Organisations that underwent rapid digital transformation likely made significant productivity gains during the past few months, via increased speed and access to data, improved data analysis, and related data storage cost savings.
However, BDO’s National Cyber Security Leader Leon Fouche said many of these same organisations have encountered costly cyber attacks.
“We have seen a considerable rise in phishing email attacks, business email compromise attacks, and/or ransomware attacks,” he explained.
“This increase in cyber attacks is attributable to cyber adversaries taking advantage of the current working from home climate, but it is also a symptom of inadequate or reactive cyber security approaches within organisations’ digital transformation strategies.”
Not a new trend
It is surprisingly common for organisations to embark on a digital transformation journey and implement new technology and information systems without a strategic or proactive approach to data privacy and cyber security.
With more people working from home, the transition from office-based network access to remote/home access has created unique capacity, operational and cyber security challenges.
This means a lack of forward planning when it comes to cyber security can give rise to heightened information security vulnerabilities, some of which may not have been on an organisation’s radar previously.
The cyber security landscape in Australia and New Zealand is constantly evolving, and failing to stay abreast of the trends and factor them into any technology-related decision-making can be fraught with danger.
“Industry data from the latest BDO and AusCERT Cyber Security Survey Report proves new cyber adversaries and criminals are entering the mix, the types of attack methods used are evolving, regulatory obligations are shifting and organisations are looking at cyber security differently,” Mr Fouche said.
“Many organisations do not have appropriate and fit-for-purpose cyber security strategies to address the cyber risks within their organisations.
“The rapid and significant impact on the working arrangements COVID-19 has introduced to organisations’ day-to-day operations, and the cyber risks associated with these, are not fully understood.
“We have also seen many new business service offerings emerging to allow organisations to work remotely, such as telehealth services and remote technology support services. All of these introduce new challenges to the privacy and safety of systems.”
Under-investment leads to risk exposure
Organisations that find themselves at risk have often under-invested in five key elements of their cyber security program:
- Providing cyber security education/training for everyone in the organisation
- Hiring the right people to lead the organisation’s cyber security and data privacy strategic planning and implementation from the start
- Engaging independent firms to conduct periodic cyber security diagnostic testing to understand the organisation’s cyber vulnerabilities and threats. Testing should include computer vulnerability scanning, penetration testing, email system cyber attack compromise assessments, phishing attack campaigns and dark web analysis
- Ensuring continuous 24/7/365 information monitoring, intrusion detection and rapid cyber incident response services either internally or via an outsourced management security services provider
- Implementing and testing appropriate information resilience plans and procedures via cyber incident response plans, cyber business continuity plans and disaster recovery plans.
So, what is the best approach?
BDO in Brisbane Cyber Security Partner, John Borchi, said all organisations, regardless of their size, maturity or location, must begin their IT change or digital transformation project with cyber security in mind.
“It is imperative to ask the right cyber security questions up-front,” Mr Borchi explained.
“Many organisations think cyber security is all about software and systems, but in reality it cuts across every element of their organisation, especially as organisations seek to do more business online or work internally more efficiently using digital platforms.
“Organisations must consider who needs access to their information and systems and why, what the cyber risks are for these, and what practical and reasonable measures they should put in place to protect the information, their consumers and staff.
“All of these considerations translate into workable policies and processes, and the team and capabilities they need to be able to support their environment.
“The bottom line is that it is a balance between doing business efficiently and making sure organisations protect themselves legally (as with privacy legislation), ethically (with what consumers expect from them) and commercially (so they can continue to operate).
“Importantly, they must not ‘rest on their laurels’ and think what was sufficient pre-COVID-19 is going to be fit-for-purpose in today’s new reality.”
“Proactive risk assessments are crucial to ensure business owners and managers across the organisation truly understand their cyber posture and have plans in place to strengthen detection and response measures, so they can have confidence in their organisation’s ability to respond to a cyber attack should the worst occur,” he said.
Not all is lost
Organisations that currently find themselves dealing with the side effects of a lack of up-front cyber security planning can still take action to improve their information and data security approach.
“The first step is to understand your organisation’s current cyber security posture so you know where to focus your efforts,” Mr Fouche said.
“Assess where the vulnerabilities exist, identify measures to rectify them and then develop and implement a plan to ensure you stay on-top of your cyber risks.
“It takes time and effort, but the risk and costs of not doing it are far greater.”
To determine the cyber posture of your organisation and benchmark its performance against industry peers, take part in the 2020 BDO and AusCERT Cyber Security Survey today.