Casino's broken Crown
Inquiry report into ASX-listed Crown Resorts Ltd focuses on governance failures, risk management and culture.
COVID-19 has also forced our businesses to rethink and change many of their operations, structures and strategies. But alongside these changes, it’s time for directors to also reassess their cybersecurity policies and processes.
Like other areas of your business, your cyber risk profile has been disrupted – and even if you recently reviewed your cyber security posture, it’s imperative that you understand what the new threat landscape looks like and adjust accordingly.
Thanks to large-scale government investment in our ultrafast broadband network, New Zealand is blessed to enjoy some of the best domestic internet connectivity in the world, giving us easy access to a wide range of applications that enable easy communication and collaboration. As a result, when we entered lockdown companies were able to undertake a rapid pivot to digital operations, even if that pivot was made in crisis mode.
However, with most boards now focusing on the immediate issue of survival, information security may well have taken a back seat.
While that’s understandable, maintaining an eye on cybersecurity is essential. If the economic impacts of the pandemic aren’t bad enough, a security breach costing time, money and reputation could make it far worse.
In the rush to rapidly pivot company processes to allow remote working, it’s likely your cyber preventative and detective controls may not have been properly adapted, leaving you at serious risk of attack.
The very lifeline to productivity in the stormy seas of COVID -19 may tow your organisation into a lurking cyber security iceberg.
Having more of your workforce connected to a myriad of internet connections greatly increases your necessary connectivity surface area. This dispersed network creates exponentially more vantage points for cyber criminals to infiltrate your systems as well as increasing the chance of accidental data breaches via your employees.
This risk is heightened because your security team is now finding itself having to manage incidents in unfamiliar conditions in lockdown. They are now working with playbooks that don’t cater to new operating models and where networks and information now reach into the studies, dining tables, spare bedrooms and personal internet connections of your employees.
The video conferencing application Zoom serves as an example of the dangers faced when making sudden changes to process, infrastructure, or applications. This particular application, with its ease of use and a free license, has a long history of security problems which many overlooked given the urgency of need.
Multiple governments around the world were among the millions of organisations to use Zoom – and some of them fell victim to “Zoom-bombing”, where hackers infiltrated unsecured calls and wreaked havoc in supposedly secure meetings. Zoom has since updated the application to ensure more secure connections by default, but only after researchers (including our own) notified them of its latest shortcomings.
The lesson here is that the introduction of any new application, process or way of working must be accompanied by a thorough assessment of security implications.
It’s never too late to do this. After the accelerated change dictated by crisis, it’s highly advisable to take a strategic, planned, and detailed review of all measures taken. Where risks are identified, take immediate steps to bring them up to speed and align them with best security practice.
This applies even to those organisations that may have reviewed their cyber security posture ahead of, or even during, lockdown. After all, the current covid situation is fluid, and so too will be your structure and systems.
The best approach is to consider a range of factors and scenarios, including potential long-term working from home policies, the new or expanded use of cloud technologies including remote access, the establishment of appropriate controls and authentication methods, and the hardening of devices and applications to reduce the risks of data compromise or loss.
Finally, don’t forget a focus on your people.
While securing devices, networks and applications remains essential, probably the most important factor in the security chain is the human one. Educate and re-educate every staff member, particularly those who are new to remote working.
Hackers don’t sleep. They are waiting to take advantage of every crisis. Right now, we are seeing covid themed phishing and ransomware attacks that are exploiting concerns over the pandemic, weaker home IT controls and the high likelihood of users taking the bait.
The bottom line is that business as usual today is a foreign land. Our new normal is forever changed and businesses must ensure a fluid approach to processes and policies. Your cyber security must reflect an ongoing new normal, or your organisation may be at risk.
Author: Peter Bailey
GM, Aura Information Security
The article is featured in the June/July issue of Boardroom magazine.