Cyber security: Boards have wider insight but still struggle to manage risks


With an estimated 2.5 billion people around the globe using smartphones, and most of us rarely a metre away from digital technology at any time, it is safe to say that digital is here to stay.

For decades, digital has been exciting. With the advent of the digital age, possibilities and opportunities for commerce were lauded as endless.

The infectious desire to grow networks and stockpile huge amounts of data had everyone coding at the bit to ride the digital wave. Yet where there are waves there are sharks, ready to take a chunk out of crucial data points and the company body, as Paul Twomey attests.

Undeniably, the boundaries of commercial operations have been feverishly expanding to include an immense reliance on cyber capabilities. In light of this, stakeholder attention must be focused on cyber vulnerabilities.

The bites taken out of networks that were assumed to be safe continue to highlight substantial fragility in operations, arising out of our reliance on and use of cyber networks.

Paul Twomey, an expert in the field of cyber and co-founder of STASH, has been actively campaigning, working and striving to create real-world solutions to a global problem.

He argues that a cross-sectional strategy is needed to bring organisations, CEOs, managers and business personnel into a ready and capable stance to face the reality of the cyber challenge.

Simulation Ready

A central part of his advice to managers and leaders is to take part in exercises, simulations and briefings on how cyber attacks and information breaches occur, and the damage they can do. Many who have experienced the simulations Twomey has orchestrated speak of their previous ignorance of how penetrations of networks can occur.

Continued Learnings

Paul Twomey has a comprehensive history of understanding and investigating the internet. Having been a founding member of ICANN, the organisation that seeks to manage, assess and co-ordinate the backbone of the internet, including the IP address system, he has been privy to the many evolutions of the workings of the internet.

He speaks of having been in a position to watch the development of the internet and its usage, coupled with the security risks that emerged as a consequence of its initial design and use. He believes that continued learning, and striving to find ways to manage and respond to those risks, is a necessity not just for the tech savvy but for all leadership.

Moving Forward

In addressing the trends that are likely to emerge in the Australian cyber landscape, Twomey argues that the key point Australian boards and leaders must understand is that nearly every business is a cyber business. All companies in the current landscape run on IT. At the level of senior management and boards there needs to be a complete understanding that cyber is the core of most businesses, and thus that cyber security will continue to be an ongoing issue; it is not going away.

Twomey advocates that cyber security should be seen as a risk issue. As the core of business is cyber reliant, the risk is a pertinent one. Cyber capability drives business, and if it stops, the stop is abrupt.

He explains that when it comes to flying, most would view the plane as a tangible object, giving little thought to the extensive software that drives most of its operation. Functionally, planes rely heavily upon software. The same is true of most businesses: software and cyber functions drive the majority of business functionality, and this reliance creates vulnerabilities.

Cyber Skill Set

Twomey argues that, going forward, leadership personnel must understand risk and have cyber literacy. Just as any board member needs to comprehend a profit and loss statement, directors must now understand the nature of the cyber world and their business's relationship to it, along with the risks that this involvement brings.

Workshop Lessons

In his workshops Twomey teaches that a business perspective on cyber security involves particular lenses. There must be an understanding of adversaries and of how those adversaries would value the company's assets. Additionally, an awareness of the vectors that may be used in a cyber attack, and of how leadership and the company are to respond, must be established. What is to be prioritised in the midst of an attack must also be addressed.

Point Of Attack

The statistics on where cyber attacks originate are not as concentrated as commonly believed. While 40% of attacks that damage a business come from external points, 60% are made possible by activity, whether intentional or inadvertent, from the inside. Twomey highlights that huge cyber problems have occurred and will occur because of the inadvertent blunders of well-intentioned employees. Taking documents home, or putting valuable information on drives where lower levels of security are maintained and it can be read by prying eyes, are the kinds of activities with particular potential to create substantial risk and damage for companies.

Human Training

Within companies, focus should be directed at particular points of vulnerability. Twomey argues that phishing continues to be a gateway for external agents gaining access to in-house networks. Training should be provided so that staff comprehensively understand phishing techniques and can avoid them. Additionally, accountability measures may have a role to play in addressing phishing issues within companies.

Responsive Capabilities

Twomey advocates that IT departments should know, understand and be proficient at cyber attack and risk response and management. The reporting process, he argues, needs to be troubleshot and instituted at considerably higher levels than are currently in place. Companies need to be able to answer how they want and need to separate out information security operations. He asserts that information and reporting lines must be separated out from the CI office and managed as part of the risk portfolio of the board. Risk needs to be accepted as a necessary responsibility of the executive, not of the technical side.

Future Context

Twomey says that all organisations need to be aware of the aggregate trends that have been developing across cyber aggression and security. Nation states are now increasingly engaging in cyber activity that many experts would have regarded as criminal, including forced cross-border financial transactions and other activity that has not been seen before.

Additionally, Twomey speaks of the changing nature of criminal operations and their attempts to extract valuable assets. Instead of relying on botnet-driven attacks, criminal agents are changing their modus operandi. They are now going after higher-value, more lucrative targets using the advanced persistent threat (APT) strategy. This strategy sees operators spend considerable time and energy getting inside businesses to learn and gather information, with ever-increasing complexity and deception. A blurring is taking place: cyber security is no longer just about firewalls and software but about layers of deceit in the digital space and the workplace.

Twomey argues that businesses must adopt the assumption that at one time or another their systems will be penetrated. Focus must be tuned to how to respond when, not if, there is an attack. What is the executive plan when data is being encrypted and the company is being extorted? Has the company been through an exercise to test the knowledge and processes of what to do, play by play? Twomey speaks frankly of the difference that preparation and knowledge can make for a CEO. Knowing what to do lends itself to looking like one is in control; the alternative is being a deer in the headlights.

If CEOs and boards are to position themselves strategically so as to be adept and agile in the current and coming digital environment, cyber literacy is vital. Learning, strategy and simulation need to be part of the central business and organisational dialogue and of its execution.