Organisations are increasingly being targeted by ransomware attacks that can lock down their systems, or worse, result in them paying out heavy sums of money to the perpetrators. These attacks are growing in volume as cybercriminals continue to show little fear in attacking a variety of industries.
In Australia, there has been a 13 per cent increase in cybercrimes reported over the past year1, and in response to the growing threats, businesses hit by cyber-attacks will be required to report the incidents to federal authorities, as new specific offences for criminals operating online are set to be announced by Federal Government in the near future.
The Home Affairs Minister, Karen Andrews, recently said the Australian public needs to be better educated about ransomware and how cyber criminals steal private information and then charge their victims for the return or release of that data. As part of several proposed legislative changes, the Minister has warned against businesses opting to quietly pay ransoms to avoid being exposed publicly to protect from reputational risk. Rather, she wants businesses to fess up, so they address the problems and don’t become a victim again later on.
Either way you look at it, with cyber-attacks on the rise, security is a boardroom discussion and it’s important the decision makers inside every organisation quickly recognise and understand that cybersecurity is not a just technology problem. It’s also a business problem, and as we shift to hybrid workplaces and our surface area for attack becomes much greater, it’s also important to recognise that everyone in the organisation has a role to play.
Download the guide to business security to learn how you can minimise risk to your business.
As a business problem, the purpose of a cybersecurity solution must be focused on attaining a balance between protecting the organisation and keeping the business running efficiently and effectively. Importantly, there also needs to be an understanding that you cannot lock down an entire organisation, which means finding a balance between security and operations.
For example, if a business is aware of a cybersecurity vulnerability, the decision to act would be based on the business’ appetite for that risk ie. weighing up the cost of a data breach against the cost of implementing technology to remove that vulnerability. That’s a business decision.
Striking a balance
Organisations are trying to strike a balance between flexibility and control, based on their risk appetite. It’s not always necessary to implement company-wide controls and lock everything down. That’s often not practical.
Rather, it’s best to start with a clear understanding on the problem you are trying to address, and then configure your security systems in a manner that doesn’t make life difficult for your organisation to function properly.
As we emerge from prolonged COVID-19 lockdowns, many organisations will continue to support remote working, resulting in further cloud data security challenges.
At NovaWorks, we have been advising clients that are in various hybrid states to help them understand risk, secure their remote workplace infrastructure and devices to prevent data loss, mitigate threats and address compliance issues. Beyond the basics of remote file access, our clients have discovered that a fully integrated solution allows them to give time back to employees and support flexible working arrangements. This can improve employee satisfaction, whilst still ensuring individual accountability.
But a common mistake business makes when migrating to the cloud is they put too much of the decision making around security on the cloud provider, when in fact they should be making the decisions themselves. Whilst cloud providers can provide a list of recommendations, organisations need to assess for themselves and ask questions like ‘do I actually really need to do this?’, ‘what is my appetite for not doing it?’, and ‘how much is it going to cost to actually implement, maintain and manage going forward?’.
All too often, these questions are not thought through, and an organisation goes to the nth degree with security, when in fact they already had a perfectly good secure setup, and didn’t need additional controls in place. And all too often these decisions are being made without knowing the cost and impact to the business.
It’s important for organisations to have a clear rationale on what is behind a decision and what problem they are trying to solve, as opposed to just trying to tick a box around cyber because it ‘feels like the right thing to do’. If you sit down and think things through, that’s when you can start to make really informed decisions based on experience or based on what you actually want to try to do.
Need some advice on how to strike the right balance between control and flexibility? Book a Security Assessment with a cyber security expert at NovaWorks.
1. Australian Cyber Security Centre Annual Cyber Threat Report – 1 July 2020 to 30 June 2021