Don't Be the Next Cyber-Statistic: Managing Your Digital Risk
Risk management in a digital world is no longer a problem for the IT department. It's a leadership issue that requires a considered approach.
Bunnings, Medibank, Optus, Telstra, Woolworths – what do they have in common? Other than their size in the Australian business landscape, they all share the unenviable record of experiencing high-profile data breaches in 2022. Government agencies, insurers, tech news sites and more all carry lists of data breaches each year. While high-profile breaches get the headlines, that doesn't mean small to medium-sized businesses (SMEs) are at lower risk.
Sizing up the risk
Each year the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), produces the Annual Cyber Threat Report. The 2021-22 report quotes staggering numbers from the 2021-22 financial year:
More than 76,000 cybercrime reports to the ACSC, up 13% from the previous year.
That equates to one cybercrime report every seven minutes.
Fraud, online shopping, and online banking were the top reported cybercrime types, accounting for 54% of all reports.
Financial losses due to Business Email Compromise (BEC) of more than $98 million, with an average loss of $64,000 per report.
For SMEs, here's the line that will hit home: "A rise in the average cost per cybercrime report of over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business, an average increase of 14 per cent." Of course, no one wants a $50k to $100k hit on their business.
Yet, SMEs are increasingly being targeted by cybercriminals. Why? Because they often have weaker security protocols and are not as well protected as larger businesses. A data breach can mean loss of business, loss of customers, increases in insurance premiums, upgrade costs to improve systems, and even bankruptcy in some cases. As a business owner, being proactive with cyber risk management is paramount. So, where do you start?
What are current cyber threats?
The first step is always education, which means understanding the threat environment. Ransomware, phishing attacks, and data breaches are some of the most common cyber-attacks. Ransomware encrypts data on a victim's computer, making it inaccessible. The attacker then demands a ransom payment to decrypt the data. Ransomware is becoming increasingly common and can be very costly for businesses.
Phishing attacks are emails, texts or websites that attempt to deceive victims into providing sensitive information such as passwords or credit card details. Phishing attacks are often very sophisticated and can be difficult to detect. Data breaches are when confidential data is accessed or stolen by unauthorised individuals. Data breaches can have serious consequences for businesses, including loss of customers, financial losses, and damage to reputation. Understanding the landscape of cybersecurity can seem a huge challenge. So here are three areas to focus on from a leadership and management perspective to get the ball rolling.
1. Understand your appetite for risk
This might seem an unusual place to start, but it's fundamental to all of your subsequent moves. Every business, and every owner or leadership team, has a different tolerance for risk, so it's essential to understand your risk appetite before taking any steps to improve cybersecurity. We're not talking about regulatory requirements or privacy codes; those are non-negotiable. But each person or group needs to agree on the risks and the mitigation approach for the stage of the business's life cycle.
2. The cost of managing risks
Any risk management plan comes with opportunity costs. Opportunity costs are the sacrifices a business must make to reduce the risks of data breaches and cybercrime. Money that could be spent on other parts of the business is sacrificed to cover the cost of investing in new technologies, hiring more staff to manage cybersecurity, or paying for data security measures, among others. All of these options come with a cost, and businesses must weigh up the benefits and risks of each option before making a decision. Pretending it won't happen to you is not a plan.
Here's an example: cloud computing is becoming the norm, particularly for businesses using SaaS. As a business grows, there could be a compelling business case to move from spreadsheets and email to a cloud-based service. Yet, tight budgets coupled with fear (lack of knowledge) about the need for a technology shift mean old-fashioned ways of working remain the norm. Rather than accepting the costs of managing the risk, the business becomes hamstrung through inefficiencies and an inability to adapt and innovate. This is a lesson we've surely all learned, hot on the heels of the disruption caused by a global pandemic!
3. Develop a risk culture
Connected to risk appetite, risk culture is one in which risk is understood and accepted as part of doing business. In a risk culture, business owners are willing to take risks to achieve business objectives, but those risks are also managed effectively to minimise the chances of losses. It's 'your way' of handling risk.
Your risk culture is grounded in a culturally and commercially balanced risk approach. With cyber-attacks, it's a case of when, not if. So, it's essential to have a robust risk management plan in place to protect your data and your business. This includes implementing robust security controls, such as firewalls and antivirus software, and educating employees about phishing attacks and ransomware. Embed risk management into your processes, including training, budgeting and taking into account the increase in remote working. Remote working brings added complexity and cost, so it's vital to have processes in place around secure home wifi, VPNs (Virtual Private Networks) and the use of unprotected public wifi such as in cafes and transport lounges.
Consider also what you're prepared to do (or not do) if you are attacked. For example, would you be prepared to pay ransom demands? Can you afford it? Do you have a communications plan for notifying customers and, if necessary, government agencies? Do you know where and how to access the expertise you will need in the event of an attack? All these questions need to be considered, and the answers are embedded in your policies and culture.
Cybersecurity is a critical issue for all businesses, large and small. Your approach to managing digital risks starts with the three pillars that support your strategic approach – risk appetite, risk opportunity, and risk culture. Taking a strategic view of risk management ensures a coherent approach to specific challenges at the operational level. All of which ensures that when new and specific risks emerge, you can be proactive, and not become another statistic.