Risky business: managing cyber threats

The digital revolution is well and truly upon us and businesses are reaping the rewards. Online accounting software automates bookkeeping, cloud solutions increase computing capacity while saving costs, online stores open up whole new markets for retailers. It goes on.

But with reward comes risk. Each new system or application is a potential entry point or target for cyber threats. These threats can come from diverse sources, from hackers and cyber criminals to disaffected employees or customers.

Your business may not hold sensitive data such as medical or banking details but don’t assume you’re immune. According to the Institute of Directors and New Zealand cyber risk consultancy Cybercraft, all businesses are potential victims. A cyber-criminal might attack a business to gain product or contract details, source code, merger or acquisition plans or employee information.

New Zealand businesses lost $728,318 in the first three months of this year, according to cyber security agency CERT NZ, and 118 organisations were targeted by phishing scams and credential harvesting attacks, but only a small proportion of losses and attacks are reported.

At an operational level, cyber-attacks can take down or compromise websites or key systems, paralysing your business and often leading to lost revenue.

Cyber-attacks can have legal ramifications as well. Proposed changes to New Zealand’s Privacy Act would make reporting of data breaches that harm or pose a risk of harm mandatory, and failure to do so could result in a fine of up to $10,000.

But perhaps most worrying to businesses is the reputation damage from a cyber-attack, says Cybercraft director Jeff Herbert. “That’s the biggest thing keeping them awake at night. An attack on a professional services firm and the resulting brand damage has been estimated to knock as much as 20 percent off turnover.”

Today’s consumers are more informed and engaged than ever, and a breach of their data destroys trust in your brand. A survey by a UK accounting firm found that 85 percent of consumers canvassed said a breach would discourage them from using a business in future.

The risks are clear, but many businesses are unsure how to tackle them. So where to start?

Culture change: not just an ‘IT’ issue
Cyber security cannot be siloed with the IT department or entrusted to the usual security software packages. The financial, legal and reputational risks to the business of a cyber-attack mean cyber security must be treated as an enterprise-wide risk and addressed as such, from the board down.

Cybercraft advocates developing a cyber security culture, much like the health and safety cultures of modern workplaces, in which every person in the organisation – from the receptionist to the chair of the board – is encouraged and trained to be a smart digital citizen.

Risk awareness and appetite
Risk is an accepted part of doing business. But too many New Zealand businesses and organisations are unaware of the cyber risks they are exposed to. A 2014 survey by the Institute of Directors and the New Zealand Institute of Economic Research found that less than half (47 percent) of boards said they received good quality information from management on technology-related matters. Cybercraft recommends that businesses first establish how exposed they currently are, and only then determine their risk appetite.

Once a board has a clear picture of the risks it can determine which are acceptable and which need to be removed, mitigated, or insured against. If a board can say, ‘We really depend on this technology and our business will be really impacted if there’s a breach’, then the business can develop a cyber risk management plan and allocate resources appropriately, Jeff says. In many cases businesses will need to seek expertise to assess their cyber security risks and legal obligations and form a cyber risk management strategy.

Cyber security policies need to extend beyond a standard Acceptable Use Policy. They should also set out, for each service provider, what level of security the business requires to be deployed and what the board expects of that provider.

Vigilance is key
It is not enough for cyber risk management simply to be on the board’s agenda; it needs to be prioritised so that directors have clear and current knowledge of the cyber risks and attacks faced by the organisation and of how they are being managed. Because cyber threats are constantly evolving, businesses need to revisit them regularly to ensure they remain protected from major financial, legal and reputational harm.