Cyber strategy revisited: 2022’s new M.O.

With cyberattacks rapidly increasing in prevalence and sophistication, experts say it’s time for organisations to take specific steps to develop a risk-based approach to cybersecurity.

At the end of a recent board briefing on cybersecurity by Microsoft Australia’s national security officer Mark Anderson, a director asked him a question that made him stop and think: how is it possible, they asked, to know when enough money has been spent on cybersecurity measures?

“He was basically asking me, ‘What do we need to spend in order to make this problem go away?’,” says Anderson. “On the surface, it sounds like a simple question. But cybercrime isn’t a problem you can simply buy your way out of. Even the world’s largest organisations and governments with eye-watering budgets are still being successfully attacked.

“Don’t get me wrong — more money allows you to buy the best tools and capabilities. But it doesn’t provide guaranteed security. There are so many other factors at play.”

How, then, should boards assess the level of investment needed to tackle the problem? It is estimated that cybercrime cost Australian businesses an estimated $33 billion last year. According to a report by the Australian Cyber Security Centre, these losses were the result of 67,500 instances of cybercrime — and the actual figure may be far higher than the official number reported.

Anderson believes an investment in cybersecurity should match an organisation’s risk appetite. If the appetite is low, then a significant investment in people, processes and tools is required until the leadership team feels comfortable that all reasonable steps have been taken to minimise risk exposure.

Be specific about risk

Due to the rapid digital transformations that organisations around the world are undergoing, the cyber threat surface has expanded. This has provided impetus for the uptake of a risk-based approach to cybersecurity.

“For a long time, organisations have relied on compliance-based approaches as a way to measure their cyber readiness,” says Anderson, acknowledging that compliance remains useful to show a level of cyber maturity. “It’s a standard others can relate to, which is important today when communicating your role in securing the supply chain to customers and suppliers.

“However, compliance standards aren’t necessarily specific to your organisation. A standard may be specific to your vertical, but not specific to the threats your business may face in that particular industry.”

When developing a risk-based approach, on the other hand, organisations start by identifying and prioritising cyber risks in order of importance.

What can’t you live without?

A cyber incident could range from something inconvenient that weakens profitability, to a catastrophic attack that wipes out operational finance systems and erases all backups. Predicting the severity of a potential attack is impossible, says Aaron Bugal, global solutions engineer at Sophos.

“For many businesses, anticipating what threats are going to be coming out next is a bit of a fool’s errand,” Bugal says. That’s why organisations need to focus on what is important to them. “What could they not live without, such as if a line of business application went down, or a revenue stream stopped? What would be their next play? How would they regain the confidentiality, integrity and availability of any compromised information?”

Experts say cybersecurity is so integral to business operations, it should sit with financial and regulatory risks in the enterprise risk framework. “Cybersecurity is sometimes glossed over because it’s perceived as being too technical, or it’s seen as an IT problem,” says Nick Lennon, country manager at Mimecast Australia. In 2022, insists Lennon, a higher level of education on cyber risk is needed at the board level.

Anderson agrees, pointing out that in a major cyber event, the technical response from the IT team is only a small part of the overall solution. “There will be people dealing with the press, informing regulators, working with law enforcement, communicating to customers that their data may have been lost or stolen, and dealing with cybercriminals who are trying to extort your business,” he says. “The actual response is a whole-of-business response, with a raft of people involved.”

Prevent now or pay later

Calculating the return on investment of cybersecurity measures is inherently difficult: it involves contemplating a hypothetical cybercrime that didn’t occur, due to the defences that were put in place. However, Lennon contends that investing in upfront protection is likely to lead to far better financial outcomes than having to pay a ransom and deal with the fallout of an attack.

“While we tend to think of investment in cybersecurity as a necessary evil, I encourage people to see it as a business benefit,” urges Anderson, who points out that a strong security posture can provide a competitive advantage. “An organisation that invests in cybersecurity and does its best to protect the supply chain is more attractive to potential customers and suppliers.”