Why effective cyber-protection needs to start from the top


By Phil Kernick, Co-Founder and Chief Technology Officer of CQR Consulting

Around the globe, cyber-security threats are real and rising and Australia’s energy and utilities sector is far from immune.

Australia is the world’s largest coal exporter and home to numerous listed companies which explore and develop fossil fuels and renewable energy assets.

The country’s competitive utilities market comprises a plethora of players involved in the distribution and generation of water, electricity and gas.

Maintaining effective cyber-security defences has become a strategic challenge, as hackers and cyber-criminals continue to home in on organisations with highly valuable commercial information and sensitive personal data in their keeping.

Mitigating cyber-risk effectively calls for a top-down approach, with buy-in and support from senior executives across the enterprise.

Exploring the challenge

The past two decades have seen information technology undergo an extreme transformation. Once synonymous with processing power in the data centre, it is now ingrained in almost every aspect of daily life, at home and at work. That has changed the threat landscape.

Once a rarity, cyber-security incidents are now unremarkable and managing the risks associated with them has become part and parcel of running an organisation, rather than merely an issue for the tech team.

For many energy and utilities companies, the challenges of implementing effective cyber-security practices are exacerbated by the legacy solutions that are still in use – ageing equipment and core infrastructure that can be difficult to patch and protect.


Getting the board on board

Unfortunately, in many enterprises executive-level discussion about cyber risks tends to revolve around fear. Attention is typically focused on the dire implications of an attack and the fallout it could cause.

Often, security professionals will present alarming data about the rates of attack and the extent of potential damage. Their overriding message is that, if everything is not fixed quickly, the organisation could find itself in real trouble.

A more constructive focus would be on how, beyond reducing the threat level, becoming proactive about cyber-security can benefit energy and utilities companies more broadly, by bolstering their reputation for integrity and rigour.

Enterprises in the sector also need to consider cyber-risk from a legal perspective. In common with all other organisations of size, they need to comply with the Australian Privacy Principles laid down by the Office of the Australian Information Commissioner.

Enterprises which handle the personal data of individuals from EU countries are also subject to that bloc’s stringent GDPR regulations. These regulations extend to all organisations that hold the personal data of EU citizens, regardless of geographic location.

Executives also have a duty to manage the level of cyber risk faced by their enterprise, and should keep the reasonableness test front of mind when assessing their planned level of action.

This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago. Decision makers need to ensure their responses are evolving over time and commensurate with current threat levels.


A problem for the institution, not the IT department

Viewing cyber-security as a technology problem, rather than a governance problem, is a mistake. Energy and utilities providers which take that approach and assume that the purchase of another new piece of technology will solve the problem perpetuate the myth that it is possible to buy your way to safety.

And a myth it is. While products are clearly an essential piece of the security puzzle, it’s vital energy and utilities companies develop much broader strategies to deal with rising threat levels.

Creating a multi-disciplinary team comprising representatives from across the organisation is the best way to ensure all aspects of cyber-risk are assessed and each division or business unit is aware of its role, both in mitigation and response, should an incident occur.

Time to act

The danger to organisations posed by hackers and cyber-criminals is real and rising. Threats are becoming increasingly targeted and sophisticated, according to advice released by the Australian Cyber Security Centre in 2019. Business leaders surveyed for PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report flagged cyber-crime as the most disruptive economic crime of our era.

Taking an enterprise-wide approach to cyber-security, championed by executives from all business units, will help mitigate the risk for energy and utilities companies prepared to put the issue on the agenda in the boardroom as well as in the IT shop.