Stretching the Castle Walls: 3 cyber security questions for CEOs

Where to start 

No one has less time than a CEO, much less a CEO who has just been informed of a cyber security incident. This is especially pertinent given several recent large-scale data breaches have impacted millions of Australians’ personal information.

In the second half of 2022, there were 497 notifications to the Office of the Australian Information Commissioner, marking a 26 per cent increase in reported breaches since last year. The increase in prevalence and sophistication of cyber threats drives how organisations must protect themselves from these threats, and how they respond to successful attacks. It has become imperative for every CEO to prioritise cyber security in their organisation – but it’s not always clear where to start. 

As the threat landscape rapidly evolves, we need to ask ourselves the right questions to ensure we’re prepared for when the inevitable happens.  

1. What are my reporting obligations? 

Governments worldwide have tightened regulations concerning cyber security and data protection.

In fact, the Australian Government is looking to appoint a dedicated Privacy Commissioner to support organisations impacted by data breaches. This will be the first time a standalone Privacy Commissioner has been appointed in eight years. 

The best way to get a comprehensive understanding of your regulatory and reporting compliance obligations is by collaborating with your legal and compliance teams. Cyber security regulations are unique in that reporting is mandatory and must be done within certain timeframes.  For example, if your organisation is deemed critical infrastructure by the Critical Infrastructure Protection Act (updated in 2022), then you may be required to report breaches within 24 or 72 hours, depending on the circumstances.  

These reporting obligations may exist within other organisations too – make sure you are aware of best practice around informing the Board and your executive committees.

Failure to comply with these obligations will result in financial penalties – up to $222,000 for a corporation per infringement1 – reputational damage and increased audit scrutiny. Staying ahead of your obligations and understanding the regulatory landscape will help prevent many of these issues, but also give you the basis for a cyber security program.

2. Can we handle a cyber security incident?

Three key terms to remember: capability, capacity, and confidence; Are you capable of responding quickly and efficiently? Do you have the capacity internally to handle a crisis? How confident are you in these answers?
 

Understanding your organisation’s cyber security readiness is crucial in identifying and addressing potential vulnerabilities. The move to the cloud has fundamentally changed the way that organisations need to handle cyber security – decentralisation means that the castle walls that held their ground in a traditional data centre are now being stretched around a much greater area. The castle has grown to a village, and this means more angles of approach for threat actors. 

The threat actor is often not an individual. They are an organised network of highly informed and capable criminals whose business it is to defraud your company or your people of money (money is the most common motive). Cybercrime goes beyond just a phishing link in an email; it’s a highly lucrative enterprise that attracts skilled individuals and organisations working together to produce profits and grow, just like a regular business. 

Uncovering the “unknown unknowns” is crucial. In security, we often refer to this as the “Identification” stage. Identification involves assessing gaps in skills, capacity, or knowledge that may exist, then building a program of work to protect the areas Identified.

Engaging third-party cyber security experts to conduct readiness assessments can provide valuable insights into your organisation’s cyber security posture. These assessments will highlight areas of improvement, help identify vulnerabilities, and provide a clear roadmap for enhancing your organisation’s cyber security maturity.
 

3. How will we respond to a cyber security incident? 

If you’ve heard it once, you’ll hear it again. It’s not if, it’s when.

The inevitability of a cyber security incident means that it is now considered a top risk by corporate Australia.  Using risk terms, the likelihood of a cyber incident is nearly 100% (“highly likely” or “almost certain” in your corporate risk matrix). A recent analysis from the World Economic Forum placed cyber security as the most likely technological risk for organisations to face in a post-COVID world.

Regular tabletop exercises and simulated breach scenarios allow organisations to test their response plans, identify potential weaknesses, and refine their incident management procedures. These exercises provide valuable insights into the effectiveness of communication channels, coordination between teams, and the overall ability to maintain business continuity during a cyber incident.

In addition, team leaders should establish clear lines of communication and assign incident response roles and responsibilities. This ensures that all employees are aware of their roles in the event of a breach and can act swiftly and cohesively to minimise the impact. 

Now is the time to ensure you’re incorporating cyber security into general enterprise risk mitigation plans, from an operational and reputational perspective. By Identifying reporting obligations, protecting sensitive data, and preparing for cyber incident response and recovery, CEOs will be in a position to keep the castle walls in the right place in their organisations.