Recent experience at The Royal Melbourne Hospital in which a serious computer virus infection substantially affected the hospital’s technology and communications systems for several days highlights the risk of hacking in our modern age.
So many of our systems are now technology based and our organisations are increasingly dependent on software and systems to ensure that our businesses survive. We have increasingly experienced massive technological advances, increasing our ability to communicate, grow, learn, profit and connect.
However, there are those who will always seek to profit from our businesses' reliance on technology, and we now face the age of hacking and cyber assault.
Infection by computer viruses occurs on a regular basis. More pernicious hacking attempts occur through a person in another country with a screen and keyboard. Cyber theft occurs as hackers seek to acquire online property, intellectual property and access to bank accounts.
Despite this, there are reports that less than 40% of Australian corporate boards are currently aware of the extent of their own cyber protection. Small businesses, with fewer resources, are at particular risk, and there are reports that a staggering 60% of small businesses that are hacked are forced into closure within six months of the hacking.
Corporate boards therefore need to avoid complacency. We sometimes have a false sense of security in relation to cyber safety. Companies must keep updating their cyber defences, because hackers are always adapting and existing firewalls are consistently challenged. A recent KPMG report indicated that Australian cyber security incidents rose by 109%. Reports indicate that cyber hacking steals an average of $3.6 million per company every year – including not-for-profit businesses like hospitals and aged care facilities.
Cyber risk should therefore be a significant part of any risk management framework for a corporate board to consider.
Strategies for cyber protection include:
- Use more complex passwords and equip all devices with password protection.
- Update all software regularly and consider deleting susceptible programs.
- Maintain cyber protection software including firewalls, antispyware, antivirus and anti-malware.
- Ensure deletion of personal files from any hardware which is discarded or transferred.
- Use more creative ideas for security questions.
- Use two-step authentication processes where possible.
Boards and Audit and Risk committees have a role to play in oversighting management responses to cyber security issues. Boards should be proactive in seeking appropriate assurance that the company has appropriate systems in place, that they are updated regularly and that IT departments are aware of the most up-to-date hacking issues.
The challenges for Boards to consider and the questions to be raised include:
- What level of resources are the Board and the company prepared to invest to deal with cyber risk?
- Does the company’s business strategy include reference to cyber security, with protections directed to the most valuable assets or the most strategic software and client connection systems?
- Businesses survive on data. Where is it stored, how is it secured and what are the systems in place for protection?
- Many businesses use contractors and other third parties to provide systems, access data, and manage processes. What protections are in place to ensure that third parties observe your cyber security requirements?
- How do you manage access to your systems whether by staff, third parties or even customers?
- Do you have a plan for a breach of your systems from cyber attack? What are the backup plans for your data and systems? How do you deal with reputation risk, to secure your business operations and maintain the trust and confidence of your clients?
All of these issues are worthy of consideration at the Board level.