In the past 12 months, more than 50% of Australian businesses have been hit by a cyberattack and suffered an average four days of downtime, according to industry report[1]. [J1] Phishing emails and malicious code can compromise computer systems, cut off access to vital data and wreak havoc to supply chains. Depending on the scope of the attack, the consequences range from minor disruption to a total breakdown of business continuity. Lost productivity, reputational damage and depressed revenue growth are among the direct costs.

So, what can organisations do to prepare for, respond to and recover from cyber threats? Having initiated a global transformation of our technology and business infrastructure after experiencing significant cyber challenges in the US, we understand first-hand what's at stake strategically, operationally and financially. Through our lived experience, Equifax has learnt how to strengthen our defences and improve the resilience of our core business services, processes, people and technology.

In our Go Talks podcast (episode 3), we discuss what businesses can do to improve their cyber risk posture. Equifax Chief Information Security Officer Wayne Williamson and Palo Alto Networks VP and Regional Chief Security Officer Sean Duca agree that the following four elements are a great starting point for any organisation.

1. Keep up with security hygiene 

"Any system is an entry point for potential threat actors."

With scale and complexity comes the notion that organisations need only protect their business-critical assets – their crown jewels. The challenge with this approach is that virtually any system is an entry point for potential threat actors. So, while organisations need to classify their assets by importance and apply a set of non-negotiables to those deemed business-critical, the planning shouldn't end here. Organisations should always follow through with the lower end of their cybersecurity stack to build a strategy that is multi-layered.

Crucial to this process is having an information security strategy in place that helps organisations make a habit of their cyber hygiene practices. Included in the design are fundamentals like access management, data management and multi-factor authentication. It's about being proactive and cultivating a threat-active mindset.

2. Foster a culture of security

"Future-proofing your business against cyberattack starts now with a top-down culture."

Future-proofing your business against cyberattacks starts now with a top-down culture. The senior leadership and boardroom are in the best position to champion security as an enterprise-wide priority. When driven from above, it's possible to establish a culture that security belongs to everyone and that all employees should make intelligent decisions to defend against cyber threats.

Collaboration is required between management, teams and individual staff to ensure security protections and processes are followed through at all levels. The growing regulatory burden associated with fighting cybercrime requires a coordinated enterprise-wide approach. The 2020 Critical Infrastructure Bill has expanded from 4 to 11 sectors[2], demanding a higher percentage of companies across Australia pay closer attention to their security measures.

APRA will also be expanding its regulatory reach and coverage, with its 2020-2024 strategy[3] noting plans for a ~96% increase in coverage. This will see their range rising from 680 organisations to ~17,000 banking and non-banking businesses.  Organisations should start preparing now for this increased regulatory burden. The Chief Security Officer should have a clear and direct line to the CEO to plan for what this looks like. Does it require more resources? Perhaps an upskilling of staff?

3. Build cyber resilience

"Computers will be at the frontline of government-backed wars between countries."

Cyber resilience is about anticipating a breach rather than reacting to it. Given the increase in nation-state cyberattacks on businesses, it's likely that computers will be at the frontline of government-backed wars between countries. So, it's essential to understand that cyberattacks aren't going away, and businesses will never protect their networks completely. But what they can do is ensure continuity of operation, so when an attack happens, the impact is minimal.

A core aspect of building cyber resilience is bolstering the whole company to be in the future state, primed from the executive team down to operate with an always-on awareness of potential threats. Organisations should evolve their understanding of the cyber threat landscape over time, continually revisiting their policies, procedures and accountability framework to ensure it aligns with their overarching direction.

Security teams must regularly test the capabilities of their incident response plan with real-time simulated attacks to see how a cyber incident might affect applications, systems and interfaces. Identify any weak points and process gaps before, not after, a crisis hits.

4. Take ransomware seriously

"When you pay ransomware, you're feeding the beast."

Ransomware attacks are escalating, affecting businesses of all sizes across multiple industries. In 2020, 61% of companies reported they had been impacted by ransomware, up by 20% from the previous year[4]. And when a company is faced with the crippling realisation that their files are now inaccessible and can only be decrypted by paying the attacker, many choose to pay the ransom to make the problem go away. Palo Alto's 2021 Ransomware Threat Report[5] shows the average ransom paid for organisations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% increase. In 2020, the highest ransom demand hit $30 million.

It's a difficult decision, but the bottom line is that when you pay ransomware, you're feeding the beast. And it's not even a get-out-of-jail-free card because once you've paid, your organisation is more likely to be impacted a second time. According to a recent global survey[6] of security professionals, some 80% of businesses that chose to pay a ransom demand suffered a second ransomware attack, often at the hands of the same threat actor group.

Notably, it shouldn't be up to the cyber incident response team to wear this decision. A playbook should already be in place outlining the precise plan for what happens when there has been a breach. Playbook content might include projected productivity loss thresholds and reputational impacts to help navigate the way forward.

Find out how we can work together to find new ways to fight cybercriminals with shared information, applied security capabilities and expert partnerships. 

 
Talk to us today

Related Posts

Cybersecurity readiness doesn't come easily. Reacting to a security breach is vastly different from being ready to act should a breach occur. Many organisations haven't previously focused on proactively protecting their critical information assets, but change is coming. The increased sophistication of today's threat actors heightens the chances that more organisations will find themselves the unlucky targets of cybercrime.

 

Read more

Far from lengthening loan application turnaround times, the new Best Interest Duty laws may be the impetus the mortgage industry needs to go digital.

Read more