The recent ransomware attack on one of the US’s largest fuel pipelines, Colonial, has led President Biden to release an executive order mandating that the federal government significantly improve cyber security within its networks. It’s a step in the right direction, and a serious warning signal for all businesses around the globe — US government or not.
According to Ajay Unni, member of the NSW Government’s Cyber Security Task Force and founder of cyber security company StickmanCyber, “Ransomware attacks are the worst of their kind. Victims are brought to their knees and forced to pay up — or risk losing their entire business, data and reputation. This is why cyber security is not just an IT issue, but a whole business issue.
“While ransomware is undeniably deadly and unpredictable, organisations regularly become victims, thanks to their own lack of basic security controls. Most ransomware attacks are a result of phishing emails, compromised passwords to networks and open and unmonitored network or infrastructure — all things that can be secured against with proper cybersecurity processes.”
Unni says that to improve security over the long term, businesses must ensure they have strong passwords, privileged or role-based access to critical systems, rotating passwords and multi-factor authentication. “They should regularly test their networks for security weaknesses, and make sure that systems, policies and procedures are all enforced and backed by strong governance and compliance.”
Where do company boards fit in?
“Company boards are just as responsible for a business’s cyber security as the IT department. Board members must look at cyber security through the lens of risk and exposure, and realise that they are responsible for the impact of any risk — including cyber.
While management teams are regularly tasked with protecting the business from all types of risk, the board is ultimately accountable, says Unni. “Company directors and boards carry huge responsibilities and they need to be aware of how a cyber attack can impact themselves and the organisation. Not taking these responsibilities seriously can have severe legal, reputational and financial implications, both personally, and for the company as a whole.
“If you want to implement cyber risk assessments into your own board’s agenda, you might consider the following approach. First, ensure that cyber security is set as part of the board’s agenda. Set aside time to build a cyber security strategy, which includes appointing someone in the management team to lead and be responsible for cybersecurity. Check that your board’s risk register includes cyber risk, is updated regularly, and tabled at the board meetings. Provide leadership and take part in cybersecurity awareness and training.”
He recommends assessing various company cyber insurance covers, so that if there is an attack or breach, companies will be better positioned to mitigate financial losses.
“Evaluate your director insurance to include cyber risk. It’s important to remember that insurance is not going to influence your actual cyber security, but is a cover in case all prevention and detection and response efforts fail.”
Don’t Ignore the Risk
There are a number of risk assessment frameworks for cyber security, but unlike risk in the physical world, cyber risk is easily misjudged if it is not articulated well. To assess their cyber security risks, businesses should look at three main areas: people, systems, and processes. Once they have established the weaknesses in these three areas, the next step is to work out how those weaknesses could be exploited to cause damage to the business.
“For example, if no training was ever given to the people in your company, how likely is it that staff would click on a link that could install malicious software? Or if your systems don’t have the latest security patches, how easily can they be breached? If there are no policies or processes for cyber security in place, is it even possible to prevent an imminent attack?
When it comes to cyber security risk, there are a huge number of factors at play. While all businesses want to get ahead, grow, and increase their revenues, it’s vital that they also stop and think carefully about how a cyber attack can impact their business, he told Which-50.
“Ask yourself: do we have everything we need in place? Do we have the right kind of strategy, governance, policies, procedures, and risk assessments? How strong are our monitoring, detection, response, threat intelligence, and testing? What training do we have in place? Do we have a good mix of people and partners to help support the business from cyber risks?
“With all of these bases covered, your business will be in a much better position to protect itself from predators should an attack arise. In most cases, it’s not a case of if, but when.”