Australia is one of the world’s richest targets for cyber criminals, according to data cited by Serge Maillet, Head of Cyber Security for Siemens Digital Industries, when presenting at the recent Australian Cyber Security Week 2020. Gallagher’s own Head of Cyber/Technology Practice Leader Robyn Adcock attended to find out how businesses can protect themselves. Here are her key takeaways.
Michelle Price, CEO of AustCyber, warns that threats are increasing in sophistication, frequency and severity at an alarming rate, and that we are now at crisis level. Driven by the rise and rise of data use in business, the number and types of attacks have increased through connected systems, which support transmission of digital information.
It’s hard to keep up with the various threat vectors, which include large numbers of domestic, international and state-sponsored actors. The types of attacks range from ransomware to credential stuffing (stolen account details and passwords used to access accounts), and are often aimed at small businesses by malicious actors who recognise vulnerabilities in business supply chains.
The pressing need for Australian cyber resilience
Cyber crime costs Australian businesses $29 billion a year, and the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report July 2019–June 2020 records receiving notice of 60,000 data breach reports.
Maillet says these statistics paint a disturbing picture, and highlight the need to examine cyber resilience nationally. While he acknowledges that some organisations have been moving to improve their security, he says Australian businesses are not doing enough to increase their cyber resilience.
Cyber resilience isn’t the same as cyber security, he explains. Security is trying to keep hackers out while resilience refers to minimisation of the impact and collateral damage caused by threat actors attempting to compromise a target’s system.
To achieve resilience, organisations need to be prepared, know what to do if a security breach occurs and be able to respond quickly to minimise damage and enable speedy recovery: if data is compromised, businesses need to have a back-up solution for restoring their data.
But when a security breach occurs many businesses remain unaware of the intrusion, and lack the capacity to address it. These business owners urgently need to reduce the risks involved with responding to a cyber attack and the time and resources this requires.
Automation the solution to achieving cyber resilience
Innes Willox, the chief executive of Australian Industry Group, made reference to the Fourth Industrial Revolution Report and pinpointed the need for Australian industry to make deeper use of automation, artificial intelligence (AI) and robotics to boost capability and resilience.
Ideally business security audits should be conducted every 6‒12 months ‒ but audits are only valid for that one point in time, while IT systems are dynamic in business environments where owners are installing new software, adding new assets and making configuration changes. This makes maintaining a security-compliant system a challenge. Maillet believes automated systems will deliver actual systems intelligence.
He says Australian businesses must embrace automation technologies underpinned by artificial intelligence (AI) and machine learning, which will allow them to implement cyber security solutions that provide real-time continuous threat detection within their IT and operational technology environments. In addition, automation can be used to both measure and enforce security compliance and best practice within businesses.
The cyber resilience solution is threefold
- staff education to recognise and respond appropriately to threats
- automation of ongoing systems checks, using AI to recognise potential threats
- cyber security insurance cover to assist with recovery costs if a breach occurs.
The role of cyber security insurance cover
AustCyber has stated that cyber security is a function of insurance for a resilient economy, and this applies to both large and small organisations, as businesses grow their global supply chains, engage in online collaborations and develop remote learning delivery.
Insurance has an important role to play in that many businesses can’t afford to respond to a crisis after it happens: cyber security cover assists with these costs. Cyber security insurance can help small businesses that don’t have a head of IT systems and may not even have the function outsourced.
In businesses of less than 20 employees, which represent 97% of Australian businesses, responsibility for cyber security usually rests with an individual – the owner – not a board. A recent small business survey showed that almost all (92%) of the respondents understood that they needed to take action but didn’t understand what they should do to respond to a cyber security threat. The ‘how’ is often missing for small businesses.
Gallagher cyber insurance provides access to specialised expertise, both in damage control and prevention. Through our partnership with cyber security provider Amplify Intelligence, our client businesses can benefit from a cyber security service that monitors their systems and delivers timely alerts, scaled to suit the resources of large and small organisations.
“For small businesses, the simple plug-in brAIn-box provides cyber resilience through capabilities such as systems monitoring, vulnerability testing, reports on suspicious activities and key security metrics, security policies and incident response plans, and security awareness training,” says Amplify Intelligence CEO Paul Byrne. “This gives business owners oversight of their security and a prioritised list of actions without demanding technical expertise or time away from their core activities.”
Are you confident your business is protected against cyber criminals?
To help you find out, we have developed a survey in tandem with a cyber security expert, so you can rate your response against the areas considered most important to get right for complete cyber protection. Your responses are completely anonymous - and if you do have any questions, please don't hesitate to contact the Cyber Risk practice — we will be delighted to assist.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.
Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312