Thursday, 23 September 2021

KordaMentha's Behind Business podcast discusses the most pressing commercial, financial and operational issues facing business today.

Cybercrime costs the Australian economy billions of dollars each year. The increasing number of cyber-attacks has hit some of our nation's biggest organisations, including BlueScope Steel, Lion Dairy and Drinks, and Nine Entertainment, as well as several major hospitals. These types of attacks can cripple an organisation financially and reputationally. With cyber now recognised as one of the top three risks facing organisations, it is imperative that Boards fully understand the specific cyber risks facing their businesses and are actively taking steps to mitigate those risks.

In this episode of Behind Business, KordaMentha's cyber expert Brendan Read joins Anna Leibel from the Secure Board to discuss the risks facing Boards, what they need to be aware of and what they can do to manage the risk of a cyber-attack.

Transcript

Sean Aylmer: Welcome to Behind Business, the podcast where KordaMentha experts discuss the most pressing issues facing business today. I'm Sean Aylmer, an economist and journalist for 25 years, and the host of the Fear and Greed Daily podcast. Cybersecurity is, without a doubt, one of the greatest challenges we face now and well into the future, from small businesses right up to the largest corporations and government agencies. Already this year, we've seen plenty of Australian companies under attack, including the Nine Network, which was almost crippled by a cyber attack. Internationally, millions of dollars have been paid to hackers who used ransomware to shut down an oil pipeline in the U.S. and global meat processing giant JBS. Today in Behind Business, we're going to look at what boards need to be aware of and what they need to do to manage the risk of cyber attack, and what can happen if they're unprepared. It's a complex field, but we have two experts to help.
In this edition of the Behind Business podcast, we have Anna Leibel and Brendan Read. Anna is a Director of The Secure Board and is a sought-after advisor on transformation, data, cyber, leadership and culture. Anna, good morning.

Anna Leibel: Good morning, Sean.

Sean Aylmer: Brendan Read is a former detective from the Queensland Police high tech crime investigation unit and now a forensic partner who leads the cyber team at KordaMentha. Brendan, good morning.

Brendan Read: Good morning to you, Sean.

Sean Aylmer: Let's start with you, Brendan. I can't imagine there'd be too many boards around the place now unaware of the risk of cyber attacks. Are they doing enough to prepare for it?

Brendan Read: Look, Sean, I would say my initial response to that question would be that some are, but most are not. And in relation to the ones that are not prepared, I'd say that disparity comes from where and how those boards are receiving their information on cyber issues for the organization. So some of those boards would be looking at their internal IT teams, hoping they'll give them the thumbs up that everything is fine. But it can really be an advantage to an organization when they get that independent set of eyes coming in and reviewing and reporting to the organization on their cyber risk position. And there are some very simple steps that organizations can take to look at addressing that and be prepared. Some of those steps are things like a cyber health check, development of a cyber incident response plan, testing that plan, as well as a big part of it being educating your staff, which is critical.

Sean Aylmer: I'm going to come back to some of those issues in a moment. Anna, I'm bringing you into this. What's a director's current obligation around cyber security, and is it changing?

Anna Leibel: It certainly is, Sean. I think at the highest and most simplistic level, board directors are accountable for risk, culture and solvency.
And so if you just apply the risk lens, we now know that cyber is in the top three risks of most organizations. I'd be surprised if it's not at least number one or number two. But we are seeing the government, and therefore the regulators, actually start to make bolder moves around what boards are actually accountable for.

So a few years ago, APRA released their standard called CPS 234, which is an information security standard that actually states that the board and the executive chain must own information security. I was actually working in financial services at the time and had to implement the requirements to meet that standard. So I definitely think that was a really great step, and it definitely helped create buy-in more broadly than the technology team.

And then the Australian Cyber Security Strategy actually plans to include changes to the directors' duties under the Corporations Act. So I definitely think it's starting to shift, and I do think that is a good thing.

Sean Aylmer: Okay. So clearly they're liable for it. I'm just going to go back to Brendan, and what you were talking about: the health check, incident response, education. If I'm a director, it's really challenging to understand what I'm supposed to be doing. And I am a director of a small business, to be honest, and I have no idea, right through to the major banks and miners and the directors of those sorts of organizations. So it goes right across the spectrum of businesses. What are the sorts of things they should be asking in board meetings? What are the sorts of things they should be thinking about, even if they don't actually understand the technical aspects of it?

Brendan Read: Yeah, Sean. I think they need to be understanding, as best they can, the sort of risk exposure they have to cyber-related incidents. And every business and organization is going to be different.
And it'll depend on what type of sector that particular organization works in as to what level of risk mitigation they need to take. So certain sectors, such as the financial sector or the energy sector, may have their own cybersecurity frameworks that they need to adhere to. And also, the other complication that comes into it now is this cloud-based computing that everyone's moving to. So a lot of organizations have their data sitting in third-party platforms. So as soon as they're putting their own personal data into those third-party platforms, the organization is taking on the risk that that third party applies to their client data. So they need to really understand what that third party is doing and what steps they're taking to protect their own personal data. Because with the changes in the regulation, and the regulators becoming more active in this space, organizations really need to be understanding where they're exposed to risk. And if there is an incident, what exactly do they need to do in terms of responding to that incident?

Sean Aylmer: Okay. Brendan, what are the most common types of attacks we're seeing at the moment?

Brendan Read: Look, Sean, phishing attacks definitely are up there. They're easily deployed to an organization, and they can be even more targeted when the threat actors are actually doing their own intelligence gathering, looking at an organization and identifying who are the key individuals they need to be communicating with. So phishing attacks, and just for the purposes of your listeners, it can be something as simple as receiving an email with a link in there that the employee clicks on, inputting their credentials. And they're actually providing those credentials to an external third party, an unknown third party. I'm also seeing attacks where hardware is being accessed through vulnerabilities, where organizations aren't patching those devices to the latest updates.
Similarly to a computer having operating system updates, and everyone gets the Windows updates, they normally come out quite regularly; even the hardware that's part of your IT ecosystem needs to be updated. So whether it's a network attached storage box that's sitting inside the organization, all these devices that are all intertwined into the network need to be considered risks and a potential vulnerability for coming into your organization.

Sean Aylmer: Okay. Anna, ransomware. I mean, why has that suddenly become so popular? And just to define ransomware, that's where people are demanding a ransom to unlock your systems. And even if they do, that may not occur immediately, it might occur slowly, and they may on-sell your data. So there's lots to it. Is that it, Anna?

Anna Leibel: There certainly is, Sean. And there's lots of discussion now going around with businesses around whether you pay the ransom or not. There's also a perception amongst, I suppose, directors and executives, so more non-technical executives, that a ransomware attack actually reverses quite quickly. Whereas other organizations that have actually experienced one find that often it can have their systems out of action for a number of weeks, if not months. And sometimes the recovery efforts are taking up to nearly a year.

Sean Aylmer: So Brendan, who does it? I think that's kind of the $64 question.

Brendan Read: Yeah. Sean, look, you've got a number of various sort of sophisticated, organized criminal networks that are deploying these sorts of attacks. They're very effective at it. And they've got the ability to deploy quite quickly. There are new variations of ransomware that are coming out, and the speed that they're able to deploy the ransomware, the malicious software, on the network is unprecedented. And it's becoming a real problem.
Their ability to not even need to encrypt entire data storage volumes of information, but just partially encrypt files as they sort of move through the network. And even partially encrypting, which means that they can move a lot quicker, is still just as devastating as if they've encrypted a whole volume of data storage. So very devastating to an organization. And also, what I'm now seeing is, before the ransomware is actually deployed, the threat actors are in there, and they're normally in there for a considerable amount of time. Normally months before they deploy the ransomware. And during that time, they're doing their reconnaissance, looking around, seeing what data is sitting where and what value they could put on certain pieces of data. And then they'll find methods to exfiltrate that data out of the organization. And we're talking large quantities of data being sucked out of a corporate network without the owners of that network having any idea that this information is actually going out the back door.

And then after they have a copy of that data, they then deploy the ransomware attack. And then if the organization chooses not to pay on the ransomware, well, then they have leverage in terms of the data that they currently hold, a copy of their confidential corporate data.

Sean Aylmer: So in a sense they could sell that on the black market too. If they're not getting the ransom out of the company, the potential is for them to sell that data.

Brendan Read: Yeah, correct. Yeah. The ultimate goal is for them to make as much money as possible and to leverage the victim as much as possible. So where an organization may think they can roll back to a previous backup in time and that's a method to fully recover their data, potentially there may be certain risks for that as well. However, the criminals understand that.
And they're using that now as leverage in terms of having a copy of that information and either on-selling that to another third party, or making these corporates pay big amounts of dollars.

Sean Aylmer: Brendan, hackers are now advertising for people with access to secure information to join them and presumably share the profits. What's brought that about? It sounds an amazing thing to be happening.

Brendan Read: Yeah, Sean, it is. And it's a scary sort of new twist on how they're marketing their services. They understand that the actual victims of these types of attacks are also holders of potential credentials themselves. And then they can be part of the profit-sharing piece that these ransomware attackers are deploying. So really, as a board member, you'd be sitting there thinking about managing the disgruntled employee situation, or who actually has the keys to the kingdom in terms of the IT network administrators, and what sort of level of access do those people have. You've got consultants that might be coming in, and you may be providing credentials for them to go in and do certain pieces of work. And it's just sort of managing those risks around when you're providing those credentials: where could that information then be passed on to now? And these criminals are now giving you direct access to provide that information and make money on the side at the same time. So it is a real difficult and challenging environment that we're now sort of facing.

Sean Aylmer: Anna, what are you seeing?

Anna Leibel: I've heard of hackers actually hiring out, or renting, office space within corporate city centres and creating jobs and calling potential candidates from other organizations that have got access to the type of information that hackers really need to help them infiltrate systems. So that might be someone who works in more of a technology architecture type role.
And the salary that they're offering is enough to get the candidate to at least come along to a few interviews. And what they do, through the process of a number of interviews, is actually ask them to draw the company's architecture up on a whiteboard. So they're basically using an employee to help gain that really critical information and confidential information.

Sean Aylmer: So Brendan, has COVID made a difference? Everyone working from home, remote working. Has it changed things?

Brendan Read: Yes, it definitely has. It becomes a lot harder to manage your employees when they are working remotely. They're not physically in the office. You've got the risk of employees connecting to their own home networks, plugging in devices that they've got access to on the home front. And you just don't know what sort of malicious software might be sitting on those devices when they're plugging them in. It all comes down to how an organization is actually configuring and managing those types of risks.

But with COVID, it didn't give organizations very much preparation time. So if they weren't already set up to work in a remote environment, they were sort of thrust into that situation very quickly and just had to adapt on the fly. And that has just created an absolutely massive amount of cyber-related risk for organizations.

Sean Aylmer: Anna, do you have anything to add to that?

Anna Leibel: I sure do, Sean. So I was fortunate, or unfortunate, to live through that. I was actually working in financial services as we went into the restrictions, in Victoria in particular, last year. And it really did help that I had just finished implementing a three-year cybersecurity strategy with the cyber team at that organization that I was working at. And so therefore, it was a very seamless transition to the organization being able to effectively work from home.
The other thing is that the Australian Cyber Security report that's just come out actually shows that there were 67,500 cybercrime reports in financial year 2021. So that's actually one every eight minutes. And so they can see, through the numbers and the reports of those cyber attacks, that people working from home and COVID have created a very ripe opportunity for the hackers.

Sean Aylmer: Anna, if I'm sitting on a board right now, what are the sorts of questions I should be asking management about cybersecurity? What are the things I should be thinking about?

Anna Leibel: So Sean, the first thing that I would recommend is not always to direct the questions to the person that's accountable for IT or cyber, which usually rolls up into IT. So I'd be directing questions to the person that's accountable for procurement and legal, so the contracts that you have in place with your vendors. So I'd be wanting to understand: what partners or vendors have access to our sensitive information as an organization? What contracts do we have in place around their accountability for keeping our data safe? In the event that they actually do suffer a cyber attack themselves, what SLAs or service levels do they have around having to notify us of that attack? I would also be asking the CEO to really talk about it when they're sharing cyber updates at those company briefings or meetings that they have. And the questions that I'd be directing to the IT leader, or the security leader if they attend your board meetings, are really around the work they're doing around technology controls: what strategy do they have in place and developed? What's going to be different once that strategy has been implemented? And really building a relationship with that security leader, because that role holds so much accountability. And you really don't want to be meeting that person for the first time as a board member if you actually are under a cyber attack.
Sean Aylmer: Do you have to be a big business to do this, Brendan? Or is it that smaller businesses should be doing this as well?

Brendan Read: Look, Sean, I think every organization should be taking cyber risk seriously, no matter how big or small. And I even understand, with the current environment we're all sort of going through with COVID, a lot of organizations are suffering from cashflow issues and that sort of stress. But it doesn't preclude them from having the discussion at the board level, from starting to put together a roadmap of how they can move forward in terms of meeting their objectives around cyber risk. Anna had spoken about culture. That's something that can happen internally in the organization, but they definitely want to start having those discussions internally and start that sort of roadmap happening, rather than leaving it, not putting any steps in place, no processes in place, and then suffering a significant data incident that they'd then be trying to manage. And the fallout from that, which might relate to customers in terms of affected individuals, and even the regulators stepping in. And we're definitely starting to see the regulators take particular interest in organizations that aren't taking appropriate risk mitigation steps.

Sean Aylmer: Anna, how can managers and boards become more knowledgeable about all this?

Anna Leibel: Well, I think the first piece is to really become accountable, or take accountability, for your own cyber literacy. So really finding a way that you can learn that you're comfortable with. So that might be a blend of things. It might be podcasts, articles, books or formal training. And I think that's really around gaining the confidence of what questions you need to be asking, whether you're working within the management team or sitting on the board. And I think that nowadays cyber can be quite daunting, and there is a lot of technical jargon associated with it.
So if you are either reading or listening to something that you don't understand, then you haven't got the right people to help you build that cyber literacy. I think the other piece is really understanding what a good cybersecurity strategy looks like. And it can't be a technology-focused strategy anymore. It needs to be focusing on your entire organization. And the other piece, and Brendan's touched on this already, but I cannot reiterate how important it is to have an incident response plan. So that's part of your business continuity planning, but it's something that you need to practise on a regular basis. I would encourage either boards or subcommittees of the board to participate in simulations to really test those, so that the learnings from them can keep being built in to really help prepare the business for a cyber attack. The other thing that I've experienced that works really well is, through those simulations, to also at times remove a really critical role from the simulation. So imagine if you actually experienced a real cyber attack and your security leader or your CIO was on annual leave. And so during those simulations, take the CEO out of the simulation, pretend they're on annual leave, or your IT leader or your security leader. And I think you learn a lot when you pull those really strong leadership roles out of a cyber attack.

Sean Aylmer: So Anna, you read a bit about companies confident that they're compliant with their processes and policies, and taking out insurance against cyber risks. Is that enough? Should you be comfortable if you've done that?

Anna Leibel: No. It's really around, today, not that... A strategy is not focused on being compliant or having an insurance policy. From a compliance perspective, they're really good measures to have in place.
And I advocate for organizations meeting those regulatory compliance requirements, but similarly to having an insurance policy, it's really around thinking through the implications to your business of a cyber attack. An insurance policy and being compliant is not going to protect your reputation and your brand. It's not going to really protect you from the financial impacts of an attack. So today it's a really fine balance around insurance, of how much the policy will actually cover you for versus how much the premium is each year. And more often now, we're hearing of probably smaller organizations, rather than larger, actually choosing to self-insure in the event of a cyber attack.

Sean Aylmer: Okay. So I'm going to ask you both. Brendan, if I run a business, can I be confident that I can be cyber secure or not?

Brendan Read: Sean, it's a good question. It's an ongoing process. It's not just a one-off, tick-the-box type exercise with cyber risk management. It's ongoing, whether that is education and training, simulation exercises, external sort of review, penetration testing of your network, all these things that are all about mitigating risk, but they're an ongoing process. Because the setup that you have in your organization this year might be totally different next year in terms of the technology you use, the applications that you're deploying on the network, that sort of thing. So it's something that needs to be sort of continually developed.

Sean Aylmer: Anna, what's your answer to that question? Can I be cyber secure?

Anna Leibel: So Sean, you've made me reflect on my experience. Coming on to five years ago, when I was the CIO and getting asked that question by the board. And five years ago, I would have answered you yes. And at the time the discussion was really around how much investment do you need to keep the organization safe?
And it's just the pace of the emerging threats around cyber that's making it very challenging for organizations to keep up. They're so sophisticated now. I think it's a very fine balance between, as a board and an executive, focusing and exploring around the controls that are in place to prevent a cyber attack, along with making sure that you're focusing on how prepared you are to get through an attack.

Sean Aylmer: That's a good place to leave it. Anna, thank you for talking to Behind Business.