Constant vigilance

A cyber breach involving personal information can inflict significant damage on an organisation’s reputation as a data custodian. Experts weigh in on the most effective strategies for keeping information safe.

In the wake of two high-profile cyberattacks against Optus and Medibank that exposed vast quantities of customer data, directors are understandably on alert as to the possible repercussions if their own organisation were targeted. With technology changing rapidly and the nature of attacks becoming more sophisticated, directors must consider whether their cyber incident action plans are up to date and if their data and privacy defences are robust.

“The reality is that organisations today are operating in highly complex environments — and complexity is the enemy of robust security,” says Collin Penman, CISO and security practice leader at Kyndryl Australia and New Zealand. “What this means is that there are many factors that are leaving gaps in organisations’ environments that can and are being exploited.”

Common exposure points include complex architectures within cloud-migrated environments, remote connectivity, multiple security point products, the rapid stand-up of solutions without security, as well as the ongoing skills shortages that can lead to less than ideal cyber hygiene.

Like any other risk

Nathan Wenzler, chief security strategist at Tenable, emphasises that data security is a continuous, whole-of-business process. “You will forever be managing cyber risks, just as you do legal and financial risks,” he says. “You will adjust as the threat landscape changes, the technology changes, the laws change and your own business changes. That’s why you adopt a risk management approach to it.”

Wenzler says many organisations still think about data security in binary terms — that it is either secured or unsecured. In actual fact, the question of a breach is always one of likelihoods. “Unfortunately, even if you can check every checkbox of a regulation and you manage to hit perfect audit responses for all of your privacy requirements, it is still possible that you’ll suffer loss in a data breach. It just can’t be absolute.”

IT security firm Mimecast recently published its State of Ransomware Readiness report, which found that 70 per cent of Australian cybersecurity leaders have reported more attacks than the previous year. One in five sustained six or more attacks — more than in any other country surveyed.

Mimecast Asia Pacific vice-president Nick Lennon is hearing anecdotally that Australian organisations are increasing their cybersecurity spend as a percentage of their IT spend. This echoes the AICD-Australian Information Security Association joint study, Boards and Cyber Resilience, which found that in the past year alone, three in four directors reported increased investment in cybersecurity. A third said it had increased “significantly”.

Lennon is also noticing more frequent conversations about the way Australian businesses are handling personally identifiable information (PII). “The question being asked is why the [data] was being held in the first place,” he says. “We’ve definitely seen that conversation pick up as a result of some of the incidents of high- profile breaches in the past few weeks.”

He notes that until recently, the default position among most companies was simply to retain all data, even after it became obsolete. “If there is no regulatory need to hold the data and it isn’t generating a better service or outcome for consumers and customers, the data should be deleted,” he says. “We’re seeing more organisations being comfortable with the removal of data because they see holding it as a risk. We’ve seen in the recent cyber incidents that there are negative reputational risks to keeping it indefinitely.”

He believes that reducing data storage will become a big focus, and especially as Australia brings its consumer data privacy laws more into line with the GDPR (general data protection regulation) introduced in Europe in 2018 and includes “the right to be forgotten”.

“New privacy regulations will dictate what data is to be retained and what data is not,” says Lennon. “We’ve already got guidelines in many industries.”

In areas such as health, for example, guidelines by the Office of the Australian Information Commissioner (OAIC) exist regarding implied and explicit consent for collecting personal information and the process of de-identifying personal information where necessary. Peloton Cyber Security founder and CEO Scott McKean recommends that the control measures put in place be commensurate with the size of the organisation and the value of the data.

Technology is advancing in the ways that data is identified and classified, which is making it easier and faster — but it remains a complex area.

One option is for companies to retain the metadata to acknowledge that a former business relationship existed, while removing the identifiable content to prevent the possibility of it ever being stolen.

One of the difficulties that companies will need to overcome when undertaking a “search and destroy” of data is duplication. “Often the challenge is knowing how far the data is permeated through the organisation,” says Lennon. “There might be many copies of that same document in six different applications. It could also be in communication platforms like email, or collaboration tools.”

As cloud storage has become more cost- effective, there has been little incentive to delete data permanently. According to Lennon, deletion can actually be costlier, because the process can be extensive and needs to be managed, as opposed to simply doing nothing. “We’re definitely seeing more conversations around this,” he says. “Ultimately, it comes down to the executive feeling comfortable they don’t need the data. Historically, they’ve kept it because they could.”

Beyond compliance

Organisations that treat data protection with the gravity it deserves will likely be perceived favourably by the public. According to Wenzler, merely adhering to compliance requirements may not be enough to avoid a major breach.

“As responsible stewards of customer data, you have to make the smart business decisions around what’s the best way to protect it — even if that means going above and beyond the regulations,” he says. “We’re seeing a trend in customers demanding better security from corporate businesses that they interact with on a day-to-day basis, whether it’s retail, hospitality or the automobile industry. People are getting fed up with having their identities stolen and having to get new credit cards all the time.”

Wenzler says that businesses that are on the front foot and put up the most robust defences enjoy better relationships with their customers and build stronger long-term loyalty.

“Quite frankly, data protection is a marketing benefit. You can tell your customers that you take them seriously, value their business and are protecting their family’s personal information.”

What is a notifiable data breach?

When personal information is lost, or if it is accessed or disclosed without authorisation, it is considered a data breach. Affected individuals must be notified if it is likely to result in serious harm and the organisation in questioned is subject to the Privacy Act 1988 (Cth). In this case, the Office of the Australian Information Commissioner (OAIC) must also be notified.

AICD launches cyber governance principles

On 22 October, the joint AICD-Cyber Security Cooperative Research Centre Cyber Security Governance Principles were published with a launch panel discussion held on 24 October. The principles are intended to fill an identified gap in practical guidance available to Australian directors to effectively oversee and engage with management on this rapidly evolving risk.

Data theft is the main issue keeping Australian directors awake at night, according to the AICD’s most recent Director Sentiment Index survey. Yet the materials available for boards to oversee cyber threats were until recently in short supply.

“We developed the principles because we identified a gap in the market,” said AICD Head of Policy Christian Gergis GAICD. “There was a lot of guidance for management teams and technical experts around managing cyber risks. However, there were very few resources pitched to the board level in terms of how boards can get more confident that their organisation is as resilient as it could be.”

“Cyber is an emerging risk for directors today and it’s moving incredibly quickly,” said panelist Melinda Conrad FAICD, a director of ASX, Ampol Australia and Stockland Corporation — and a member of the AICD Corporate Governance Committee. “Regardless of the size or nature of your business, knowing where to start can be quite daunting.”

Along with a detailed 50-page document on the cyber principles is a checklist for directors of SMEs and NFPs, plus a summary. Governance red flags are signposted throughout.

“Optus and Medibank have indicated that it’s not a matter of if, but potentially a matter

of when a cyberattack will occur,” said panelist Rachael Falk MAICD, CEO of the Cyber Security Cooperative Research Centre (CSCRC).

“A cyber strategy is incredibly important for knowing what your cyber posture is today, where it should be in the future and where your vulnerabilities lie. It involves identifying key digital assets — where they are, who has access to them, and who is protecting them.”

John Mullen AO, the current chair of Telstra, is the former chair of Toll Group, which is the subject of a case study in the principles. During the launch, he shared his experiences when Toll was hit by two major cyberattacks in 2020.

“I carry the scars of the Toll experience, which certainly taught us a lot,” he said. “I don’t think we necessarily had the best cyber protection in the world, but it certainly was up there with most companies. The first lesson we learned is that pretty well everybody is vulnerable. It would be hubris to think otherwise.”

Mullen added that dealing with the day-to-day impact was so challenging, there was no such thing as being over-prepared for it. “We couldn’t track and trace shipments from which customers were invoiced. Our entire inbound revenue stopped, but the costs of 40,000 employees kept running. As a director, my focus switched quickly to a solvency discussion.”

Toll had teams working around the clock, speaking to banks, shareholders and and other stakeholders. The company ultimately recovered from the breach.

What information should you keep?

“The answer depends on where your organisation is based geographically and your industry,” says Nathan Wenzler, chief security strategist at Tenable. Companies with remote employees based overseas may be subject to the regulations and privacy laws of that local jurisdiction, so it is critical to involve legal counsel when making decisions about what data to retain or discard. “It can change very dramatically, even with just one employee based overseas,” he says.

How should it be protected?

“People who interact with data need absolute clarity around how that data should be handled and shared, both internally and externally,” says Scott McKean, CEO and founder of Peloton Cyber Security. “Take a top-down view
of the risks, rather than a bottom-up view of controls. That will inform where you should focus your efforts.”

What basic minimum security is necessary?

“If organisations don’t have basic cyber hygiene practices in place — and many don’t — then they won’t be able to adequately close these gaps and protect their data,” says Collin Penman, CISO of Kyndryl Australia and New Zealand.

As a baseline, he recommends that organisations should be familiar with the “Essential Eight” — baseline mitigation strategies published by the Australian Cyber Security Centre. Penman recommends knowing how the organisation is tracking against each of the guidelines, with a roadmap in place to achieve the maturity level suitable for the environment.

McKean says that he rarely sees privacy impact assessments being carried out by organisations, despite the many benefits it can bring. He believes that while there are a variety of frameworks setting out the minimum level of security required, the need for a robust cyber safety culture remains paramount.

“If we assume that at some point every organisation will experience a breach — the focus will be on how it is detected, contained, eradicated and then recovered.,” he says. “This is so much more about people, processes and culture than it is about the tools.”

Lack of formal oversight on cyber at board level

Although most Australian directors regard cybersecurity as a high- priority issue, a lack of formal oversight at a board level hampers the resilience of Australian businesses, according to a recent member survey by the AICD in partnership with the Australian Information Security Association (AISA).

The Boards and Cyber Resilience study found that 72 per cent of the 850 directors surveyed agree cybersecurity is a high-priority issue for their board. Yet only 53 per cent had a formal cybersecurity framework or strategy in place. Only 36 per cent of SME directors have one, while 45 per cent have an informal strategy. At listed companies, three out of four have a formal framework.

Worryingly, 89 per cent of directors acknowledged their businesses have characteristics making them especially susceptible to a cyberattack, such as holding sensitive customer, client or member data, or providing a service to government. NFP and government sector organisations were more likely than private businesses to have vulnerable characteristics, due to the sensitive nature of the data they hold (94 per cent and 92 per cent, respectively).

The findings aim to guide further education initiatives for directors. Threats are continuously evolving and training uptake rates are too low. Only 44 per cent of directors had undertaken training in cyber risk, and just 23 per cent have appointed directors with cyber skills.

AISA chair Damien Manuel GAICD says boards must rapidly increase their ability to respond to cyber incidents or risk adversely impacting reputation and trust levels with customers and suppliers. “The pandemic has pushed many organisations to digitally transform without the appropriate level of information and data governance and oversight,” he says. “Cybersecurity needs to be aligned to the organisation’s business objectives and strategy. It should be seen as a business enabler, not a standalone function. It should be integrated at a people, business process and technology level. At the end of the day, it’s a risk we need to manage in our personal and work lives.”