It was great participating in last week’s Australian Institute of Company Directors Governance Summit, and hearing about all the issues that keep board members awake at night. Not surprisingly, cybersecurity was often near the top of the pile, as board members grapple with high-profile data breaches that hurt the bottom line while generating unwanted headlines and reputational damage.
These data breaches have surfaced with increasing frequency. Statista research shows the number of data breaches reported in the US each year rose from 157 in 2005 to 783 in 2014.
In 2017, Equifax’s data breach left at least 143 million US consumers exposed – nearly half the population. Uber hid a global data breach involving 57 million customers for more than 12 months. In both instances, these companies were subject to a wave of backlash because of their actions surrounding the breach.
Closer to home, the Australian Cyber Security Centre has noted that tens of thousands of Australians have been caught up in local breaches as well.
Consumers will not tolerate complacency when it comes to their personal data. They expect safeguards to protect the information they provide and transparency if something goes wrong. This is why you need to have a plan in place to deal with significant data breaches.
The devil is in the details. Business leaders understand the importance of cybersecurity but often overestimate how comprehensive their defensive strategies are. The Association of Corporate Counsel Australia found 59 per cent of board members believe their cybersecurity practices are very effective compared to only 18 per cent of IT security professionals. This clear disconnect has serious repercussions for the management of cyber risk.
Cyberattacks are now an everyday fact of life for business and government. The Australian Cyber Security Centre says 90 per cent of ASX-listed companies have experienced a data breach of some kind. As a business leader, you need to adjust your mindset – it’s no longer a question of if you experience a breach but how you respond when it happens.
Failing to prepare is preparing to fail
When disaster strikes, it makes sense to have a dedicated disaster recovery plan to follow. These plans exist for natural occurrences and other unforeseen circumstances, but most fail to consider stolen data. Cyber should be viewed like any other business risk, with safeguards and procedures in place to ensure processes are up to scratch.
“Cybersecurity needs to be part of disaster recovery and business continuity planning so that people can practise,” elevenM Consulting Principal, Steve Glynn, told a recent Microsoft cybersecurity roundtable. “You don’t want to get this wrong in the heat of the moment.”
The US Department of Homeland Security organises Cyber Storm, a biennial cybersecurity exercise to strengthen public and private sector preparedness. It helps build strategic decision making and incident responses in accordance with national policy and procedures.
Your organisation should do the same, and play its own war games, assessing threats and putting safeguards in place that accurately reflect your appetite for risk. This means your recovery plan should be continuously updated, comprehensive enough to cover all possible scenarios, and subject to regular practice drills.
This should include a process for getting out in front of the problem from both a communications and a duty-of-care perspective. When a data breach occurs, your organisation will be judged on how it responds. These incidents are often won or lost in the media.
The best defence is proactive, so don’t wait for disaster to strike. It’s never too early to be prepared, especially when sensitive customer details and hard-earned reputations are at stake.
Download our industry report now for in-depth analysis of how to navigate the new cybersecurity threat landscape.