Cyber Security. Those two words seem to be on repeat. Everywhere we turn in the tech space, this topic, despite being discussed extensively, just seems to get hotter.
Last month saw the Waikato DHB fall victim to a “war” it didn’t see coming. The theory is that an email attachment was opened and, if so, one click was all it took to bring five hospitals to their knees. Employees were underpaid or not paid at all, cancer patients were shifted to other regions, procedures that required digital imaging were rebooked and doctors were pushed to rely on hard copy records and whiteboards to commence treating patients.
The extent of the damage and the cost to the government and insurance companies are still to be determined, as experts weigh in that the “war” is far from over. As cyber security heroes work tirelessly to put out the “fires”, the looming fact is that even once all workstations and software are restored from backups and systems are up and running, the risk of all patient information being released online is still very real.
The money motive
Simply put, a large government organisation was infiltrated by hackers with one motive. Money. According to a recent cyberwarfare report, by 2025 cybercrime globally will cost businesses USD$10.5 trillion annually. And if the theory of human error, one small moment of misjudgement, a single motion of a finger on a mouse, is what’s to blame, it reinforces that, without a doubt, alongside health and safety, cyber security and awareness should be the top discussion points on every business’s risk register.
At times this topic brings about a sense of scaremongering, with businesses of all sizes still embracing the approach of “she’ll be right” or “there’s no reason for us to be targeted”. In fact, the above comparison to a “war” might seem excessive to some. But there are staggering stats showing that over 50 percent of businesses across all industries in NZ were successfully targeted by a ransomware attack in the past 12 months, and one in five of those businesses stated the attack caused serious disruptions to their operations.
Cyber security should be a priority
It is cause for alarm that, in discussions with many business owners and decision makers, Cyber Security still does not rank as a priority. We look at the importance of Health and Safety in the workplace because it is pivotal to keep our people safe, but if our business operations, funds and IP aren’t safe, how do we ensure the continuation of business as usual for those we employ or service?
Cyber Competency in a permanently digitally connected world is becoming a skillset required of leaders and employees of organisations, and it’s evident that Cyber Security is no longer an IT duty, but that of the entire organisation, no matter the size. Breaches can be achieved through hardware, software and, of course, the largest risk at hand, human error. As health and safety does, cyber security too requires a framework: one of assessment, commitment, action and culture.
Taking into consideration what the critical areas to protect are in your business, and what the implications would be if you were to lose your data assets or if your business operations were to be down for any length of time, will help assess what security measures you have in place and where there are gaps. This enables you to act and put a framework in place for security measures, training and a security “playbook” to follow.
Committing to this Framework means creating a culture of cyber security awareness. That means demonstrating your commitment through educating staff and ensuring that there is a healthy, sustainable security culture. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.
The World Economic Forum Principles of board governance of cyber risk suggests some considerations for organisations to integrate and support strategic and security goals:
- Appointing a security officer or, more commonly, outsourcing the role. This role carries the responsibility to ensure a comprehensive plan (playbook/blueprint) exists for data governance
- Inspiring a cyber security culture
- Reviewing cyber security function, performance and accountability
- Setting the expectation that cyber risk is an important part of business longevity and continuity
Regular reviews of your framework and cyber management plans should be conducted, as technology and the sophistication of attacks are ever changing. Regular and ad hoc internal and third-party audits should also be performed on the effectiveness of cyber risk management and recovery plans. How is your plan looking and has it been tested?