Lack of cyber security knowledge leads to lazy decisions from executives

The numbers and size of cyber security attacks are increasing and Australia is one of the world’s largest targets. The Federal government noted the current impact of cyber attacks on the Australian economy is A$17 billion annually.

The reasons are many and include a lack of direction and commitment to understanding information security at the strategic level. Research from the Australian National University shows executive/board knowledge of cyber risks among medium sized businesses is inadequate and board-level governance of cyber security risks varies wildly between organisations. This is troubling given the ultimate accountability of board directors.

The report found that only 58% of cyber security professionals thought their board had a sufficient understanding of cyber risks. Less than half (46%) said their board discusses cyber security rarely or never. Almost a third (30%) even said their board does not receive reports of cyber threats to the company.

Research from Cambridge University and retail bank Lloyds, also shows this level of uncertainty is causing boards to realise they have no idea what they are dealing with and giving up. Boards are doing this by simply outsourcing the risk of a cyber attack through the purchase of cyber insurance. The report comments:

“The amount of cyber insurance being purchased in Australia [has] increased 168-fold (16,828%) in the last two years, as more and more businesses seek to protect their balance sheets from this emerging threat.”

The problem with this approach to cyber risk is that too little effort is being made to understand the value, control and cost of the information that an organisation holds.

Cyber insurance is a product that covers businesses for the risk of data breaches, employee errors in mishandling data and computer hacking attacks. It covers liabilities and the expense involved in responding to a cyber attack. For example, Sony estimated that it spent US$171 million in cleaning up after its PlayStation Network was famously hacked in 2011.

Simply outsourcing the risk of an attack by purchasing cyber insurance fails to protect an organisation’s reputation from repeated and sustained cyber attacks. Another problem is that the erosion of an organisation’s competitive advantage through the loss of trade secrets through cyber attacks, is difficult to measure and insure.

My research shows executives should be identifying the value and sensitivity of the information in their organisations. Only then can they make sensible decisions about what IT infrastructure should be used and whether to seek expert help by outsourcing.

However identifying all the information that an organisation holds is not as easy as it first sounds. For example, some business conversations take place on social media platforms such as LinkedIn. Businesses need to consider whether those conversations are within the realms of responsibility for employers and therefore if employees should be admonished or supported for holding these electronic conversations.

Organisations can sometimes hold vast pools of information that are secret. However holding sensitive, secret information that is non-strategic is costly and may be pointless. Consider for example a retail organisation that has an online ordering website. This sort of organisation shouldn’t be recording and holding the credit card details of customers, if it can be helped.

Outsourcing the payment for goods or services to finance service intermediaries makes good business sense. By not holding credit card details and effectively outsourcing that function, an organisation has made itself safer because it simply can’t end up on the front page of a newspaper for leaking credit card details.

Sometimes sensitive information is necessary for conducting business operations. If this is unavoidable, then organisations might need to ask whether the security controls they have in place to protect their sensitive information are enough. This might also extend to information being used by suppliers or customers.

If the assessment reveals that security controls are not enough, then a business case needs to be made for increased budget to the board. This may be costly, but if sensitive information is necessary for conducting business operations, then it must be protected and the security budget should be approved. Retailer Target was affected by a point of sale cyber attack in 2013. Paul Miller/AAP

Organisations routinely fail to fully assess and protect against the risks introduced by storing or sharing information with other organisations. Examples include sharing with suppliers, customers, regulators and contract staff.

High profile cyber bungles from supplier-side attacks include the Target attack in December 2013, where the point-of-sale machines, supplied and operated by a third-party supplier, were infected with a virus that siphoned off all the credit card details of customers.

Board directors not taking the time to understand information security strategy can lead to a blanket approach of mitigating all risk of a cyber security attack by simply purchasing cyber insurance. This clumsy approach is not sustainable and consumers should be demanding more from our business leaders.