equ leadership attends CyberEXCHANGE
My reflections on the state of cybersecurity and learnings from industry champions
The number of organisations that have experienced a cyber attack in Australia was a real eye-opener.
I don’t think it was terribly surprising that the data we use every day to search, communicate, buy, and build is of value to those with malicious intentions - it is, however, a bit shocking to learn how underprepared some of the largest organisations are in managing the basics of data security.
Key Takeaways
- Most companies now accept that a cyber attack in some form is inevitable; what remains uncertain is the scale and timing
- The impacts of Privacy Act reform are significant, dramatically affecting first-party data planning
- Having a proactive and tested plan for response, including a clear and honest communications plan, is essential
After spending a day listening to some of the industry’s most potent security evangelists describe the state of cyber-awareness in Australia, the message is clear - it’s time to roll up our sleeves.
What does 'secure' look like?
It’s clear that the basics are now the bare minimum - if you’re not developing a robust and well-socialised first-party data policy, using 2FA/MFA, and ensuring your business thoroughly understands the importance of good password hygiene (here’s looking at you, CoolPassword!1), then you are a target.
Speakers like Shana Uhimann, CISO of Minderoo Foundation and Tattarang, Richard Asch, Head of Cyber Security at Western Power, and Michael Malone, iiNet founder, all echoed the same message - the risk of not implementing the basics and instilling good cyber awareness at all levels of the business now rests at the Board level, not just with technical leaders. And, as privacy legislation in Australia pivots towards recognising and defining the protections of individuals and their data, businesses are now liable for not prioritising data protections.
That’s a big shift from a bit of brand damage.
Proposed privacy amendments set a higher standard
Personal information - your name, your address, your phone number - is now so ubiquitous that you shouldn’t be surprised to find a mysterious text message from a long-lost relative claiming you’ve won the jackpot.
As more of our personal information becomes available, enforced protections have expanded to meet the deluge, encompassing health information, biometric markers, and even religious or political affiliations. Because businesses are usually the first to harvest and hold this data, they have become the target of innovative social engineering techniques.
But this year, proposed Australian policy measures have gone a step further - targeting device identifiers, IP addresses, and metadata - meaning the potential for corporate liability has dramatically escalated. This means Director liability and the direct application of fines for breaches.
The first step is proactive communication
My major takeaway from the day was that good security starts with awareness of the playing field, and better security means a better strategy. Proactive, consistent, two-way communication about understanding risks and implementing solutions is the best way to raise the water level within organisations of all sizes and prevent potentially catastrophic breaches.
It is the organisations that lead the way with proactive communications strategies that will have the greatest success in ensuring those affected by an attack are able to respond and mitigate the impact of such an event.
Most importantly, like all effective policies, honest feedback with an eye on integrity and efficacy empowers leaders who will now bear the brunt of responsibility.
It is clearly time for all leaders across business to look beyond brute force data attacks, build rigorous defences against social engineering, enforce good first-party data use and hygiene, and instil cyber awareness thoroughly through all levels of operations.
Thank you so much to our friends at CyberCX for including us in such an insightful event.