With the rise of digitised business models and the relentless evolution of cyber threats of various sources and scales, it is now more imperative than ever for cybersecurity measures to be in place. This applies to both domestic and international businesses when safeguarding their data and networks, and to maintain operational efficiency and trust with customers and partners.
How exactly do cyber threats affect international businesses? How should a business respond in tackling cyber threats? How would these businesses mitigate cyber security risks?
These are some of the questions addressed by the GRCI Panel where Sekuro Chief Growth Officer, Shamane Tan, joined as one of the global industry experts. Together, the panellists discussed the relevance of cybersecurity issues for domestic and international businesses.
Shamane among the panellist with Jonathan Armstrong, law partner at Cordery (London), Dudley Kneller, law partner at Gadens (Australia) and Ben Symons, Barrister at The 36 Group (London), moderated by Naomi Burley, CEO at GRC Institute.
Why should Compliance Professionals care about this topic?
For businesses to preserve their value and growth, compliance is an important foundation upon which a company’s reputation is built. However, as different stakeholders are involved in a company’s growth journey, it is important to understand their perspectives, and also to be able to communicate the “why” to them.
In the session, regulations like GDPR were mentioned, where the panel highlighted the observed trend of growing expectations of regulators in terms of incident response in the event of a data breach. Regulators seem to be conducting stricter interviews and investigation and organisations are expected to have proper reporting and experts to ensure compliance and cybersecurity
What are the new or ongoing cybersecurity issues affecting businesses?
Ransomware attacks remain one of the top malicious cybersecurity issues for the year 2021, followed by COVID-19 phishing activities and cyber attacks on remote workers. Other worrying trends include:
- third-party attack (or supply chain attacks) incidents, when a system is infiltrated through an outside partner or provider who has access to a business’ systems and data, and
- data breaches caused by insider threats such as Business Email Compromise (BEC).
While these may not be new issues, they have resurfaced and been widely highlighted over different periods in time, depending on the political seasons or impact of different economical drivers.
Cyber threats can originate from a variety of sources. While not exhaustive, the possibilities range from criminal gangs and nation-state sponsors to individual hackers, corporate spies, and malicious or negligent insiders.
As businesses continue to be dependent on technology and the internet, business owners worldwide need to understand that cyber risk is also a business risk regardless of their business size. This risk becomes exponentially higher especially if a company starts growing in reputation and size, as the computer networks and servers of big companies are attractive targets for hackers.
What are the possible impacts to businesses?
The most devastating impact on the brand and reputation of any business includes the erosion of customer trust, incurring fines, and loss of jobs or customers. While destroying trust through a cyber attack is easy, rebuilding that faith from customers can be an arduous, drawn-out process. Also, in the event of a ransomware attack, high ransom payments maybe demanded and that even when payments are made, the compromised data may not be recovered.
Tips In Mitigating Risk
1. Have a Robust Business Continuity Plan (BCP) and practise it consistently
In Shamane’s latest book ‘Cyber Mayday & the Day After', she highlighted the practice the Group CISO of Standard Chartered Bank, Yuval Illuz, put in place to maintain cyber resilience. He shared that in addition to the crisis management simulations that the team runs, he also implements near miss exercises, which are based on recent cyber incidents (even though they might not be affected). This has helped the company significantly in identifying areas for improvement, and being better prepared for the next attack.
2. Security Culture is Crucial
It is important for everyone in an organisation to recognise they can be as strong as their weakest link, which are often humans. With the possibility of human error and negligence, it is easy to classify them as an insider threat. Businesses, however, need to recognise that these very same people could also be their strongest first line of defence if a healthy security culture can be cultivated.
3. The four types of risk mitigating strategies include risk avoidance, acceptance, transference and limitation
Fundamentally, it is important to understand the mission and values of the business. Effective execution requires a good understanding of the risk perception of a business, and then being able to influence the people to achieve a meaningful outcome. It involves knowing the best practices to overcome apathy in businesses.
As mentioned by Dudley in the session, it is not the question of if, but the question of when.
Organisations need to be prepared for cyberattacks, starting with cybersecurity basics to build their cyber resilience program, hence increasing their cyber maturity. To add on, organisations looking to level up their cybersecurity can engage offensive security services like Red Teaming to identify the unknown vulnerability and areas of improvement. This also includes having incident response playbooks prepared for in the event of cyber attacks.
When is it ok to accept the ransomware fine and accept the risk?
Should it be paid, or should it not?
There are many factors and risks to consider in the instance a ransom is in demand.
In most cases, organisations do not know whom they are dealing with, where cybercriminal gangs can have different “codes of conduct”. There is no guarantee that the hackers will hand over the lost/compromised data after the organisation make the payment. There are instances where the functional decryption key is not returned after making the payment. Furthermore, even if the hackers return the keys, the organisation might face difficulties recovering and restoring all the data.
There are also high costs involved. Besides ransom payments, organisations also need to consider the fines and enforcement actions from regulators that come along in a data breach from a ransomware attack. However, sometimes, it is not only about the fines, as there are non-quantifiable impacts such as customer trust, as discussed earlier. In a scenario that involves a loss of lives, it will be a different situation altogether.
The panel also highlighted the possibility of legal implications where ransomware payments to hackers might contravene with sanctions regimes and regulations that are in place to deter such payments — for example, UK Financial sanctions for North Korea. This is because hackers can use ransomware payments to fund their activities by identifying zero-day vulnerabilities or nurturing talents to conduct more cyber attacks.
A suggestion for businesses looking to mitigate the impact of a ransomware fine would be to look into cyber insurance or other risk transfer options, which largely depends on the business’ risk appetite.
Conclusion
An important point Shamane brought up in one of her recent talks is that living with cyber-attacks is akin to being in an unwilling game of chess, where a player cannot control when they will be brought into the game. No system is infallible, and every business must always be vigilant and be prepared to respond to cyber attacks. If a business wants to be strategic, a proper cybersecurity system and response should be practiced to enable them to take control at the beginning, and set themselves for a higher chance of saying “Checkmate”.
Thank you Camms, LexisNexis UK and LexisNexis Pacific for organising and inviting Sekuro to this discussion panel!
About Sekuro
Founded by four of Australia’s leading cybersecurity organisations (CXO Security Pty Ltd , Privasec , Solista and Naviro), with a commitment to continuously researching and developing leading-edge capabilities, Sekuro is ideally positioned to help organisations Trust Tomorrow. We provide fully integrated end-to-end security services with high standards of accountability and care, offering an unprecedented client experience and aiming to turn every client into a #clientforlife.
Meet the Speaker
Shamane Tan
Shamane Tan is one of the most established women in the fields of technology and cybersecurity. As the Chief Growth Officer at Privasec and Sekuro, she is responsible for leading the security outreach strategy with the C-Suite and executives. Recognised by IFSEC as one of the global top 20 cybersecurity influencers, the ‘Cyber Risk Leaders’ author was also recently listed in the 40 under 40 Most Influential Asian-Australians and Top 30 Women in Security ASEAN Region 2021. A TEDx speaker and podcaster, Shamane is also the Founder of Cyber Risk Meetup, an international community and platform for cyber risk executives to exchange learnings.