Cybercrime and the board: An issue that affects everyone differently

The Director Sentiment Survey 2023 held some sobering insights for those of us working in the cyber security industry. A mere 23.5 per cent of surveyed directors say cyber security is a key issue for the board. Only two-thirds say they regularly discuss cyber risk and are confident their organisation has the capacity to respond to a cyber attack or incident.

While this was a positive shift from the previous survey, the initial reaction is these figures are still somewhat deficient. With a recent Kordia survey finding one-in-three businesses had their operations disrupted by a cyber incident in the past 12 months, cyber security clearly impacts a huge number of organisations and people.

With good security governance and preparation, cyber risk can be managed, yet despite years of increasing activity in the threat landscape, that message doesn’t seem to be hitting home for some boards.

The core reason some boards aren’t treating cyber risks as a priority is they probably assume it is strictly a technology issue. However, understanding cyber security as business risk, rather than a technical one, is key to good governance and management.

Perceptions of cyber risks can also be mistakenly narrowed in focus to the data breaches that make headlines. However, most organisations now rely on internet-connected platforms and services to manage infrastructure or transact with suppliers and customers. This has led to many cybercriminals now targeting operational downtime to inflict damage on their victims.

Look at Australian port operator DP World, which had to take down all of its online systems – from email through to container tracking – in response to a serious cyber attack. A few days offline brought container movement to a standstill, with a serious flow-on effect for the entire shipping industry in Australia.

In today’s complex operating environments, the assumption that an organisation can continue operations by rolling back to ‘pen and paper’ misses technology-based dependencies. That’s why it is important to ensure your organisation performs cyber risk assessments and maintains a cyber risk register to ensure this is well understood.

Another key finding in the survey is a downward trend in views on ‘the positives of automation and AI’. This isn’t surprising; the promise of AI has not yet been matched in delivery. According to Gartner, Generative AI is sitting high on the hype cycle, approaching the peak of inflated expectations, and is expected to be productive in five-to-10 years.

However, the rate of change is accelerating and AI is already showing surprising capabilities in some areas, while confirming limitations in others. Like many emerging technologies, employees have often started using AI well ahead of their employer’s having an official approach or policy. This may introduce new vulnerabilities and boards should be guiding their organisation to provide controls that ensure its use is not creating new risks.

Also, cyber security is an asymmetrical arena. Cybercriminals will be watching and testing AI and using it where it works – they often need just one successful attack to reach their target.

The obvious use case for AI is in spear phishing, which may involve imitating targeted business leaders to trick unsuspecting employees into harmful actions. The speed and accurately at which AI will be able to analyse and replicate the tone of an individual will far exceed that of a human, making these scams incredibly difficult to spot.

In February, police in Hong Kong highlighted a case of an employee at a multinational company parting with more than US$25 million after an entire video conference was deepfaked, showing the potential of AI in the arms race between those tasked with defending against cybercrime, and those committing it.

New Zealand has recently appointed its first Minister of Regulation, but unlike Australia, has not yet appointed one for cyber security.

However, this mooted idea has drawn steady support. Kordia’s survey of business leaders found 42 per cent of respondents like the idea, and about the same number (43 per cent) agreed that reporting all cyber attacks should be mandatory (right now, this only applies to those where privacy breaches occur). No-one likes fines, but 51 per cent believed penalties should be harsher for organisations failing to protect personal data.

These findings come back to the point that boards should appreciate the magnitude of cyber risks and should expect more government direction in dealing with those risks.

Cyber risk is very real. Almost every New Zealand organisation needs to manage digital risk, as the threat landscape continues to evolve at a rapid pace. It is likely one of the most complex and dynamic risks that your organisation faces today, and in the future. More than ever, it is critical that boards lead a risk-based conversation, especially if the organisation’s executive layer isn’t already doing so.