Getting on board to fight cyber crime

One in four Australian respondents in a recent study believes that their board does not yet fully appreciate the risk posed by targeted cyber-attacks. In addition, 39 per cent said they either did not have, or were not aware of, a crisis response plan in the event of an attack.

The study, conducted by BAE Systems Applied Intelligence, also found that 84 per cent of Australian respondents expected the number of cyber-attacks to increase in the next two years.

Richard Watson, managing director Asia Pacific and Middle East of BAE Systems Applied Intelligence, says: “Boards should adopt the mindset that a cyber-attack will happen at some stage. While some attacks will have a minor impact, others may threaten the global reputation of the organisation and a poor response to these attacks will often serve to worsen the fallout from a major incident.

“Consequently, a board should satisfy itself that management has effective processes to identify attacks early and then to respond to these in a structured and repeatable manner, with a clear delineation of responsibility.

“It is also common for the best recovery plans to fail on first contact with a major event so the board should ask about the extent of testing of these processes.”

Watson warns that sophisticated cyber-attacks often rely on tricking or coercing internal staff into opening malicious attachments or visiting malicious websites that compromise the computer they are using, establishing a command and control channel and then spreading laterally inside the network.

“Hence, a key control is establishing a culture where staff are aware of the risks associated with cyber-attacks and confident enough to flag concerns about suspicious things through an effective mechanism. This should also include specific training for high-risk staff such as IT administrators,” he says.

Watson adds that the cyber-attack challenge may still be viewed as a technology problem alone, rather than something that must be tackled at CEO and board level.

However, he notes that it is also becoming more common to see the role of chief information security officer (CISO) created. This role usually reports to the CIO, COO or CEO and is responsible for an organisation’s cyber security posture.

“The board needs to ensure this role is sufficiently empowered to effect change and is also not reporting in a way that means it is competing for resources with regular IT projects which are often seen as more of a priority by some parts of the business.”

Watson says boards should ask the following types of questions to establish if their crisis plans are mature:

  • Effective detection: Does the organisation have the right controls in place to detect targeted cyber-attacks? How can the organisation be confident that the most sophisticated types of attack will be detected? “In a number of recent examples of covert cyber-attacks (to steal information rather than cause high-profile disruption), the attack has gone unnoticed for a period of over a year, despite the organisation having firewalls, anti-virus, intrusion detection systems and regular penetration tests of the perimeter. These kinds of attacks are often based on compromising end-user computers and establishing command and control channels into the organisation,” says Watson.
  • Formalising where critical information resides: Has the organisation established which information is of high value and identified which departments, business processes, IT systems, suppliers and staff process or have access to this information?
  • Roles and responsibilities: Are roles and responsibilities clearly marked in the event of a crisis? “A common problem is the lack of a clear chain of command for effective and timely decision making,” says Watson. “A crisis will often require difficult decisions, such as at what point to turn off key systems or services or to engage with customers or the media. In some industries and countries, it is mandatory to inform a regulator or the end customer if their information is breached.”
  • Access to specialists: Does the organisation have clarity over which specialist partners will be used (for example, cyber security incident response or media relations)? Are these organisations on “retainer” deals so they can be called in at short notice? A common challenge arises when an organisation in the middle of a crisis has no pre-existing commercial arrangements in place at the time it needs urgent support, says Watson.
  • Testing the crisis plan: Are the plans periodically tested to ensure they are effective? A common problem is that plans are made but never tested, or never disseminated so that all stakeholders understand their roles.