Q: We are encouraged to broaden our business horizons and develop a global footprint if we want to remain competitive in today’s marketplace. However, as working across borders increases and the needs of the digital business landscape evolve, will organisations be faced with cyber risks? And will cyber security threats apply no matter what part of the world they operate in?
A: The threat from cybercrime is pervasive throughout the world. Indeed, as businesses expand their global reach through more advanced technology and improved transactional relationships and communication, the risk from cyber threats grows. Statistically, less than 10% of cybercrime occurs in the same geographic location as its target. Cybersecurity is a rapidly evolving landscape for both industry and government, and no matter where you are conducting business in the world, cybercrime remains a significant issue.
Q: What types of cybersecurity threats are present now and what can we expect in the future?
A: I will limit this to three main cybersecurity threats businesses face presently. The first is socially engineered malware where the user is fooled into installing a malicious program sent from a source or website that they either trust or frequently use, which then compromises their data.
The second is insider threats where there is a threat to the organisation from employees, former employees, or third-party suppliers. They have access to company data, IP, and systems. Those who pose the threat can be either untrained and unknowingly make common mistakes with their cyber hygiene, or malicious in their intent by stealing or compromising sensitive data.
The third risk is outdated and unpatched software. The software used by an organisation has not been upgraded with the most up-to-date security patches, therefore creating vulnerabilities in their network. Up-to-date cyber security protection and strong risk management are key to avoiding this threat.
Q: What can we expect from future information security and emerging threats?
A: One of the main threats we will face in the future will stem from the rapidly increasing use of IoT devices* in the workplace and the lack of security architecture in place from the start of the product’s manufacturing roadmap. The addition of IoT within the business can aid in the optimisation of processes; however, if it is not secured to the same standard as the rest of the network, cybercriminals can use it as a ‘stepping stone’ to scan for vulnerabilities in more critical systems in the network.
*The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these objects to connect and exchange data.
There has also been an exponential increase in the use of business email compromise, where a malicious person sends a team member an email appearing to be sent from senior management requesting or authorising a transfer of funds or sensitive information to a ‘vendor’.
Q: Does it matter how big or small the business, what industry or sector it is in, or whether the internet only plays a small role in their operations?
A: Certain industries such as banking and the financial sector are frequently targeted, which requires them to have high-security standards. Cybercriminals will often target easier prey such as SMEs who are often aware of their vulnerabilities and unprepared for the threat. Less than 25% of Australian SMEs have a dedicated IT security staff member or provider, and despite facing as many threats as the larger end of town, do not have the resources or training to address and mitigate the risks adequately.
The damage caused by a breach to an SME cannot be understated, with 80% of SMEs that suffer a breach going bankrupt within 12 months.
Q: What cybersecurity and computer security practices should businesses implement to help protect their data, assets, and network?
A: Cybersecurity policies, procedures, and frameworks should be implemented throughout the organisation’s structure. From cyber hygiene and employee training to implementing a breach response plan and delegating roles and responsibilities, cybersecurity should be a top priority. When a company conducts a business impact analysis as part of its business continuity planning, it’s critical that they identify the most significant cyber risks and triage the treatment and mitigation of these risks.