A must for regulators, executives and boards
Although the Australian Securities and Investments Commission was hit by a cyberattack just over a year ago, and several other high-profile ransomware attacks have occurred in recent years, many local organizations – public and private – remain vulnerable to cyberattacks that are increasingly sophisticated and constantly proliferating.
The immense challenge posed by cyberattacks and ransomware will only get worse in 2022, forcing governments, industry bodies, organizations of all kinds and sizes, regulators and policymakers to act decisively or to face serious ramifications, such as loss of income or the removal of those who are complacent.
Cyber threats and ransomware are becoming a digital scourge, as COVID-19 continues to disrupt the entire economy and more and more organizations are forced to allow information to be shared remotely and across the value chain.
At the same time, the pandemic has accelerated organizations’ reliance on technology and the adoption of data-driven applications, which generate more data to manage and protect, increasing the risk and fallout of being affected by ransomware.
This is a perfect storm for attackers, who continue to profit from this disruption and the proliferation of data, with attacks on the financial sector – for example – increasing by 238% globally at the start of the pandemic (according to VMware Carbon Black).
The cost of a data breach now exceeds $1.59 million, or 38% of the total cost of a breach, according to IBM and the Ponemon Institute, with ITIC research finding that IT downtime costs now over $300,000 per hour for 91 percent of organizations, demonstrating why no organization can afford to be “down” or offline due to a cyber attack. And that’s before their brand reputation comes into play.
So how can organizations ensure business continuity when they are constantly generating more data, whether by choice or necessity, in the age of ransomware?
The answer lies in adopting a “cyber-resilience-first” mindset, which starts with organizations understanding that data management, as a core element of data compliance and risk management, needs to move from an IT concern to a board and management priority, just as cybersecurity has become a priority for boards and executives over the past five to ten years.
This change in approach and thinking is crucial because business continuity, now and in the future, will depend on an organization’s ability to become cyber-resilient.
What is cyber resilience and why is it important? Simply put: it is the concept that an organization can consistently deliver the desired results despite adverse cyber events.
If cyber resilience becomes the goal, the focus is on doing business securely, which helps to change the way governance and data protection issues are addressed and what a security posture must cover.
This approach will not only help maintain business continuity and avoid disruptions to their customer offering, but it will also allow organizations to minimize risk and meet regulatory expectations.
Like many other governments around the world, various Australian governments and their agencies have responded to increasing cyber threats and the need for data governance by rightly refining regulatory frameworks and increasing requirements for protection, privacy and data security of all organizations.
The Australian Prudential Regulation Authority (APRA) is making great strides to encourage a greater focus on data governance and cyber resilience, which includes its recent announcement requiring “…a number of general insurers to review the strength of their risk management frameworks in light of recent issues with business interruption (BI) insurance.”
Similarly, the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) are now among the leading such bodies in the Asia-Pacific region.
The OAIC implemented the Notifiable Data Breach Act and program in 2017, and the ACSC continues to update its “Essential Eight Maturity Model,” which serves as the foundation for cyber threat mitigation strategies. These initiatives, while excellent on their own, should serve as a springboard to encourage adoption at economic scale and a focus on building cyber resilience.
However, adopting a “cyber-resilience first” approach in private and public organizations is not the sole responsibility of government: organizations must prioritize it within their own leadership and governing bodies, be it a government department or a private company.
This is especially true considering that cybercrime is evolving and mutating at a much faster rate than mandated government initiatives, legislation and regulation. APRA’s latest Insight report, titled Improving Cyber Resilience: The Role Boards Should Play, emphasizes that more action needs to be taken by organizations at the function, leadership and board level:
“APRA’s observations from the CPS 234 assessment and its oversight activities found little evidence that boards actively review and challenge information provided by senior management on cyber topics.
“In many cases, APRA has observed that management reporting on information security to the board is not fit for purpose and unlikely to facilitate meaningful discussion. For example, APRA has identified that some boards do not receive information about the effectiveness of information security control testing.”
This is alarming given organizations’ varying legislative and regulatory requirements for governance, storage, and data protection, not to mention that Gartner’s 2021 board survey found that regulatory compliance risk was considered the highest source of business risk internationally.
It also demonstrates the clear need for organizations and their leaders, both at board and executive level, to come together in a collective approach or philosophy to meet their data protection obligations.
Gartner also predicts that over the next three to four years, more than 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.
However, organizations simply cannot wait three or four years to prioritize cybersecurity and data protection beyond their IT or security teams if they are to meet regulatory expectations, respond effectively to cyber threats and ensure business continuity.
Tomorrow’s winners and losers will be decided by those who can best leverage their data to capitalize on the insights it provides, while adequately governing and protecting it.
Adopting a cyber-resilience approach is fundamental to business continuity and economic competitiveness in the digital age, where data is every organization’s most valuable and vulnerable asset.
The challenge for Australia is to get our organizations, their leaders and boards, their governments and regulators to collectively strive to make cyber resilience a core organizational attribute.
Derek Cowan is Director of Systems Engineering for Asia Pacific and Japan at Cohesity.