Brendan Read discusses the expertise required to inform cyber security planning.

Despite the swathe of recent data breaches, corporate Australia remains worryingly susceptible to sophisticated cyber security attacks.

In some instances, the risk is going unheeded, leading to companies being crippled or compromised by an attack without adequate procedures to resolve what can lead to financial ruin. Cyber criminals are becoming increasingly clever and are able to penetrate systems once thought impenetrable. Yet we are still seeing over-reliance on old technology and run-of-the-mill security processes, compounded by IT departments having insufficient bandwidth and specialist expertise to provide a rock-solid, multi-layered cyber defence.

Various media recently reported on a number of cyber attacks, including one suffered by an Australian regulator in January, where a data breach blindsided even the highest echelons of corporate and government management. Hackers specifically targeted the third-party software used by the regulator and other victims, including the Reserve Bank of New Zealand. The perpetrators gained access to documents and attachments as they were being transferred, potentially allowing them to view detailed financial and other confidential information. As businesses move to cloud-based platforms and products to deliver services to clients, they rely on those third-party software systems to ensure client data is secure and protected.

It is now clear that the size or type of organisation offers no guaranteed protection. Businesses large and small are at risk, and anyone with a connection to the internet is vulnerable. It was also reported that along with the regulator, victims of cyber attacks and data breaches in the past year include the Tasmanian ambulance service, BlueScope Steel, MyBudget and Service NSW. This week came news that Koala, an online furniture retailer backed by Australian cricketer Steve Smith, was hit by a data breach that exposed around 400 million private business records online.

In our experience, the cybercrimes that do come to light are considered the tip of the iceberg. Concerningly, numerous breaches go unreported to authorities and never end up in the public domain due to companies fearing reputational damage. Many organisations also lack the expertise to identify whether a data breach warrants reporting to the Office of the Australian Information Commissioner (OAIC). However, businesses that have appropriate response plans to cyber risks have an increased ability to reduce reputational and financial damage. It is also important for management to ensure that these plans are developed and tested against real world scenarios rather than waiting for the inevitable.

The ramifications of such attacks cannot be overstated. Complete disruption to company operations often results after malicious software infiltrates a network. Entire systems are locked, networks frozen and information stolen. National security can be threatened, as feared in the Sunburst attack on American business and government organisations last year. In virtually every case, a hefty ransom is demanded by the perpetrators to reverse their handiwork.

This level of cybercrime is likely to continue to flourish in Australia and will require increased cyber security expertise. While IT experts are critical, cyber security is a specialist function with a separate focus from general IT management. A top network administrator, for instance, will have an organisation's operational systems working perfectly, yet KordaMentha consultants continually uncover major exposure and considerable risk from a security standpoint. Relying on a single point of defence, such as a firewall, is simply not enough, and dedicated cyber security specialists must now be recognised as a critical addition to any IT department if we are to tackle this problem.

Corporate Australia and government departments must constantly evaluate their cyber security processes. Sourcing the necessary expertise is imperative to inform cyber security measures, including updating technology and adopting incident response plans that lead to quick, effective recovery instead of allowing their organisations to be unravelled and potentially ruined. Cybercrime is constantly on the rise, and it certainly will not be going away. Preparation is paramount. At the end of the day, managers everywhere need to ask themselves: do they have a plan, and is it informed by the appropriate cyber security expertise?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.