opportunistic cybercriminals and script kiddies that are new to cybercrime and not as adept at gaining access to an organisation’s data and more likely to create a lot of collateral damage in the process. All companies face the risk of loss of customer data and should be aware whether they need to comply with the mandatory data breach disclosure laws that came into effect in Australia in February 2018.
Many business owners understand the risks to their IT and financial systems, but what about social media? How at risk are businesses when they use Facebook, Twitter and Instagram daily to connect with customers?
Whilst directors, executives and business owners are more familiar with the risk cybercrime poses to their IT and financial systems, many are starting to understand the need to protect their data in social media. The Facebook and Cambridge Analytica news from early 2018 was an eye opener for many directors and executives.
For businesses of all sizes, social media provides opportunities to deliver highly targeted messaging to their ideal audiences and enhance their brand recognition in the process. Brand is amongst the top assets for any business. Like the personal reputation of directors and executives, company brand reputation can be built up over years yet can be destroyed in seconds, and depending on how much damage is done, may take considerable time to recover. Some of the important areas of social media to be aware of include:
- using weak passwords to protect social media accounts makes these accounts vulnerable to password guessing or cracking. Cybercriminals can then post whatever they like and can quickly taint any brand beyond repair;
- allowing third parties to manage social media accounts on your behalf. Sometimes third party marketing companies may take on the mundane and time-consuming tasks associated with identifying new followers and launching marketing campaigns. If their cyber defences are weak, this may enable cybercriminals an easy path into your social media accounts;
- installing third party applications that are malicious. Several Facebook applications have been known to harvest information from Facebook accounts which is then sold to the highest bidder;
- failing to change the default privacy settings may mean that posts intended for a closed or select audience may be broadcast to the world. Even accidental disclosure of information is regarded as a cyber breach;
- failing to read the terms and conditions of using social media. Did you know that most social media platforms own the data that users post?
How do you ensure you are ahead of the game when it comes to knowledge, considering how fast the climate is evolving?
Cybercrime and the methods for combating it are changing at breakneck pace, so much so, that research on what is working and what is not working needs to be continuously carried out. It is important to think about what would be the next logical step for cybercriminals by looking at their continual evolution. It is important to look at the weaknesses which have created war stories and allowed cybercriminals to prosper. Similarly, it is also important to understand the weaknesses that cybercriminals have exhibited which may have gotten their identities exposed.
One of the biggest problems many organisations face is that they have no way of measuring whether what they are doing now is effective, not just from a risk reduction point of view but also from an operational efficiency and return on investment point of view. Many organisations still see combating cybercrime very much as a cost rather than an investment.
Edwards Deming said “You can’t manage what you can’t measure”. It is key to ensure that risk reduction, operational efficiency and return on investment are measured in financial terms so that directors and executives understand how effective measures are at combating cybercrime. I know I am staying ahead of the game if I can demonstrate that the advice I have delivered reduces risk, improves operational efficiency and creates a noticeable return on investment.
What is one question you wish the C-Suite would ask a potential IT security interviewee prior to hiring them?
When interviewing a CSO (chief security officer), CISO (chief information security officer), CRO (chief risk officer) or a CIO (chief information officer) who will be tasked with combating cybercrime, it is important that this role will be able to align their strategy with that of the business and be able to provide clear communications as to the effective rollout of the strategy and be able to measure its progress, such that directors and executives can understand whether they are operating within a tolerable level of cyber risk.
In order to ascertain whether the person they are interviewing can meet those objectives, the question that needs to be asked is:
“How will you measure whether the actions you are taking to combat cybercrime are producing a return on investment?”
And finally, what do you predict Australian businesses will have to face over the next 12 months when it comes to their cybersecurity?
In June 2018 many high profile Australian organisations spent a copious amount of time assessing the impacts to their own operations and employees when a third party organisation and talent management cloud service provider they leveraged, PageUp People, suffered a cyber breach.
Over the next 12 months we are going to see more Australian organisations demonstrate that they failed to be resilient to cybercrime, and the effect that will have on all of those who are employed by those organisations; those who rely upon those organisations for products or services; and those who are shareholders or investors in those organisations.
Until a holistic approach is taken to improve, in order of significance, culture, communications, process, people and technology, more Australian organisations will struggle to combat cybercrime. We may even see a breach of proportions similar to Target or Equifax.
What is important for directors and executives to know is that even if the organisation they operate does not suffer a cyber breach, chances are that an organisation they depend upon may.
For directors and executives of organisations that are the casualty of a cyber breach, if they operate a small organisation, chances are the organisation will perish after a cyber breach; for a larger, publicly listed organisation, the organisation will survive and may even thrive once the negative publicity subsides, but the future and personal reputation of the directors and executives will be uncertain.