New Times,
New Thinking.

Advertorial feature by BeCyberSure
  1. Science & Tech
11 April 2016updated 09 Sep 2021 1:11pm

Cybersecurity – Risk Management Crashes the Boardroom

Many companies will convince themselves they have nothing of value to hackers. Bad luck, all data has a value and all companies have something which will interest cybercriminals.

By Be Cyber Sure

“It is not the strongest that survive, nor the most intelligent, but the one most responsive to change”.

         Charles Darwin

Risk Management Is Now Top of the Board Agenda

With business interruption, reputational damage and cybercrime being the top 3 concerns, they know they face highly resourceful criminals and law enforcement agencies that are overwhelmed by the scale of their task.

Cybercrime everywhere is classified as a ‘Tier 1 Strategic Threat’, sitting alongside terrorism, international military crises and major natural disasters. The exponential rise of cybercrime and its global nature has created a virtual tsunami of risk. New laws seek to force businesses to raise their game. They come replete with revenue based fines and personal liability for those in control functions. Bilateral cross-border jurisdictional agreements are increasing – so best you know where your liability lies. The US is particularly aggressive about chasing foreign miscreants. Criminal convictions and jail time are now real possibilities for those who are negligent with data in their custody.

Select and enter your email address Your weekly guide to the best writing on ideas, politics, books and culture every Saturday. The best way to sign up for The Saturday Read is via The New Statesman's quick and essential guide to the news and politics of the day. The best way to sign up for Morning Call is via
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

The problem(s): Cybercriminals seek vulnerabilities and not just those in your technology. They work on risk/reward and follow the money.

Language: Gobbledegook. A mystical language (e.g., endpoints and sockets for devices and connections) appears intended to confuse.

Endless acronyms; BYOD, AFH, 3DES…. add to impenetrability.

Use of language: ‘Cybersecurity’ when they mean ‘Information Security’ – this probably seems pernickety, but say ‘cyber’, think ONLY ‘cyber’ – which is what vendors want. Just remember, your threat begins long before you get anywhere near a computer. If a compromise occurs outside of your security perimeter, you may never know.

Secrecy: Victims are desperate to avoid reputational damage so keep very quiet whenever they can. Frequently, law enforcement agencies are not informed of a breach. Maybe only 5% – 10% of breaches ever become public knowledge, masking the true scale of the problem and fuelling ignorance based complacency.

Vendors: Cybersecurity vendors issue propaganda and then sell expensive ‘solutions’ into it. These solutions have often been developed with poor inherent security. Then they sell expensive fixes to patch the holes. A complex ecosystem has evolved around this merry-go-round. What their expensive sales force won’t tell you is that there is much that you can do to defend your data before you need to invest in expensive technical solutions.

Too Small to be of Interest: Many companies will convince themselves they have nothing of value to hackers. Bad luck, ALL data has a value and ALL companies have something which will interest cybercriminals. NO business is too small to be of interest.

The Rules Do Not Apply to Us: For now, regulators are focused on financial/critical infrastructure companies and new laws are primarily aimed at them. Nevertheless, up to 80% of data breaches in larger companies enter through vulnerabilities in their supply chain. Suppliers are a constant source of cyber infection. Regulated companies will pass these legal requirements on to their suppliers.

What to do?

In a recent survey, 2% of respondents said that they would sell their company’s data for as little as $10. At $1,000, 15% would.

Criminals are offering $20,000 for Google employee logon credentials, we hear. Google invests much effort in its own security, but it is impossible to make any system totally impregnable. Impossible. Even for Google. The survey mentioned above suggests a reasonable possibility that one of Google’s c.20,000 workforce will sell. Success will buy the criminals a goldmine. $20k will look like an absolute bargain.

Like cars and guns, computers are not intrinsically dangerous. Around 4 in 5 data breaches are initially caused by human error (or, occasionally, a malicious action by an (ex)employee). This is known as the ‘insider threat’.

A well constructed governance regime, proactive management and a good education and training programme at the heart of any Information Security efforts will ensure a significant lowering of the general cyber risk and increase crisis management capability. In the process you will create many more trained eyes to work with your security staff. That has to be a good thing too.

Then you can concentrate on creating a more robust and cost effective IT security solution. Any acquisition of potentially expensive technology will only be actioned in response to a genuine need. All the above should be guided by a comprehensive threat assessment involving all aspects of the risk (physical, cyber and governance). Strong governance will enable a Board to create a comprehensive ‘Information Security’ culture and process throughout the whole organisation.

Think human, BEFORE you think cyber.

Think security, NOT compliance.

Think Be Cyber Sure