Cyber security advice for boards in the era of hybrid working
Businesses should factor in cyber security risks when laying out a hybrid working policy.
Earlier this month, the Australian Government released a Ransomware Action Plan, which introduces a specific mandatory ransomware incident reporting to the Australian Government. What Australia does in the cybersecurity space New Zealand tends to adopt, so could this be on the horizon for our country? And what does that mean for directors?
Essentially this mandatory reporting is in addition to the data breach privacy reporting that Australian organisations must complete for ‘serious harm’ data breach incidents. What’s not clear is whether businesses must disclose whether they have chosen to pay a ransom to cybercriminals or not. Currently, most victims of ransomware tend to keep the details of any ransom paid under wraps, so as not to impact their brand and reputation.
It’s clear that the Australian Government are responding to the growing incidents of ransomware and are trying to quantify exactly what the threat landscape looks like for their market.
Whether New Zealand decides to bring in this mandatory reporting or not, it’s worth paying closer attention to the impact ransomware attacks could have on your business and ensuring there is an adequate response plan in place to mitigate as much damage as possible.
A report by Emisoft estimated the cost of ransomware attacks in New Zealand in vicinity of around $43.8 million – a combination of ransoms paid and the cost of business down time. The report also estimates a business’ systems will be out of action with the associated loss of productivity and revenue for 16 days on average, even if a ransom is paid.
While becoming the target of an unscrupulous cybercriminal may be unavoidable, it should be high on every director’s agenda to ensure the organisation has a robust cybersecurity plan to mitigate any risk.
Typically, this would look involve a combination of security training with staff, alongside technical controls, such as multi-factor authentication (2FA/MFA), network segmentation, and up to date patching. Regular penetration testing of your network and infrastructure, as well as developing and rehearsing your incident response plan, are also the best defensive actions a business can take.
Cybersecurity is a business risk, and more and more senior leaders that I speak to are seeing it as ‘the’ business risk that they believe will cause the most harm to their business. The role of directors is about ensuring the long-term sustainability of the company, so irrespective of legislative changes, cybersecurity issues such as ransomware should definitely be featuring in board discussions.
If you're not a member of the IoD but want to keep up to date with the latest governance news, insights and resources, sign up below.