01 Oct

Getting fighting fit to fortify against cybercrime

A year ago, we wrote about the need to mitigate cyber risks. Since then, the situation has worsened.

According to the Australian Federal Police, cybercrime is one of the fastest growing crime types in Australia. The Australian Signals Directorate’s latest Cyber Threat Report (2022-23) found cybercrime reports were up 23% (nearly 94,000 reports). The report also highlighted that ransomware alone causes up to $3 billion in damages to the Australian economy each year. Alarmingly, Accenture has reported a 1,265% increase in phishing attacks in the last eighteen months, and a 76% increase in ransomware attacks since the launch of ChatGPT.

As The Hon Clare O’Neil, Minister for Cyber Security, says in her foreword to the 2023–2030 Australian Cyber Security Strategy: “Cyber security is an urgent national problem, and we need to act now… For too long, Australian citizens and businesses have been left to fend for themselves against global cyber threats… It is time for real and meaningful change.” The Strategy sets out that change in the form of building six ‘cyber shields’ and then working with industry to reinforce the shields and build our national cyber resilience.

The first shield involves strong businesses and citizens. The strategy envisages a future in which “every individual and business has the skills and resources they need to be cyber secure” and “small businesses and vulnerable groups will have dedicated support from government and industry”.

Support from government, banks, telcos and other big businesses will help all Australians. But, as the AFR article “Regulators warn cyber reforms won’t provide immunity from prosecution” recently highlighted, company leaders will still need to prepare for cyber attacks in the months or years before they happen. This will include addressing three key organisational factors.

Leadership readiness

Cyber security is a board-level issue that needs to be addressed with strong corporate governance. As part of its Cyber Security Strategy, the Government is looking at developing clear guidance on cyber best-practice and sharing lessons learned from cyber incidents.

In the meantime, cyber security and risk awareness need to be baked into leadership capability. This includes leaders developing, implementing and testing a plan to prevent and respond to a cyberattack. It also involves being highly aware of what their teams are saying and doing, and maintaining a narrative of cyber security in their day-to-day operations. In some organisations, especially those using AI, leaders will need to build a suite of new cyber-related capabilities.

Leadership readiness also requires clear lines of responsibility and accountability. A recent article in the AFR highlighted the current level of exposure on this issue, when the Australian Signals Directorate contacted 620 businesses about cyberthreats it had detected and nearly half of them did not respond.

Cultural readiness

A strong security culture has the power to be a key defence in any organisation’s fight against cybercrime. Achieving it takes many things, including strong leadership, consistent and clear communication around risk awareness and expected behaviours, and responsibility at all levels of an organisation.

Security is also inherently enhanced in organisations with strong, positive corporate cultures. When employees are highly engaged and satisfied, they take responsibility for their work and actions – including protecting the organisation they work for. For example, a 2023 phishing simulation found that inexperience and lower employee satisfaction and loyalty were most predictive of riskier behaviour. In other words, newer employees are more vulnerable to phishing attempts. It went on to say that “interventions that increase employee satisfaction might be effective at reducing risky cybersecurity behaviour”.

Organisational readiness

Organisational readiness involves having the right people, roles and responsibilities, processes and systems, governance, resources and training in place to do everything you can to defend against cybercrime. It is an ongoing, evolving commitment that takes time, money, accountability and leadership will.

One of the challenges is the speed of change in digital practices. For example, over the last 10 years, businesses have been told to collect data and mine it because that’s where the gold is. But having done that, many organisations are now having trouble securing the data. When AI is also drawing on that data pool, the issue of cyber security becomes even more acute, given the many examples of bad actors ‘poisoning’ data or soft-injecting AI to corrupt outputs. Conversely, generative AI may also become a key tool in cyber defence, so organisations will need to stay across those developments as part of their cyber security activities.

How JOST&Co can help

Cyber security is a known business priority with ever increasing risk. To help organisations defend themselves from cybercrime, our team can step in and diagnose cyber weaknesses at a cultural level. We can also assist with organisational readiness and offer leadership development solutions.