11 November, 2015
In brief
Cyber security should become an increasing commercial priority with large pieces of corporate profits being taken by criminal enterprises breaching cyber security.
The Australian Government is focusing on cyber security, with a soon-to-be-released national Cyber Security Review followed closely by a new national Cyber Security Strategy.
Summary
With more businesses and consumers turning to the online marketplace each year, it is no surprise that the world’s rapidly expanding cyber economy is estimated to be worth a mammoth US$4 trillion, with an AU$79 billion contribution to the Australian economy.1
Australia’s take is forecast to increase to AU$139 billion by 2020.2 Given the explosion of the online marketplace, the risk of cyber-attacks is fast becoming one of the greatest concerns for businesses and governments worldwide. As more transactions and services are facilitated online, faceless ‘cyber criminals’ are seeking to profit from this increased online activity. Hacking has evolved quickly into a highly organised criminal enterprise. The risk is real and the potential losses are devastating; cyber-crime is now more profitable than the global cocaine and heroin trades combined.3 Gone is the stereotype of a lounge room hacker, pushing the boundaries of their coding abilities, and in their place stand sophisticated and established criminal organisations taking to cyberspace to extract millions of terabytes of valuable data.
The changing face of Australia’s security
Threats to Australia’s national security may have resulted in a traditional military response in the past, but the Australian military has acknowledged it is facing a very real threat from a new form of enemy; one which no amount of brawn or weaponry can placate. In recognising the need for cyber protection, the Defence Department says it will have to take a more relaxed approach to the demanding physical fitness requirements within its ranks, with the need to enlist 'couch commandos' who possess the requisite skills to defend the military’s critical data stores and IT infrastructure.4 These radical moves come against the backdrop of companies reporting losses of US$500 billion globally to cyber-crime.5 The potential losses are so significant that the Australian military is prepared to change its traditional and regimented criteria for entry. Times are changing and not just in the military.
More and more companies are enlisting employees to senior ranks for the sole purpose of protecting their valuable data. A decade ago, recruitment advertisements would have been devoid of roles such as ‘Data Protection Officer’ and ‘Security Consultant’, but recent times have seen organisations doubling down on their need for qualified, talented security professionals, and salaries are increasing right along with demand. "Security plays a key role in a company's success, which is why we're seeing more demand for professionals with security skills. With that in mind, if companies and recruiters want to lure top security talent, they need to offer generous compensation packages and benefits," says Shravan Goli, president of recruitment company Dice.6
A collaborative approach between government and the private sector
Australian Prime Minister, Tony Abbott, recently held the inaugural Cyber Security Summit in Canberra attended by leaders from Australia’s largest blue chip companies. The attendees’ list points to the status and prioritisation of cyber security at the highest levels of business and government in Australia. The Summit came on the back of the Government’s ongoing Cyber Security Review, which commenced in November last year, with recommendations from the Summit to be released in the coming months followed closely by a national Cyber Security Strategy (the first of its kind since 2009).
The Cyber Security Strategy is unlikely to be directive but largely focused on facilitating business to adopt practical and realistic cyber security measures; the Australian Government is a strong advocate for the multi-stakeholder model of cyber governance.7 Prime Minister Abbott has indicated that there is a need for business and government to come together, to collaborate in creating a secure cyberspace, with the government holding the view that a state-dominated governance model would stifle innovation and economic potential.8 The preferred model places greater emphasis on joint collaboration between the private sector and government in a bid to tackle cyber security.
What you should be doing to protect your business
In the wake of the recorded prevalence of cyber-attacks, Chief Information Officer of Telstra, Mike Burgess, believes cyber security incidents are “reasonably foreseeable events and every company can take steps to actively manage cyber risk”.9 He urges the private sector to lead the way on cyber security, highlighting that data is the 'life blood' of most companies. The risks of failing to secure data systems coincide with the potential to derive a competitive advantage; in the eyes of customers, companies that prioritise cyber security and create a safe and trusted business environment benefit over competitors that fail to put adequate protections in place.
Mr Burgess highlighted that in order to achieve cyber security of their data, organisations must:
- know and understand the value of their data,
- know who has access to that data,
- know where that data is,
- know who is protecting that data, and
- know how well it is protected.
Ultimately, to ensure the cyber economy can prosper in Australia, business leaders must take steps to protect their customers’ data. Management must take responsibility and seek to change the corporate culture internally to ensure appropriate defences are put in place early, consistently, and throughout every level of an organisation.
Beyond the bottom line
While the monetary losses resulting from cyber security breaches are unquestionable, the damage extends far further than the profit margins. The buck for keeping data safe ultimately stops at the top of a company’s executive food chain. In 2014, the US CEO of Target, Gregg Steinhafel, stepped down in the wake of hackers gaining access and stealing the financial and personal details of 70 million customers held in the corporation’s databases. A survey conducted by Telstra in 2014, culminating in its Cyber Security Report, indicated that companies believe the greatest business risk resulting from security breaches is reputational damage alongside productivity loss, followed closely by financial loss.10 Alarmingly, 40% of organisations surveyed had a major security incident in the preceding three years. The risk is everywhere; the survey and the results traversed a range of sectors including information technology, government, natural resources and banking and financial services. No sector is immune from cyber-attack. The potential exposure for business and management as a result of cyber-crime means it is not surprising cyber security has become a key agenda item in the boardroom. The survey conducted by Telstra points out that the commercial reality of cyber-crime is that organisations are no longer asking if they will be attacked, but when.
Endnotes
1. Paul Smith, ‘Australian digital economy valued at $79b’, Australian Financial Review (online), 25 March 2015.
2. Ibid.
3. Sarah Martin, ‘Metadata easy prey for cyber thieves’, The Australian, 16 June 2015.
4. Noel Towell, ‘Cyber fitness the latest test in quest for military muscle’, The Age, 20 June 2015.
5. Richard Gluyas, ‘Abbott, CEOs go covert over rising cyber threats’, The Australian, 9 July 2015.
6. 10 highest-paying IT security jobs.
7. Lynwen Connick, First Assistant Secretary Department of Prime Minister and Cabinet Cyber Policy and Intelligence Division, ‘Opportunities and Risks for Australia in Cyber space’.
8. Ibid.
9. Mike Burgess, ‘Cyber security review too important to be left to government alone’, The Australian, 9 July 2015.
10. Telstra, Cyber Security Report 2014.
For further information, please contact:
Julian Lincoln, Partner, Herbert Smith Freehills
julian.lincoln@hsf.com