Risky Business: How resilient is your business to a cyber attack?


As businesses continue to increase their reliance on data platforms (electronic storage, access and transfer of data) as part of their daily business practices, the associated risks of cyber threats and attacks can no longer be ignored and must be factored into their risk assessment models.

The leading cause of notifiable data breaches is malicious criminal attacks that are specifically tailored by third parties to exploit business vulnerabilities. Between July and December 2019, Australia had 537 notifiable data breaches, of which 64 percent were malicious. This was an increase from the previous reporting period. In light of these figures, businesses can no longer ignore the risk of a targeted, purpose-built data breach attack.

In February 2020, supply chain heavyweight Toll Group (Toll) suffered a devastating ransomware attack that forced it to shut down the delivery and tracking systems for its parcel deliveries. Aside from the business interruption to Toll itself, major customers such as Unilever, Telstra, Optus and Officeworks, to name a few, also had their businesses interrupted. Consequently, Toll incurred financial, customer and reputational losses in what has been described as one of the largest supply chain cyber-attacks in Australian corporate history.

In early May 2020, Toll was again the target of a ransomware attack, detected after it discovered unusual activity on some of its servers. By shutting down some IT systems and relying on business continuity plans and manual processes to keep business services running, Toll was better prepared than it had been for the first incident. However, the customer and reputational cost is still unknown.

The Toll incidents signal a message to all businesses that they must consider how resilient they are to a targeted cyber-attack or threat. Resilience can be measured by assessing the ability to prepare for, respond to and recover from a cyber-attack.

Further, there are potential risks and penalties for company directors that must be taken into account. The Australian Securities and Investments Commission's Cyber Resilience Report stated that effective corporate governance should include the management and assessment of cyber risks as part of the corporate governance regime. This signals that company directors and officers cannot ignore cyber risk as part of their duties of due care and diligence. This is in addition to the European Union General Data Protection Regulation, which must be considered by Australian businesses if they trade goods and services with, or monitor the behaviour of, individuals in the European Union.

With the continuous rise of cybercrime, corporations must be prepared for the likelihood of an attack. A cyber-threat and attack response plan is now a baseline requirement of operating in any commercial environment.

If you have any questions or concerns please contact us.