According to the report, from professional services firm MinterEllison, cyber security can no longer legitimately be considered the domain of IT alone. It warned that cyber attacks can adversely affect other businesses in the supply chain, compromise the privacy of millions of individuals, and threaten economic well-being and national security.
“Yet business is not responding quickly enough,” warned Paul Kallenbach, MinterEllison technology partner and cyber expert.
“Cyber attacks can entirely shut down businesses, causing significant (and sometimes irreparable) damage to corporate and government reputations, relationships and systems.”
The MinterEllison ‘Perspectives on Cyber Risk’ Report 2017 revealed:
- A 100% jump in C-level concern about cyber incidents;
- One third of boards rate cyber risk in their "top five"; and
- Increased uptake of cyber security insurance.
According to Kallenbach, the 12 months since the release of the MinterEllison Perspectives on Cyber Risk Report 2016 had seen some of the most “devastating cyber incidents yet”.
“Every kind of organisation — government, state owned enterprises, public and private companies and not-for-profits — has been affected. In every industry — from finance, retail, hospitality and healthcare, to mining and resources, utilities, professional services and education — it's clear that no-one is immune.”
Kallenbach said that the rising risks associated with cyber attacks were being driven by the growing volume, scale and sophistication of the cyber security threat, in addition to an increasingly onerous Australian and global regulatory landscape.
He also pointed to an increase in organisational interconnection and interdependence as a result of the rapid adoption of cloud-based technologies.
“Cyber security has well and truly transcended the realm of the technical,” Kallenbach said.
“It is now a business, economic and national security priority, which requires that a culture of cyber resilience be woven into the fabric of public and private sector organisations' overall risk management approach.”
Referring to the 2017 report findings and concerns, Kallenbach pointed to a number of high profile incidents that occurred during 2016, including a US$81 million cyber heist involving an attack against global financial messaging system SWIFT, as well as:
- large data thefts from social media networks, including Tumblr (65 million accounts), LinkedIn (117 million accounts), AdultFriendFinder.com (339 million accounts), Myspace (427 million accounts) and Yahoo! (500 million accounts);
- the attack against Panamanian law firm Mossack Fonseca, which resulted in the theft of more than 11 million documents, the subsequent resignation of Iceland's prime minister, and ongoing investigations into numerous organisations and individuals (including a number of world leaders);
- distributed denial of service (DDoS) attacks against security researcher Brian Krebs, French media company OVH, the Rio Olympics online presence, the Australian Bureau of Statistics eCensus website, and domain name server company Dyn. The attack against Dyn was particularly devastating, disrupting internet connectivity for around 70 companies, including giants like Twitter, Spotify, PayPal, Airbnb and Reddit; and
- the accidental exposure of the personal information of around 550,000 blood donors by the Australian Red Cross.
“Our ‘Perspectives on Cyber Risk 2017’ highlights the need to embed cyber resilience in every organisation, yet key findings suggest this isn’t happening,” Kallenbach cautioned.
“In our board survey, 44% of organisations responded that the board is only briefed on cyber security issues annually or on an ad hoc basis, while 13% of organisations said that the board received no briefings at all.
“In our CIO survey only 52% of respondents indicated their organisations had increased their expenditure on IT security over the previous 12 months, and that shows little change from the 2016 Report findings.
“Cyber resilience should be a key focus area for all organisations in the next 12 months. This requires deep board-level engagement with cyber risk; identifying the extent of the organisation’s exposure to cyber risk (including due to supply chain risk); developing, implementing and testing procedures to protect the organisation from cyber incidents; and being able to deploy the resources (both technical and human) to identify a cyber incident in a timely manner, and to respond to and recover from an incident.”
Key findings from MinterEllison were:
1. Awareness of cyber risk has increased as the problem grows – but concrete actions have not changed;
2. Despite concerns about the increasing cyber threat, organisations remain complacent about reviewing and testing their own cyber resilience (and the cyber resilience of their suppliers);
3. Cyber security is still (wrongly) seen as being primarily an IT issue;
4. The privacy landscape is changing – both in Australia and overseas; and
5. The increasing uptake of cyber insurance indicates some willingness to act on managing cyber risk.