Oct 17 2022

Cybercrime and data breaches are more than just the CISO’s problem

Category: CISO, Cyber crime, Data Breach | DISC @ 11:20 am

In recent weeks, cybercrime and data breaches have become unavoidable topics in Australia. Many citizens have been forced to confront – for the first time – the reality of living in a disrupted digital world, where our personal data has become the most valuable commodity.

Of course, as tech leaders, this is a topic that keeps us awake at night. No part of our economy has proven immune from the impacts of cybercrime and data breaches. Government agencies at all levels, large organisations, critical infrastructure providers, small-to-medium enterprises, families and individuals have all been targets.

Our customers sleep soundly at night in the knowledge there will be no unauthorised access to their physical digital infrastructure located in our data centres.

The $33 billion question

However, it’s not just CISOs who should be worried, particularly when considering this key question: What is the true cost to our economy of cybercrime?

It’s a $33 billion question because that’s how much Australian organisations self-reported in cybercrime losses during FY21. And that doesn’t even cover the hefty financial penalties that apply to companies that fail to protect their customer data.

The cost extends far beyond the financial. Companies that fall victim to these attacks also bear non-financial costs: reputational damage, remedial distraction, service interruptions and process breakdowns. Cybercrime also poses a major threat to consumer trust, innovation, and growth across the digital economy.

In other words, security risk management is fast becoming every business leader’s problem – not just for CISOs and CSOs.

The four pillars of security risk management

At NEXTDC, we’ve been talking for some time about the importance of an integrated approach to security risk management around digital infrastructure. The conversation so far has been focused on how there must be a ‘mesh’ or integrated approach to physical and cyber security. These are the first two pillars of robust security risk management and they have converged to the point where you can’t have one without the other.

As I like to say, securing your internal critical infrastructure is only half the story. You can have the most advanced cyber security systems in place and still be compromised by a physical breach of your facility.

However, there are two additional pillars to security risk management. These are less well-known but are no less important – people and processes, and supply chain and business continuity. And responsibility for those extends far beyond the technology department.

The remainder of this article will focus on the people and processes pillar. A subsequent blog will address supply chains and business continuity.

What does converged security mean from a people and process perspective?

Most of us are familiar with the terms converged or integrated security risk management, but what does that really mean from a people and process perspective? For most organisations, it comes down to what it is you’re trying to protect against. In general, that will fall into one of two categories: accidental or deliberate (malicious) human actions.

While it’s usually the malicious actors who get the most airtime (put your hand up if you immediately visualise a shadowy figure in a hoodie hunched over a laptop when you hear the word ‘hacker’!) – the evidence suggests we should be far more worried about accidental actions.

Malicious actors are everywhere, constantly active and becoming increasingly sophisticated, but human error is still the greatest cause of data breaches. Robust physical environments – supported by cutting edge technology, education to create awareness amongst people and the right processes to support them – are still the most important component of holistic security strategy.

Build a ‘ready for anything’ security mesh

As pressure continues to mount around data protection and sovereignty, an enhanced security posture is best achieved by partnering strategically with a trusted provider: a supply chain partner who will take on the heavy lifting that gets you to your ideal state faster and safely, and without significant capital investment in infrastructure, personnel and compliance.

Your provider’s security risk management must be completely aligned with yours, so ensure you ask the right questions during the evaluation process. Make sure you dig deep into factors such as:

  • Security awareness programs, policies and procedures for staff and suppliers (including personnel screening, both pre-employment and throughout tenure)
  • Compliance with the certification programs and standards relevant to your organisation and industry
  • Internal and external audit procedures

Your customers, regulators, investors and partners are depending on you to get security risk management right, and the consequences of falling short in this area can be very expensive and long lasting.

https://www.nextdc.com/resources-and-insights/news/cybercrime-and-data-breaches-are-more-just-cisos-problem

Tags: Cybercrime and data breaches
