A cyberattack is an existential threat to all companies, which puts the pressure on cybersecurity teams. The pressure continues to increase as more staff work from home and the skills gap continues to exist. Simon Howe, Vice President Asia Pacific Sales, LogRhythm, explains how companies can help ease the pressure on their cybersecurity teams.
The COVID crisis has made 2020 a tough year for the millions of Australian workers who’ve either been thrown out of work or found themselves working harder than ever, helping their employers navigate challenging economic conditions. Among those fortunate enough to still have a job, few have been harder pressed than the country’s small army of cybersecurity professionals.
As well as contending with an explosion of COVID-related fraudulent activity, they’ve been on the frontline, defending businesses and organisations against the threat posed by malicious attacks, including those orchestrated by the sophisticated, state-based cyber actor that Prime Minister Scott Morrison warned about in June.
The stakes are high. AustCyber’s Australia’s Digital Trust Report 2020 noted that a single week of widespread disruption, as a result of a major cybersecurity incident, could result in a US$1.2 billion hit to the economy and more than 6,000 job losses. Those stakes will continue to rise as bad actors home in on opportunities to infiltrate government and corporate networks, to steal money and data, wreak havoc and hold organisations to ransom.
Little wonder then that security professionals are feeling the heat. Three quarters of respondents to LogRhythm’s The State of the Security Team global survey carried out earlier this year reported feeling more stressed today than they did two years earlier.
The research also found senior leaders can have a significant impact on the wellbeing and morale of their information security teams.
Here are four ways to take the pressure down.
Get the board on board
Cybersecurity has historically been a backroom function. That’s made accessing sufficient funding and resources to do their job properly a challenge for many security teams. Raising awareness at board level of cybersecurity’s critical importance to the organisation can make it easier for security personnel to secure the budget and buy-in they need to succeed.
Indeed, here are four increased duties for Australian boards relating to cybersecurity:
- Directors’ cybersecurity duties under the Corporations Act
Company directors have an obligation under section 180 of the Corporations Act to exercise their powers and discharge their duties with ‘care and diligence’. If there was any doubt that this obligation extends into the field of cybersecurity, ASIC has made its position clear.
ASIC Report 429 states that:
• it considers board participation important to promoting a strong culture of cyber-resilience; and
• a failure to meet obligations to identify and manage cyber-risks may, if you are a director or officer of a company, result in you being disqualified from your role.
- Directors’ cybersecurity duties and the Privacy Act
The Privacy Act applies to any entity with a turnover of AU$3 million or more. The Australian Privacy Principle (APP) requires the entity to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Directors’ cybersecurity duties and Mandatory Data Breach Notification
In February 2017, the Privacy Act was modified to incorporate a new mandatory data breach notification regime. It applies to entities that are already obligated under the Privacy Act.
Notifiable Data Breach legislation requires certain data breaches to be notified to the Office of the Australian Information Commissioner and to affected individuals. Very significant fines attach to a breach of the regime, in particular where companies have not met their obligation to protect their data and the information relating to individuals.
- Directors’ cybersecurity duties and Australian Consumer Law
The Australian Competition and Consumer Commission (ACCC) has a number of statutory powers under the Australian Consumer Law (ACL) which could be exercised to take action against businesses that fail to properly prepare for cyber-risks.
While the ACCC has to date focused on educating and informing Australian businesses about cybersecurity issues, it has powers similar to those of the FTC in the US, which it could use to punish and/or deter harm caused to consumers by businesses with lax cybersecurity, including in relation to false or misleading representations and fitness for purpose.
Poor cybersecurity practices – for example, providing an online payment service with insufficient protection for consumers’ credit card or personal information – may be a breach of the provisions of the ACL.
Conclusions
There is a range of potential legal liabilities that may flow from an organisation’s failure to adequately address cybersecurity issues. While there needs to be an appropriate recognition of the separation between board and executive responsibilities, doing nothing is not an option, as ignorance of a company’s cyber obligations is not a defence.
A good place to start can be the Australian Government Cybersecurity Operations Centre’s (CSOC) ‘Questions senior management need to be asking about cybersecurity’, or the website of the Office of the Australian Information Commissioner. Today, directors and boards must support the critical cybersecurity defence initiatives of their businesses in order to discharge their obligations under the Corporations Act.
Commit to hiring – and keeping – top talent
Australia is suffering from a severe cybersecurity skills shortage and the sector will need an additional 17,000 workers by 2026, according to AustCyber’s most recent reckoning. A substantial number of positions continue to go unfilled; a situation which only exacerbates the pressure on those holding the fort. While higher education institutions are racing to plug the gap with new courses and qualifications, it will be some years before demand and supply align.
Against that backdrop, developing a plan to attract new employees to your security team and retain the skilled talent whose efforts are keeping your enterprise protected from attack is critical.
Support a strategic cybersecurity plan
Many security departments manage threats by throwing technology at the problem. As a result, they own an array of disparate solutions. Integrating and maintaining those solutions takes time and, in a thinly stretched security team, that’s a commodity that’s in perennially short supply.
Taking a step back and developing a strategic technology plan can mean better protection for your organisation and fewer headaches for security personnel. Encouraging them to review their technology stack and invest in a solution that provides a single view of real-time threats can make it possible for them to identify and neutralise potential attacks before the enterprise is compromised significantly.
Make security everyone’s responsibility
Employees can be the strongest and the weakest links in the cybersecurity chain. A healthy cyber culture will make the job of your security team easier, by making the business of protecting corporate systems and data into everyone’s responsibility. Fostering it starts at the top, with senior leaders who throw their support behind cybersecurity training and awareness initiatives and recognise and reward individuals who do the right thing.
Protecting the team that protects the business
In 2020 Australia, cyberattack is no longer a mere irritant; it’s an existential threat. Doing all you can to support the team whose daily efforts can prevent disruption and disaster isn’t just the right thing to do, for people under pressure – it’s sound business practice that will serve your organisation well.