Technology Adopters Make Tempting Targets for Cyber Attackers
‘Digital Disruption’ is a favourite phrase of most enterprising new start-ups, but, as our 2019 Cyber Security Risk Report reveals, it is also a significant accelerator of risk, not just reward, for Australian organisations.
The greatest challenge that organisations continue to face is simply keeping up and staying informed about the evolving cyber risk landscape.
Last year provided some salutary lessons in data security, with Facebook, Fitbit and Google in particular making headlines. It was also the year in which governments started to get serious, as the EU’s General Data Protection Regulation (GDPR) came into full force.
In Australia, 2019 needs to be the year in which companies and organisations recognise the pitfalls, as well as the profits, of digital transformation.
RISK 1: Technology
Embracing digital transformation creates new and unanticipated risks.
As traditional “brick-and-mortar” companies rapidly evolve into digital economy “X-as-a-service” (XaaS) providers, they face new and potentially not-yet-recognised exposures.
Australian organisations are vying for relevance in an ever-evolving digitised world. Whilst we have not yet adopted the same level of integrated technology across all industries, XaaS and Infrastructure-as-a-Service (IaaS) are already enabling business and everyday life in the publishing industry, and the automotive industry is readily adopting these technologies too.
RISK 2: Supply Chain
Supply chain security wake-up calls grow more insistent.
New security issues arise from “direct-to-cloud” employee access and aggregation of data from multiple corporations into shared platforms.
We have seen multiple organisations face large-scale incidents purely because of failures at trusted third- and fourth-party providers. There is no doubting the benefits of cloud-based technologies for business, including ready access to information for employees and trusted third parties; the flip side is that every one of those parties now sits inside the organisation’s attack surface.
Managing these exposures from a cyber perspective is no different in principle to managing any other third-party risk. Due diligence specific to cyber exposures (what data the provider holds, how access to it is authenticated, and how incidents are notified) is a fundamental component of robust risk management, and something organisations are becoming more acutely aware of.
RISK 3: IoT (Internet of Things)
IoT is everywhere, and it is creating more risks than companies realise.
Network-connected IoT devices such as conferencing systems, security cameras, printers, and building automation sensors and controls can easily outnumber the organisation’s managed IT assets; yet most companies don’t securely manage, or even inventory, all of their IoT devices. A device that is not in the inventory is not being patched, monitored or isolated.
Whilst Australia may have been a slower adopter of IoT enabled devices historically, this is changing rapidly.
Maintaining an inventory of IoT and industrial internet of things (IIoT) connected devices, both third-party devices and your own, is becoming imperative; more important still is building the capability to track those devices and isolate them on the network, so that a compromised camera or sensor cannot reach core systems. AI-enabled security measures can assist with spotting anomalous device behaviour, but they depend on that inventory and segmentation being in place first.
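The inventory-and-isolation check described above, as an added example that is not part of the original report: it reconciles a network discovery export against the asset register and flags devices that are unmanaged, that cannot be classified, or that belong to an IoT vendor but sit outside the isolated IoT VLANs. The OUI table, vendor names, VLAN numbers, device records and asset register are all constructed; a real run would load the switch ARP or DHCP lease export, the IEEE OUI registry and the CMDB.

```python
"""Reconcile network-discovered devices against the asset register.

Added example (not from the original report). Inputs are constructed inline:
a real run would load the switch ARP / DHCP lease export and the CMDB.
"""
import csv
import io

# Hypothetical OUI (first three bytes of the MAC) to vendor table. A real
# deployment would load the IEEE OUI registry; these entries are assumptions.
OUI_VENDOR = {
    "00:1A:2B": "ConfCam Ltd",       # constructed: conferencing / IP cameras
    "3C:4D:5E": "PrintCo",           # constructed: printers
    "AA:BB:CC": "BuildSense",        # constructed: building automation sensors
    "DE:AD:BE": "Corp Laptops Inc",  # constructed: managed user endpoints
}

# Vendors the organisation treats as IoT, and the VLANs where IoT is allowed
# to live (assumed to be segments that reach core systems only via a gateway).
IOT_VENDORS = {"ConfCam Ltd", "PrintCo", "BuildSense"}
IOT_VLANS = {200, 201}

# Constructed network discovery export (e.g. from switch ARP tables).
DISCOVERED_EXPORT = """\
ip,mac,vlan
10.0.10.21,DE:AD:BE:00:00:01,10
10.0.10.57,00:1A:2B:00:00:07,10
10.0.200.12,00:1A:2B:00:00:08,200
10.0.10.90,3C:4D:5E:00:00:02,10
10.0.201.5,AA:BB:CC:00:00:03,201
10.0.10.77,12:34:56:00:00:09,10
"""

# Constructed asset register: MACs that IT knows about and manages.
MANAGED_ASSETS = {"DE:AD:BE:00:00:01", "00:1A:2B:00:00:08", "AA:BB:CC:00:00:03"}


def parse_inventory(text):
    """Return a list of (ip, mac, vlan) tuples with MACs normalised to upper case."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["ip"], r["mac"].upper(), int(r["vlan"])) for r in rows]


def vendor_for(mac):
    """Look up the vendor from the OUI prefix; None if not in the table."""
    return OUI_VENDOR.get(mac.upper()[:8])


def reconcile(discovered, managed_macs):
    """Compare what the network sees against what IT manages.

    unmanaged:       on the network but absent from the asset register
    iot_off_segment: a known IoT vendor sitting outside the isolated IoT VLANs
    unknown_vendor:  OUI not recognised, so the device cannot even be classified
    """
    findings = {"unmanaged": [], "iot_off_segment": [], "unknown_vendor": []}
    for _ip, mac, vlan in discovered:
        vendor = vendor_for(mac)
        if mac not in managed_macs:
            findings["unmanaged"].append(mac)
        if vendor is None:
            findings["unknown_vendor"].append(mac)
        elif vendor in IOT_VENDORS and vlan not in IOT_VLANS:
            findings["iot_off_segment"].append(mac)
    return findings


def coverage(discovered, managed_macs):
    """Fraction of discovered devices that the asset register accounts for."""
    seen = {mac for _ip, mac, _vlan in discovered}
    return len(seen & managed_macs) / len(seen) if seen else 1.0


if __name__ == "__main__":
    devices = parse_inventory(DISCOVERED_EXPORT)
    print(f"asset register covers {coverage(devices, MANAGED_ASSETS):.0%} of devices")
    for kind, macs in reconcile(devices, MANAGED_ASSETS).items():
        print(f"{kind}: {macs}")
```

The coverage ratio is the number to report upward: it says how much of what is actually on the network the organisation can patch and monitor. The `iot_off_segment` list is the one to act on first, because a camera or printer on the user VLAN is reachable from, and can reach, everything else there.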
RISK 4: Business Operations
Technology for operational efficiencies can lead to security deficiencies that disrupt organisations.
Increasingly, companies rely on technology to run critical day-to-day business operations. This reliance can create a painfully disproportionate risk of operational disruption: malware infections can shut down manufacturing systems or potentially even a power grid, and ransomware can bring business operations to a halt by encrypting the company’s data.
Unfortunately, Australian organisations operating industrial control systems (ICS) and public utility infrastructure (PUI) will more often than not follow the same trend as their global counterparts. Ageing supervisory control and data acquisition (SCADA) infrastructure was not designed to withstand today’s attacks, and the consequences of a compromise are typically more severe than for IT systems. For the last 5 to 10 years the majority of security focus has been on IT, largely because operational technology (OT) was assumed to be isolated from IT, and OT systems were by and large left untouched once installed. That assumption no longer holds.
RISK 5: Employees
Excess privileges and shadow IT increase employee risk.
As companies seek to increase efficiency through technology, they often grant users broader access privileges than their roles require, which increases risk: every excess privilege is one more thing a phished account or a rogue insider can misuse. At the same time, cloud computing is intensifying the “shadow IT” problem, in which departments or business units independently adopt technology without telling the central IT organisation.
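One way to find the excess privileges described above is a periodic entitlement review that compares what was granted against what is actually used. The following is an added example, not code from the original report: it takes a constructed entitlement export and a constructed audit log, flags permissions that were never used or have gone stale, and also surfaces use that has no matching grant on record. The user names, permission strings, dates and the 90-day policy are all assumptions.

```python
"""Entitlement review: flag granted permissions that are not being used.

Added example (not from the original report). The entitlement export and the
audit log below are constructed; a real review would pull them from the IAM
system and the SIEM respectively.
"""
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2019, 3, 1)   # constructed "today" for the review
STALE_AFTER = timedelta(days=90)     # assumed policy: unused for 90 days -> revoke

# Constructed entitlement export: user, permission, date granted.
GRANTS = """\
alice,payroll:read,2018-01-10
alice,payroll:export,2018-01-10
bob,payroll:read,2018-06-01
bob,iam:admin,2018-06-01
carol,billing:write,2018-11-20
"""

# Constructed audit log: timestamp, user, permission actually exercised.
ACCESS_LOG = """\
2019-02-27T09:12:00 alice payroll:read
2019-02-28T16:40:00 alice payroll:read
2018-09-03T11:05:00 bob payroll:read
2019-02-01T08:00:00 carol billing:write
2019-02-26T10:30:00 carol payroll:read
"""


def parse_grants(text):
    """Map (user, permission) -> date the permission was granted."""
    grants = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, perm, granted = line.split(",")
        grants[(user, perm)] = datetime.fromisoformat(granted)
    return grants


def parse_log(text):
    """Map (user, permission) -> most recent time it was exercised."""
    last_use = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, perm = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, perm)
        if key not in last_use or when > last_use[key]:
            last_use[key] = when
    return last_use


def review(grants, last_use, review_date=REVIEW_DATE, stale_after=STALE_AFTER):
    """Classify every grant and every observed use.

    never_used:     granted long enough ago to have been used, but never was
    stale:          used at some point, but not within the stale window
    unrecorded_use: exercised in the log with no matching grant on record
                    (a missing export row, or access granted outside process)
    Fresh grants (younger than the stale window) are left alone.
    """
    cutoff = review_date - stale_after
    result = {"never_used": [], "stale": [], "unrecorded_use": []}
    for key, granted in grants.items():
        if key not in last_use:
            if granted < cutoff:
                result["never_used"].append(key)
        elif last_use[key] < cutoff:
            result["stale"].append(key)
    for key in last_use:
        if key not in grants:
            result["unrecorded_use"].append(key)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    report = review(parse_grants(GRANTS), parse_log(ACCESS_LOG))
    for kind, entries in report.items():
        for user, perm in entries:
            print(f"{kind:15} {user:8} {perm}")
```

The `unrecorded_use` bucket is the one that points at shadow access: a permission being exercised that the central register does not know about is either a gap in the export or a grant made outside the approval process, and either way it needs an owner.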
The most relevant case on this topic comes from the UK, Wm Morrisons Supermarkets Plc v Various Claimants, in which the large supermarket chain suffered a data breach at the hands of a rogue employee who leaked payroll data. The case, which has been through trial in the High Court and appeal to the Court of Appeal, has been decided in favour of the affected employees, despite the courts acknowledging that the supermarket appeared to have appropriate data protection controls in place and had done as much as it reasonably could to prevent the misuse.
This is an important precedent. It places vicarious liability firmly at the feet of the ‘data collector’, even where the organisation itself has done no wrong. Australian businesses will likely find themselves in a similar position, and being able to demonstrate that the actions were accidental, or those of a rogue employee, is unlikely to be a sufficient defence.
RISK 6: Mergers & Acquisitions
Vulnerabilities from deal targets increase as dramatically as M&A value.
As deal-making continues to grow, the related cyber security risk may rise even faster. Increasingly, bad actors target companies being acquired by larger enterprises in the window between deal announcement and closing, when the target is publicly visible, distracted and not yet covered by the acquirer’s controls.
Cyber due diligence has become a fundamental component of an organisation’s risk management program, whether for supply chain exposures or M&A exposures. Some of the biggest financial lines insured losses have stemmed from acquisitions that contained unidentified flaws because of a lack of deep due diligence.
Look no further than Verizon’s acquisition of Yahoo. Yahoo’s price tag was cut by US$350 million after Yahoo disclosed two major data breaches that had occurred years earlier.
RISK 7: Regulatory
Managing the intersection of cyber security policy and enforcement.
Proliferating and overlapping cyber-regulation runs the danger of actually creating more cyber risk, not less, as compliance obligations can overwhelm the CISO, and a “check-the-box” mentality replaces best cyber security practices. Even knowing which box to check, in which jurisdiction, has become much more complex.
Australian businesses are in no different a position to our global colleagues. We find ourselves in a truly global marketplace, where an SME may be offering services or solutions to UK, US and Asian businesses or individuals, and in doing so takes on regulatory obligations in each of those jurisdictions. The inherent risk is of a significantly greater magnitude than when operating only in Australia.
RISK 8: Board of Directors
Directors and officers face growing personal liability in relation to cyber security oversight.
Managing cyber security risk has quickly become one of the biggest oversight challenges facing board directors and officers—and it’s a growing personal risk, too. Shareholders have been bringing claims against directors in some of the highest-profile data breaches.
It should be no surprise that the Australian Directors and Officers (D&O) insurance marketplace is going through a transformative period. Whilst we are yet to see a major cyber-related D&O incident in Australia, it is only a matter of time. Australia has a robust litigation funding environment, and its participants are keeping a keen eye out for possible class actions against directors and officers arising from a cyber incident.
2019 Outlook – With Great Opportunity Comes Great Risk
The eight risks discussed point to the fact that as digital transformation proliferates, the “attack surface” of global business expands rapidly, and sometimes in unexpected ways. It’s a modern digital twist on a story as old as time: with great opportunity comes great risk. To mitigate that risk, corporations must exercise constant vigilance over their fast-changing enterprise cyber risk profiles—from the boardroom to the supply chain, and from IT infrastructure to every other facet of business operations. That means organisations must stay informed, understand their risk profile and be proactive in their defence: share threat intelligence to help keep the entire business community safe, hunt to detect bad actors before they cause damage and, perhaps above all else, be prepared for a cyber attack.