Cyberattacks: think 'when', not 'if'

But a rising issue for many companies is they still lag behind the increasingly accepted view that cyber security is a business as usual (BaU) issue - and still plan for 'if' and not 'when' a significant cyber-attack may occur.

"The challenge of securing a computer network supporting thousands of employees across multiple countries is increasingly complex."
Steve Glynn, Global Head of Information Security at ANZ

As PwC noted in their recent Global State of Information Security survey, cyber security is now a “persistent business risk.”

“It is no longer an issue that concerns only information technology and security professionals,” the report said. “The impact has extended to the C-suite and boardroom.”

And so it should. The survey reinforces anecdotal evidence and media coverage - security incidents continue to soar, growing 66 per cent since 2009.

Verizon's 2015 Data Breach Incident Report mirrors these findings, supporting similar increases in both the frequency of cyber-attacks, and resultant loss of data. The report estimates a 34 per cent increase in cyber-attacks in Australia last year.

Since not all countries have mandatory data breach disclosure (where organisations are obliged by legislation to advise they have been the subject of a successful cyber-attack), the true cost is difficult to calculate.

In a study by the Ponemon Institute, commissioned by IBM during 2015, they estimated total average costs up from $US3.5 million to $US3.8 million per data breach. Verizon puts the cost at anywhere between $US250,000 to $US8.8 million depending on the number of records involved.

This excludes the cost of reputational damage which in many cases may be greater than the financial impact.

AN INTERCONNECTED WORLD

As our digital footprint increases, so does the technology interconnectedness of our personal and professional lives. The challenge of securing a computer network supporting thousands of employees across multiple countries is increasingly complex.

To keep up with the opportunities that social media brings, large organisations are increasingly opening these channels up – for both personal and professional purposes. These opportunities present new security challenges when personal and professional data is co-mingled on social platforms such as LinkedIn.

With contact information in abundance it's no wonder that according to Allen Paller, director of research at the SANS Institute, 95 per cent of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened an attachment that they weren't supposed to.

It's not just an employee's digital footprint that has the potential to compromise online activity. As companies, including banks, increasingly go digital and interact with customers beyond traditional channels, security must grow with it to protect the increasing amount of data being generated.

EVERYBODY'S BUSINESS

The concept of “Cyber Resilience” – the preservation and continuation of business operations in the face of a cyber-attack – is now an imperative.

Importantly this is a business issue – not isolated to the technology department – which must be approached in true partnership, incorporating both strong incident management and clear lines of communication across the organisation and beyond.

To cope with greater amounts of information to be protected, a deep understanding of the corporate network environment and the data that traverses it is at the heart of a cyber resilience strategy.

{CF_IMAGE}

At ANZ, we take cyber security very seriously and have invested towards gaining deeper understanding of key information to be protected. Given the explosion in data available, new technologies and techniques available, we are also developing advanced data analytics capability to better identity and understand events of interest that might lead to a cyber-attack.

This ability to more deeply analyse cyber security events is the largest deployment of its kind in Australia and augments additional people and processes supporting our 24/7 incident management and response capability.

A holistic understanding of an organisation's data through advanced analytics, combined with a well-planned cyber resilience strategy – prepared by and bought into by all areas of the business - provides organisations with the opportunity to prepare for when, not if, a cyber-attack occurs.

In the future, organisations will not only have to do everything reasonable to prevent and detect a cyber-attack, but equally important, they will be evaluated on how prepared they were in the first place, and how they responded and maintained business resiliency during the incident.

Steve Glynn is Global Head of Information Security at ANZ.