The 10 cyber trends Australian businesses must consider in 2019
The ever evolving cyber risk landscape has led to an increasing awareness at senior management and board level of cyber exposures, and the need for it to be treated not only as a technology exposure but an overall enterprise risk.
The 2019 Global Risks Report confirmed that technological instabilities remain an elevated concern for businesses across the globe. Utilising data collated from 1,000 multi-stakeholder members who responded to the World Economic Forum ‘Global Risks Perceptions Survey’, this year’s Global Risks Report showed that “massive data fraud and theft” was ranked the number four global risk by likelihood over a 10-year horizon, with “cyber-attacks” at number five.
With this as our starting point, we’re pleased to be able to share with you our list of Top 10 cyber considerations and predictions for Australian businesses in 2019.
1. Creating a strong cyber security culture
A strong cyber security culture should not only focus on the training of employees to build awareness of common forms of threats (phishing emails, social engineering scams) but should also empower individuals to understand their responsibility and the critical role they play in the success of their company’s cyber risk management framework.
2. Cyber Coverage Under Traditional Insurance Policies
There is growing attention from insurers regarding the provision of unintended ‘silent cyber’ coverage within non-cyber insurance policies. We are at a point in time where these policy wordings are being closely reviewed with a view to adding affirmative / non-affirmative language that clarifies instances where cover will / won’t be provided for a cyber event.
3. Data Encryption Legislation
In early December 2018, the Australian Senate passed new laws aimed at providing law enforcement agencies access to encrypted communications.
In the event of a cyber-attack that causes widespread disruption to business networks, software applications that are traditionally intended for personal use can become invaluable. This is certainly what one multinational law firm found when impacted by the NotPetya malware in 2017, relying on messaging application WhatsApp for several weeks to keep their business running. What happens however when the encrypted communications within these messaging applications lose their encryption protections?
4. Contractual Requirements to Purchase Cyber Insurance
There has been notable growth in the caution displayed by companies on how their business partners and suppliers handle sensitive and confidential information. Organisations, especially government associated entities are seeking to include in their contracts a requirement for a contractor or supplier to hold cyber risk and data breach related insurance.
5. Cyber and Business Interruption
All types of organisations, even if they do not hold large volumes of sensitive or valuable data, need to consider and account for potential risk associated with a cyber event rendering operating systems ineffective or inaccessible.
Within the insurance industry, insurers have traditionally been reluctant to provide coverage to this newer risk class. As the use of Blockchain and digital asset currencies grows, and governments establish protocols for regulating their use, we anticipate the insurance market will rapidly evolve to provide alternate risk transfer solutions to the corporate world.
7. IoT Devices Increase the Risk of Security Incidents
The vulnerabilities that exist in IoT devices are substantial, and there is certainly heightened awareness that cyber criminals will continue to target IoT devices as a gateway to larger computer networks. Despite these exposures, organisations can successfully position themselves to take advantage of powerful new technologies made available using IoT devices. This can be achieved by proactively identifying the potential risks exposures of using these machines, and implementing robust security policies, procedures and a strong cyber risk culture to counter the potential cyber risks they carry.
8. Social Engineering Fraud
This type of fraud doesn’t require sophisticated software or a high level of technical knowledge. It only takes a basic understanding of a company’s organisational structure and key employees, which can be found through a quick internet search. Given the relative ease of conducting social engineering fraud when compared to carrying out a sophisticated hack or targeted ransomware attack, it should come as no surprise that this form of cybercrime is expected to continue, and even escalate, this year.
9. Government incentives – grants for micro/small business to conduct a health check
In late 2018 the Australian Government announced that applications were open for its Cyber Security Small Business Program2. This initiative underscores growing recognition from Government bodies that clearer and more stringent privacy protection legislation can only be effective if companies are taking an active role in the management of their cyber risk. It is not only larger companies that can be significantly impaired by a cyber event; organisations of any size are at risk.
10. Less about security, more about resiliency
While decisions can be made to invest money in preventing cyber events from occurring, the nature of operating a company in today’s highly technological and connected world means that cyber risks will always be there. Therefore, the cyber security conversation should also include a focus on resiliency and a holistic approach to protecting your company, considering factors to both prevent an attack as well ensuring that the organisation can respond to and recover from one.