Experts place the human factor at the centre of cybersecurity strategies
A panel of experts has placed the human factor at the centre of Australian companies' cybersecurity strategies.
According to a new red paper released today by global data, analytics and technology company Equifax, increasingly sophisticated cybercrime threats in Australia have encouraged organisations to evolve their security culture, reporting structures and level of preparedness.
The Australian Cyber Security Centre (ACSC) says Australian corporates reported cybercrime-related losses worth more than $33 billion, with a cyber-attack happening every eight minutes over the 2021 financial year.
Equifax recently put together a panel of cybersecurity experts from the global and Australian business communities to critically discuss global and local best practices. The resulting conversation is in the Equifax red paper Exploiting Humans: The New Insider Threat in Cybersecurity.
The paper examines the human faces of the problem, the evolving role and responsibility of Chief Information Security Officers (CISOs), and how shaping a cyber-aware security culture within organisations is integral to minimising the growing threat of cybercrime in Australia.
The panel discussion included John Yates, director of security, Scentre Group, Catherine Buhler, CISO, Energy Australia, Jamil Farshchi, CISO, Equifax Group/Global, and Wayne Williamson, CISO, Equifax Australia - New Zealand. It was moderated by James Turner, founder of CISO Lens.
"Cybercrime is a $33 billion people issue, and there is an increased sophistication of attacks exploiting the human link, including advanced ransomware crimes, internal staff being manipulated by threat actors, and cybercriminals exploiting gaps in critical systems," says Equifax ANZ CISO, Wayne Williamson.
"It's important that organisations are looking closely at the human elements of the threat and human elements of the corporate response."
The red paper coincides with the launch of Equifax's cybersecurity checklist, aimed at helping current and future CISOs manage the human elements of their cybersecurity and insider threat programs. The checklist includes nine key elements:
- Tailor your strategy
- Talk about risk and the size of the risk
- Get buy-in from the top
- Talk to the whole team
- Sell the message
- Have a plan, prepare to change it
- Assess the intelligence
- Train behaviour
Williamson says it is a testament to businesses growing awareness of the critical importance of cybersecurity that CISO roles entered the picture five or six years ago with more force. But he says many CISOs haven't yet had the liberty of time to establish robust, best-practice cyber risk mitigation programs within their organisations.
Cybersecurity preparedness is ever-evolving, and he says the responsibility lies with the entire organisation, not just CISOs, to address cyber risks head-on.
Common themes emerged during the conversations with the security leaders on the panel, namely, involving a business security culture driven from the top and conducting threat assessments on people and technology remain core principles to managing these risks.
The red paper contributors and panellists agreed that having a seat at the table during board-level discussions was becoming increasingly important in designing robust security measures and embedding cybersecurity culture into an organisation's DNA.
"At Scentre Group, we've come on a high-speed journey in terms of cyber over the last five years. We now have a pretty mature outlook led by the CEO," says Scentre Group director of security, John Yates.
"Resources don't necessarily follow just because you've identified a problem. But if you have the ear of senior leaders, then you've got a much better chance they'll understand where the investment is needed from a security perspective and why they need to inject it in early, rather than doing the dreadful thing of retrofitting later."
The launch of the red paper captures a growing, urgent conversation within different industries to determine how CISOs, CTOs, C-Suite executives and boardrooms are continuously evolving their cyber strategy to account for both the nuances of industry-specific impacts in the event of a cyberattack and the emergence of new cyber threats that span internal and external, human-led and technology-driven triggers.
"EnergyAustralia is an energy retailer and generator with 2.4 million customer accounts," says EnergyAustralia CISO (group security), Catherine Buhler.
"Our customers share their personal information with us and trust us to handle their data like it's our own. Our approach to cybersecurity is aimed at preventing an incident. We continually apply recommendations made by the experts, combining protections for customers, our people and our assets."
She says the recent Equifax panel provided a fantastic opportunity for sharing knowledge between different industries and even countries in a collective effort to prevent cybercrime.