Is your company cyber-safe?

Businesses can't afford to ignore the threat of cybercrime.

The threat of cybercrime is real. Ensure that your business is protected.

These days “cyber” is a prefix for a swathe of shadowy activities: there’s cyber warfare, cyber espionage and cyber sabotage, not to mention cyber bullying and, of course, cybersex. But for most businesses and everyday consumers, the threat of falling foul of cybercrime is the most worrying.

Intellectual property (IP) theft, fraud and the risk of people’s personal information or, for that matter, complete identities being stolen by organised crime gangs or just tech-savvy opportunists are rising exponentially as hacking grows in size and intensity.

To put this into its true and frightening perspective, a new study from software security firm McAfee and the Center for Strategic and International Studies reveals that global cybercrime activity is costing up to US$500 billion each year, which is almost as much as the estimated cost of drug trafficking. In the US alone, cybercrime is blamed for the loss of as many as 500,000 jobs as companies buckle under the loss of their IP, confidential strategies and the reputational damage that results.

Clearly, extracting value from the computers of unsuspecting companies, government agencies and consumers’ bank accounts is big business, and one the McAfee report says has become a “major risk for companies and nations as these illicit acquisitions damage global economic competitiveness and undermine technological advantage”.
Although McAfee says its research is the first to use actual economic modelling to forecast the financial costs of cybercrime, according to Nigel Phair, director of the Centre for Internet Safety at the University of Canberra in Australia, under-reporting of cybercrime is a massive problem.

“There is generally no incentive to report cybercrime to law enforcement or regulatory bodies,” Phair says. “Australia is yet to implement data breach legislation, so there are no legal requirements to notify customers or the Privacy Commissioner of personally identifying information collected and retained by an organisation.”

This is set to change come March 2014 with the introduction of new Australian Privacy Principles – something Phair says the majority of Australian organisations are unprepared for, particularly with respect to collecting and retaining customer data, the use of cookies and other technical collection measures.

Compounding the problem is the fact that some companies still don’t seem to fully comprehend the dangers they face from high-tech crime, while others just aren’t prepared to admit that their systems are vulnerable.

“All systems have vulnerabilities, but organisations need to identify their trophy data and protect it accordingly,” Phair says. “Too many organisations are ill-prepared for a network outage, regardless of whether it occurs from a cyber-attack or power blackout. Organisations need incident response procedures and they need to practise them.”

This is especially important given many criminals are extremely well organised and funded and, in some cases, arguably more technologically sophisticated than the law enforcement bodies trying to catch them.


“Yes, there are some very sophisticated criminal organisations attacking companies, particularly in export-facing markets,” Phair agrees. “However, consumer trust and confidence is more diminished from bad user experiences. Everyone has a different tolerance of this, which could include constant spam, illegal material and unpleasant content.

Organisations need to be wary of simple scams against them and their staff which may be an entry point into their IT systems.”

Effective risk management is essential, he adds.

“They have to identify their key data and put appropriate controls around this data to protect it from both external attack and internal threats. Risk management practices need to be used to identify this information and the impact it has on business survivability.”
3 cyber-safety steps for business

Building security into business systems and admitting, from the outset, that a firm is at risk is vital. Maintaining antivirus and firewall software is imperative.

In a new report titled “Cyber threat intelligence and the lessons from law enforcement”, professional services firm KPMG notes three principles that will help organisations manage the cyber threat proactively and minimise risk to customers, shareholders and employees.

These are:
  • Create an intelligence-led mindset: Leaders must continuously assess the cyber threats the organisation faces, the risk those threats pose to valuable information assets, what response is required and how effective that response has been.
  • Implement an intelligence operating model: Intelligence models vary but should start by having in place a strategy and budget for cyber intelligence.
  • Build an intelligence-led decision-making process: Gather relevant information, analyse that information to create intelligence, and then act on that intelligence.
