Boards set to face the music on cyber security lapses


“The sophistication of attacks, and of cyber criminals, is on the rise. Criminals use scaled automated attacks, and 77 per cent of all cyber attacks use sophisticated bots. They are well funded organisations. And the businesses they’re attacking, cyber likely isn’t their core competency.”

“The upskilling of professionals in the space, and new technology adoption, typically has a cost associated with it. You need teams internally to know what to look for, but also to be able to speak the language between security and business to bridge that gap, and say to CEOs and investors and the board, that there are real risks that come with real costs if we’re not protecting ourselves.”


Ms Leibel, who also co-authored a book designed to educate boards on the business risks related to cyber security, said many directors struggled with the concept that IT teams spend a lot of money on cyber but are never done, as new risks emerge constantly. But even a well-resourced IT team can’t keep businesses safe on their own, she said.

“IT departments are spending a lot of money around technology controls, in the event of a cyber breach. But in a lot of the ransomware incidents [we’ve seen lately] it’s actually been an employee clicking on a phishing email that let the attackers in.”

“It’s about awareness across all employees. It’s thinking about the third party, so your vendors that you work with, and people that have access to your data, where they’re storing it and how they’re keeping that safe.”

In the case of something like ransomware, companies also need protocols for during and after the attack, which should be documented and rehearsed, right down to who will be managing social media and what the message will be to customers.


“Once you’ve lost the trust of your customers, it really does impact your retention and your attracting of new customers. So it can actually have a significant impact on your growth, your aspirations as an organisation,” Ms Leibel said.

Both Leibel and Murray agreed that one of the most positive steps businesses could take is sharing experience and expertise, rather than dealing with attacks internally.

“Most Australian companies probably wouldn’t know what to do if they fell victim to a ransomware attack. So it is the right time for the public and private sectors to come together to put a framework, put policy and put best practices in place,” Murray said.

“We need to band together in this kind of collective protection ideology, which says ‘let’s break the economics of cybercrime’. And you can do that much better if you’re collaborating than if you’re operating in a silo.”

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.