COVID-19 | Preparing for COVID-Normal? Five things you can do now to reduce your cyber security risk

The recent pandemic has changed the way a lot of us work and communicate with each other. In particular, it has accelerated business digital transformations such as working from home, and highlighted the increasing prevalence of data breaches. Data breaches affect us all and can cost our business millions. As we steadily emerge from stringent lockdowns and restrictions, now is the time to consider what our business might look like in COVID-Normal.

A plan for now, a plan for the future

In Australia, we have seen a systematic response to the pandemic through careful immediate and forward planning with built-in flexibility to respond to new challenges presented by the virus.

Our response to cyber security should be no different.

But what are we ultimately trying to achieve?

Ultimately cyber security aims to prevent the technical exploitation of vulnerabilities. Simply: keep the right people in, keep the wrong people out.

Preventing the technical exploitation of vulnerabilities

Cyber security can be complex and daunting, particularly for those of us who miss the good old ‘locked safe’ approach to data protection. And there are many ways to go about it. Here’s my five tips for what you can do right now to reduce your cyber security risk.

1. Cyber Security by Design

‘Cyber Security by Design’ is a phrase I use to describe a comprehensive approach to cyber security. The phrase is inspired by Dr Ann Cavoukian, former Privacy and Information Commission of Ontario, Canada, who developed the concept and roadmap for ‘Privacy by Design’ which is now used worldwide for privacy compliance.

So, what is it?

‘Cyber Security by Design’ or CSD is a way of proactively managing risk by embedding good cyber security strategies into the design specifications of our technology, our business practices and our physical infrastructures.

Let’s be honest: there is currently no way to completely protect our systems. Even an air-gapped system is vulnerable to internal intrusions and physical theft.

CSD is about layering the measures we use to minimise risk and designing this in a way that is tailored to the individual business needs. We do this by understanding what we are trying to protect, and why we are trying to protect it.

And just like our plans and our response to the virus, we need an approach that has inbuilt flexibility to deal with whatever comes next.

2. Train, educate, test, repeat

A cyber secure culture starts from the top down. It needs to be on our board’s agenda as a regular item (if it isn’t already).

Then comes the systematic approach to meet the immediate threats and the future threats.

1. 1. 1. Training: For all staff. That means employees, directors, contractors and any third party with access to the company’s systems.
      2. Education: Live and breathe your policies, procedures and controls. One way to do this is to provide ongoing education about the policies, including risk management and examples of behaviour to avoid and traps to watch out for.
      3. Testing: Just like our privacy policies, this is not a ‘set-and-forget’ approach. Test regularly, test often. Pressure test it. Fix. Pressure test it again.
      4. Repeat: This approach is geared towards identifying flaws or gaps in cyber security procedures. Once identified, the procedures, policies and controls can be updated, implemented for training, education and further testing. Cyber intruders never sleep, so neither should we!

One thing our recent changed working conditions has taught us is that cyber security is not just a matter for the IT department. We are all responsible. We all need to know this.

3. Knowledge is power: compliance obligations

Our businesses all have compliance obligations, some more so than others. It is imperative to understand what these are and how cyber security fits in.

On average, a cyber attack costs a business a total cost of $3.86 million – from detection and escalation, to lost business, notification to regulators and customers, and ex-post response. (Data courtesy of ‘Cost of a Data Breach Report 2020’, Ponemon Institute and IBM Security).

This figure does not include cost of reputational damage, which can be incalculable.

Investing in compliance and investing in an appropriate cyber security approach to meet that compliance, is an investment in business longevity, productivity and sustainability.

4. Passwords, patches, persistence

Passwords: Passphrases are generally easier to remember and the longer they are, the higher the complexity, which ultimately costs an unauthorised intruder more in dollars and time to crack. Compare this with a highly complex password that users generally have difficulty remembering but are easier for an unauthorised intruder to penetrate.

The Australian Cyber Security Centre provides a range of guidance passphrases, including their guide on Creating Strong Passphrases that are complex and are easy to remember.

Patches and updates: Updating our systems as soon as these are available reduces the window of time for the exploitation of vulnerabilities.

Persistence: Cyber security comes easier to some than others. This is where continuous training and education are essential.

5. Cyber Liability Insurance

We saw from the Sony Playstation case in the U.S. that traditional liability policies are unlikely to respond to a claim related to a cyber attack.

Enter stage left: Cyber liability insurance – a tailored insurance which usually offers comprehensive cover for liability and expenses associated with a cyber breach. Depending on the policy, it may include network outages, malicious code, and cyber-extortion.

Whether it is needed or not will depend on the risk profile of the business; remembering of course that it is not a solution, but rather part of the steps we can take to minimise our cyber security risk.

Takeaways

Our COVID-Normal will have an increased focus and reliance on technology. This aligns with our Government’s plan to be a leading economy in the next ten years by capitalising on the adoption of online technologies kickstarted by the pandemic.

With this in mind, our cyber security takeaways are:

• An organisation’s data can only be as secure as its ability to identify the risks and manage them in the most effective and appropriate manner. See here: Cyber Security by Design.
• Cyber security is not a ‘one size fits all’ proposition. Rather, security measures, policies and procedures must be tailored to individual business needs.
• Preventing unauthorised access to data is an investment that ultimately can save our organisation in resources, costs, damages, time and reputation.
• Implementing the above 5 tips now can help you to reduce your cyber security risk.

For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.

Authored by:

Michael Owens, Partner
Kelly Marshall, Director