Cyber fraud takes top billing on the business risk list
Some say it was too cute. Others say a woke moment of generation X bonding. But I reckon the exchanging of vinyl LPs by Prime Minister Jacinda Ardern and her Australian counterpart Anthony Albanese was a stroke of genius.
This was the first visit by a foreign leader to see the new prime minister on Australian soil. And while the trajectory was always going to be positive, it was made more so by a supposed "chance" exchange of records.
I suspect there was no chance in it. Rather, a muso-obsessed Ministry of Foreign Affairs and Trade staffer had noted both PMs were rock music aficionados, made the suggestion and orchestrated it brilliantly. In fact, it was brilliant to a level of detail that’s noteworthy.
While Albanese offered up middle of the road efforts from Midnight Oil, Powderfinger and Spiderbait, Ardern dug deep into the back catalogue of Flying Nun, instantly giving her massive cred with music tragics on both sides of the Tasman.
Her selection included The Clean’s Boodle Boodle Boodle, Aldous Harding’s eponymous first album and the classic AK79, a compilation of 70s Kiwi punk groups.
The best track on AK79 is probably Toy Love's Squeeze. It features frontman Chris Knox belting out the lyrics: "I'm a fraud and I'm a sham, but I accept that's what I am."
Lyrics that sum up very nicely the attitude of the professional cyber criminals out there. They are no longer hiding in the dark corners of the web; today you can contract hackers on your behalf to hunt down personal information, carry out brute force attacks and a lot more.
The scale of attacks, and the rise of cyberattack as a business model, have turned traditional risk matrices upside down. Whereas once cyber risk was a bolt-on at the bottom of the list, today it's taking out top billing.
In fact, it’s taking out the top three, according to the latest directors’ liability survey by WTW. The London-based risk management firm surveyed thousands of directors and risk managers in more than 40 countries.
The results painted a dramatic picture of real risks to business in 2022.
Universally the top three risks for directors are cyberattack, data loss and cyber extortion. All three were rated as very significant or extremely significant by respondents.
While cyberattack and data loss have been in the top 10 for a couple of years now, they are now firmly the top two, while number three, cyber extortion, is brand new. In simple terms it is when criminals threaten to disable the operations of a business or compromise confidential data unless they receive a payment.
Typically the extortion is delivered via ransomware, but this is just the start of what can be a layered set of behaviours. Single extortion is where the criminals simply encrypt your data and want money (typically via bitcoin) to unlock it. Double extortion adds exfiltration to the encryption, with the threat of publishing the stolen data. Then triple extortion sees them trying to extract additional monies from the third parties whose information they have exfiltrated.
The survey found that while directors in New Zealand and Australia were fairly comfortable managing traditional risks (employment claims, solvency and regulation), they were much more worried about the three big cyber risks.
Certainly in New Zealand many directors will have experienced what it is like to be hit with an attack, or will have watched pensively as high-profile attacks on banks, telcos and healthcare providers unfolded over the past year.
Off the back of the WTW Clyde survey, local cybersecurity firm ZX Security noted the increased pressures on businesses to have adequate cybersecurity controls. They also made some useful suggestions for board directors.
These include asking the right questions of executives, being more aware of vulnerabilities and preparedness measures and seeking assurance that your company is compliant with the information privacy principles in the recently updated Privacy Act.
All of which is good stuff, but as a professional director myself, I’m also concerned with how it’s done.
As with all spheres of governance, you can't measure what you can't see, so surfacing both threats and preparedness is important. And the place to surface them is in board papers.
In fact, I reckon it needs to be reported in every set of board papers, not a once-a-year "deep dive". Ideally this reporting involves building a dashboard that highlights both attack and defence.
Dashboards can range from simple metrics like patching, backups and incident reporting for smaller companies, through to more comprehensive metrics for enterprise level operations.
Enterprise level reporting typically involves listing the top risks, the ongoing work under way to mitigate those risks, the updating of incident and testing plans, third party application security status, sinkholing readiness and external threat assessment.
A retrospective Stuff review of AK79 describes the album as "the spark that lit the fuse".
I reckon the WTW survey might just have the same effect, when it comes to local directors lifting the profile of cybersecurity in their governance.
Mike "MOD" O'Donnell is a professional director, facilitator and a regular columnist. He is also the chairperson of the NZ Cyber Security Advisory Committee.