
Advertorial feature by BeCyberSure
Science & Tech

11 April 2016, updated 09 Sep 2021 1:11pm

Cybersecurity – Risk Management Crashes the Boardroom

Many companies will convince themselves they have nothing of value to hackers. Bad luck, all data has a value and all companies have something which will interest cybercriminals.

By Be Cyber Sure

“It is not the strongest that survive, nor the most intelligent, but the one most responsive to change.”

Charles Darwin

Risk Management Is Now Top of the Board Agenda

With business interruption, reputational damage and cybercrime being the top three concerns, boards know they face highly resourceful criminals and law enforcement agencies that are overwhelmed by the scale of their task.

Cybercrime everywhere is classified as a ‘Tier 1 Strategic Threat’, sitting alongside terrorism, international military crises and major natural disasters. The exponential rise of cybercrime and its global nature has created a virtual tsunami of risk. New laws seek to force businesses to raise their game. They come replete with revenue-based fines and personal liability for those in control functions. Bilateral cross-border jurisdictional agreements are increasing, so you had best know where your liability lies. The US is particularly aggressive about chasing foreign miscreants. Criminal convictions and jail time are now real possibilities for those who are negligent with data in their custody.


The problem(s): Cybercriminals seek vulnerabilities and not just those in your technology. They work on risk/reward and follow the money.

Language: Gobbledegook. A mystical language (e.g., endpoints and sockets for devices and connections) appears intended to confuse.

Endless acronyms (BYOD, AFH, 3DES…) add to the impenetrability.

Use of language: ‘Cybersecurity’ when they mean ‘Information Security’ – this probably seems pernickety, but say ‘cyber’, think ONLY ‘cyber’ – which is what vendors want. Just remember, your threat begins long before you get anywhere near a computer. If a compromise occurs outside of your security perimeter, you may never know.

Secrecy: Victims are desperate to avoid reputational damage, so they keep very quiet whenever they can. Frequently, law enforcement agencies are not informed of a breach. Maybe only 5% – 10% of breaches ever become public knowledge, masking the true scale of the problem and fuelling ignorance-based complacency.

Vendors: Cybersecurity vendors issue propaganda and then sell expensive ‘solutions’ into it. These solutions have often been developed with poor inherent security. Then they sell expensive fixes to patch the holes. A complex ecosystem has evolved around this merry-go-round. What their expensive sales force won’t tell you is that there is much that you can do to defend your data before you need to invest in expensive technical solutions.

Too Small to be of Interest: Many companies will convince themselves they have nothing of value to hackers. Bad luck, ALL data has a value and ALL companies have something which will interest cybercriminals. NO business is too small to be of interest.

The Rules Do Not Apply to Us: For now, regulators are focused on financial and critical infrastructure companies, and new laws are primarily aimed at them. Nevertheless, up to 80% of data breaches in larger companies enter through vulnerabilities in their supply chain. Suppliers are a constant source of cyber infection, and regulated companies will pass these legal requirements on to their suppliers.

What to do?

In a recent survey, 2% of respondents said that they would sell their company’s data for as little as $10. At $1,000, 15% would.

Criminals are offering $20,000 for Google employee logon credentials, we hear. Google invests much effort in its own security, but it is impossible to make any system totally impregnable. Impossible. Even for Google. The survey mentioned above suggests a reasonable possibility that one of Google’s c.20,000 workforce will sell. Success will buy the criminals a goldmine. $20k will look like an absolute bargain.

Like cars and guns, computers are not intrinsically dangerous. Around 4 in 5 data breaches are initially caused by human error (or, occasionally, a malicious action by an (ex)employee). This is known as the ‘insider threat’.

A well-constructed governance regime, proactive management and a good education and training programme at the heart of any Information Security effort will significantly lower the general cyber risk and increase crisis management capability. In the process you will create many more trained eyes to work with your security staff. That has to be a good thing too.

Then you can concentrate on creating a more robust and cost effective IT security solution. Any acquisition of potentially expensive technology will only be actioned in response to a genuine need. All the above should be guided by a comprehensive threat assessment involving all aspects of the risk (physical, cyber and governance). Strong governance will enable a Board to create a comprehensive ‘Information Security’ culture and process throughout the whole organisation.

Think human, BEFORE you think cyber.

Think security, NOT compliance.

Think Be Cyber Sure