Cyber security is a major concern for Australian businesses, no matter their size or industry, and having to deal with ransomware and DDoS attacks has unfortunately become business as usual, with detrimental consequences for both the bottom line and reputation. The recent Wannacry ransomware attack, affecting more than 150,000 machines across the globe, was an example of the devastating impact a cyber attack can have, with critical medical services affected in the United Kingdom and networks affected across the world.
According to our last Cyber Defence Monitor 2017 report, cyber security represents the most significant business challenge for 71 per cent of C-suite executives. 72 per cent of IT decision makers expect to be targeted by a cyber-attack over the next 12 months.
While 50 per cent of businesses plan to increase the time and resources spent on cyber security, executives and IT leaders can’t agree on who should be accountable for managing the budget or where it should be spent.
There are still major gaps between how the executive suite and IT leaders perceive the issues and priorities attached to cyber security. For example, in the event of a successful attack, business leaders are more worried about sensitive information theft, loss of customer information and reputational damage, while IT decision-makers are more worried by Intellectual Property (IP) theft, fraud and business disruption.
Australian organisations can’t build an effective cyber security strategy if they are out of sync on their priorities. They also can’t properly protect the organisation’s most important assets if they are not aligned on who is responsible, or indeed what those assets are.
Just as concerning is the 77 per cent of C-suites and 93 per cent of IT decision-makers who don’t believe they have the skills they need to deal with a cyber attack.
A lack of common views on the important assets to protect and confidence in available skills means we need to work quickly to narrow these gaps in understanding, intelligence and responsibility.
A diversity of opinion tied to common goals is a symptom of strength in an organisation. It’s clear that effective collaboration, communication and intelligence sharing are the bedrock on which effective defences will be built. IT and business teams don’t always communicate openly, directly or comprehensively.
It’s time business leaders stop pointing the finger at IT teams, and participate actively in securing their organisations. They are the ones overseeing the wider business, and it is their role to raise awareness about the cyber threat amongst all lines of businesses, so employees are better informed and less likely to be the source of a breach.
They should also be intimately involved in deciding where the security budget should be spent, which includes considering outsourcing part of their security to industry experts, to benefit from economies of scale, specialist facilities, shared intelligence and the ability to call upon scarce skills that are in high demand.
Hiring the right IT skills has indeed been a real struggle for Australian organisations in the past few years. With the increased sophistication of threats, finding relevant security experts has become very challenging, and expensive. Instead of seeing this as a barrier, it should prompt organisations to make hiring one of their priorities, and start thinking about their future cyber skills requirements today, nurturing the talent required to ensure a thriving supply chain of skilled works and ideas to address this growing challenge into the future.
Finally businesses should also be open to sharing knowledge with peers, law enforcement, governments and IT security firms, to augment theirs and the industry’s defences against cybercrime. This is how Australian businesses will build threat intelligence engines that will benefit whole industries, by collating and analysing data from various sources into one common framework.
In an increasingly connected world, it is no longer possible for businesses and business units to remain siloed, and for leaders to be hands off on cyber defence. Without a common understanding of where the business is currently or the desired destination, and the means by which they’ll reach it, IT Decision Makers and C-suite executives risk wasting scarce resources and ending up in the spotlight, for all the wrong reasons.
Michael Shepherd is the Regional Managing Director for Australia and New Zealand (ANZ) at BAE Systems Applied Intelligence