Think Cyber Risk is an IT Issue? You’re Missing Half the Story
Posted on November 4, 2015
8 min read
This post originally appeared on Linkedin
As the rate of technology innovation continues to rapidly accelerate, more and more of our world is moving from the physical to the digital.
And while technology and connectivity create great opportunities, they also mean we need to be more alert to cyber threats than ever before.
Given the importance Telstra places on cyber security – and our own experience as an organisation that provides essential infrastructure, holds a large volume of customer data, and has had to deal with cyber security issues – I wanted to share some thoughts and learnings about this very real challenge.
Understanding the threat is real
Part of leadership is confronting and dealing with complex issues and risks. But even for great leaders, understanding cyber risk, and what it really means for our businesses and customers, can sometimes be challenging.
Connectivity provides great benefits to our society and the economy but better connectivity and the rapid uptake in technology also means that barriers to crime, espionage and protest have lowered, and even mistakes can happen at a pace, at scale and with a reach that is unprecedented.
The actors in a digital world are no different from those in the physical world. They range from state-sponsored activity and organised crime to ideologically motivated activism. Cyber espionage is still espionage, cyber crime is still crime and hacktivism is just activism.
Externally the threat comes from individuals seeking fame or fortune, issue-motivated groups looking to steal information or disrupt a service to make a protest point, organised crime syndicates looking for profit, and nation states trying to gain either a tactical or strategic advantage or, in some cases, acquire intellectual property.
All companies need to be concerned with their own actions and those of their supply chain. As well as external threats, there are internal ones: a staff member or a partner, a business unit making a mistake or, in rare cases, a malicious act by an employee can mean the loss of valuable customer or corporate information or a disruption to networks and services.
That means senior management and Boards need to review and adjust their risk management frameworks and approaches to ensure they address cyber security appropriately. This is a business issue, not just a technical issue, and to be successful the response must cover people and process as well as technology.
Responding to the threat
All of us can appreciate security at an airport. Guards, cameras, scanners, procedures, checks and controls; these are just the visible signs of measures designed to maintain security and it is not hard to understand why collectively we need to comply with these security requirements.
Contrast that with the world of cyber security, where you are facing a threat that is intangible, invisible and difficult to understand.
You know the threat exists, and you are frequently reminded of it in the media, but unlike in the physical world, when cyber-criminals steal your information there is no-one leaving the company via the basement with a sack of it in the back of a van. In cyber crime, your most valuable information can be taken quietly by a criminal half a world away, or be put at risk by a well-meaning employee who clicks on a link or inadvertently sends customer data outside the company.
Be realistic here: your organisation will be attacked, and if you find it compromised, it is how you respond that matters. An FBI director is quoted as saying there are two types of companies: those who know they have been hacked and those who don't. Telstra had first-hand experience of this recently when we acquired a company (Pacnet) that, a couple of weeks prior to our ownership, had a cyber security incident.
Once we became aware that a third party had accessed part of the Pacnet corporate IT network, we reacted to address the breach and assessed what had happened so we could be certain of our facts. We then told our customers and the relevant regulators. We thought it was also important not to speculate about attribution – our focus was on our customers and protecting them and their data. We were guided by our values and by putting the customer at the centre of everything we do.
And while that particular incident was unfortunate it made me realise that as a leader I did not need to be distracted by the technical nature of the breach. I had a team focussed on that. For me, it was about making sure I asked the right questions, that my key staff could answer those questions in plain English, tell me when the situation was under control, and what the impact was to our customers. For me, it was critically important we were transparent with our customers and the regulators about what had happened and that we were effectively managing the risk.
Awareness is key
None of us would follow a stranger down a dark alley in a strange city, but many of us have clicked, or are likely to click, on a link in an email or open an attachment from someone we might have met, or simply from an email address that looks OK. Metaphorically, this is the same action.
That is why an effective cyber security approach includes a range of technical and non-technical solutions, because this is just as much a human issue as it is a technical one.
Building a cyber aware workforce means investing in raising the level of awareness so people know what to do when phishing emails find their way into their inboxes, that ‘free’ software can often come with an unwanted gift of malicious software, and that there is a lot they can do to help keep customer and corporate information safe.
Many cyber compromises are in reality the result of a staff member inadvertently clicking on a link in a phishing email. This risk can be reduced, though never eliminated, with ongoing staff awareness, so that looking out for phishing emails and malicious software becomes second nature; some well-crafted emails will still get through, which is why the technical measures remain part of the approach.
Dealing with the challenge
Effectively managing cyber risk means continually assessing and reassessing best practice in operations and governance.
At Telstra, we think this is absolutely critical because we need to keep our customer and corporate information safe, and our networks secure.
As part of our approach we have developed something we call the Five Knows of Cyber Security, a series of key questions to focus our thinking. We have found this an accessible, down to earth approach that has helped the risks to be better understood from the Board down.
The Five Knows are 1) knowing the value of our data, 2) knowing who has access to our data, 3) knowing where our data is, 4) knowing who is protecting our data and 5) knowing how well it is protected.
When you can answer these five questions you are in a better position to effectively assess and manage the risk. For us, the Five Knows have changed the focus of the discussion from a technology issue to a business one, one where senior leaders can contribute to the effective management of cyber security risk.
No easy answers
There is no single, easy formula for effectively managing cyber security risk, but for me a good place to start is understanding that this is a business risk, that it is about people and processes as well as technology, and knowing the answers to the Five Knows.
The cyber threat can never be completely eliminated but the risk can be effectively managed. Managing the risk includes not being distracted by the technical hype, making sure you ask the right questions, getting clear answers from your key executives and anticipating any impacts on your customers so that when a breach does occur you are well placed to deal with it in a way that is consistent with your organisation’s values.
Technology and connectivity offer huge opportunities and great benefits, and that is something we want to build on and innovate with to create new possibilities for our world. But cyber threats are very real, and increasing, and this should put cyber security right at the top of the list for every business or person holding or generating data – and I can't think of too many that don't.
A leadership issue
As leaders, dealing with risk and complexity is part of the job. Successful organisations are good at dealing with risk and knowing how to manage it effectively. Cyber security, while it may appear complicated and deeply technical, is, in the end, just another business risk to be managed.
So while cyber security may once have been considered an 'IT risk', it is now a risk that has to be owned by the business as a whole. At the end of the day, cyber security and how it is managed is something all business leaders need to be across. How well we manage this risk is a key leadership issue.