The federal government’s decision to spend $1.6bn boosting Australia’s ability to repel cyber-attacks might have highlighted the risks they pose to the economy, but security partners say that some customers still struggle to understand the scale of the threat and manage it appropriately.
It was a trend that generally became more pronounced the smaller the business, they said. However, even in larger organisations, board-level support for company-wide measures to tackle cyber security breaches was still far from universal, as cyber leaders continued to grapple with stubborn communication barriers.
And they say that these problems are exacerbated by the evolving and mercurial nature of cyber threats.
Aaron Bailey, chief information security officer for Sydney IT services provider The Missing Link, said that while business leaders understood that cyber-attacks had become a part of the commercial risk landscape, some still weren’t taking them seriously enough.
“(Business) leaders are becoming more aware of what a cyber-attack could look like. However, there is still a trend of underestimating the likelihood, true cost and effort of responding to and recovering from a serious cyber-attack,” Bailey said.
That concern was echoed by Unisys’ industry director for cyber security, Gergana Winzer, who said that the ability to translate awareness of cyber-attacks into a dollar value was a “huge gap” for Australian business leaders. And given the evolving nature of cyber threats, and the fact that they can impact organisations in unique ways, she said it’s not a straightforward calculation.
“That is why we have developed solutions for them to be able to put a dollar figure next to the risk and be able to calculate the financial impact in case of a cyber-attack by correlating the gaps to real threats and probability, and calculating the dollar value associated to a risk relative to their organisation,” Winzer said.
“The biggest gain in this game is the ability for them to bounce back from an attack quickly which translates into resilience. Resilience is the new black,” she added.
Paul Glass, chief executive officer of cloud and networking security specialist Nexion Group, said that cyber security diligence was higher among business leaders who had experienced breaches firsthand.
“I believe that large global enterprises understand the risk and costs associated with a cyber-attack, but I am a firm believer that until a company has been directly impacted, there is a continual lack of immediate attention to a whole-of-fabric network solution, staff education and intracompany communications,” Glass lamented.
Glass said he was constantly surprised at how often companies turned down the opportunity to conduct staff awareness events.
“We don’t let someone drive a truck without a licence or step on a mine site without having done the required onboarding. Bar staff have to complete a responsible service of alcohol course, so why do we simply hand over the keys to our entire company without providing support and training?” he said.
“This needs to be a part of the business’s ongoing activity, not a once-a-year event,” he added.
Bailey echoed those concerns, saying that organisations needed to foster a “security conscious” culture.
“We are not quite there yet with most organisations, but we are seeing efforts to achieve this level of security culture integration,” he said.
However, he said that in some cases there was still a disconnect between the CISO’s office and senior leaders that could be holding back their efforts.
“While we have seen some cyber teams becoming more effective in reporting risks to the executive leadership team and securing more executive level endorsement and support for key cyber security initiatives, we still see some cyber security leaders, who are quite often technically minded, struggling to gain executive level support,” he said.
Recent cyber security research conducted by Unisys found that while 69 percent of CISOs believed cyber security was part of their organisations’ business plan, that view was only shared by 27 percent of CEOs.
“Lack of communication is a fundamental cause of this type of disconnect between the CEO and CISO. Not every pair of CEOs and CISOs know how to, or even like to, talk to each other – they don’t share the same language and might define what constitutes a breach very differently,” said Winzer.
However, Glass said he was concerned that business leaders were struggling under the weight of a new phenomenon brought on by the pandemic: new attack vectors arising from work-from-home provisions and the increasing importance of mobility more generally.
“My concern is fatigue. With so many risks to business, market headwinds and staff morale low, cyber security should be at the forefront for all business leaders, but fatigue has set in given the scale of the pandemic and the volume of offers in the market,” Glass said.