
How to reduce cyber risks in data-intensive firms

Posted by Sam Pitruzzello on 11/02/19 8:21 PM

In this blog we explore three strategies that professional services firms should apply to reduce their cyber-risks.

The impact of a cyber security event can bring an entire business operation to a standstill. In a past blog, we highlighted the large cost of cyber-attacks to Australian organisations. We also presented some concerning statistics that showed almost 60 percent of Australian businesses are interrupted by cyber-crime every month. Furthermore, 60 percent of SMEs hit with a significant cyber security incident will go out of business within six months. Most cyber-security threats come from external sources. However, external attacks can be enabled by an insider’s inadvertent actions and, in some cases, by malicious ones.

Dark Reading’s Strategic Security Survey showed that over 25 percent of cyber-security breaches are caused by insiders – your trusted employees. The report also found that 44 percent of organisations say authorised users and employees pose the greatest threat to data security, and 61 percent of organisations believe negligent users will be the primary cause of a data breach in the next 12 months (Vijayan, 2018). So do you really know what your employees are getting up to online? Cyber criminals understand these weaknesses and use them to their advantage by launching sophisticated cyber-attacks, including social engineering and advanced persistent threats (APT), to get to the information they’re after.

Professional services firms such as accountants, law firms and consultants hold rich client data and a wealth of personally identifiable information. This type of information is attractive to cyber-criminals and is used primarily for extortion and identity theft. More importantly, professional services firms are data-intensive, relying heavily on computer and information systems. Therefore, reliable, uninterrupted access to information systems and data is crucial for business operations. An excellent case study of how a professional services firm suffered as a result of a cyber-attack is the global law firm DLA Piper. DLA Piper, like many global companies, had its entire operations crippled by the Petya ransomware event in June 2017. The Petya ransomware attack struck across the globe, shutting down computers at many multinational businesses, including the Australian offices of DLA Piper (ABC News, 2017). Ransomware is malicious software that encrypts computer files so that they cannot be recovered without the attacker’s key, and then demands a ransom in bitcoin for their release. Another driver for professional services firms is the importance of protecting the privacy of sensitive client data from theft and loss.

General Data Protection Regulation (GDPR)

Australian businesses need to comply with the EU’s General Data Protection Regulation (GDPR) requirements. These requirements came into force on 25 May 2018 and apply to Australian businesses of any size if they “have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU” (Australian Government, OAIC, 2017). The GDPR includes requirements that are similar to the Australian Privacy Act 1988. Additional measures have been included in the GDPR to foster transparent information handling practices and business accountability around data handling. Australian businesses need to have confirmed by now whether they are covered by the GDPR, and if so, take steps to implement any necessary changes to ensure compliance.

Three strategies to reduce cyber-risks and comply with GDPR

There are three strategies you can implement to reduce cyber-security risks and comply with the GDPR: conduct an audit of your client database, run a cyber-security education and awareness program, and take out dedicated cyber-insurance.

An audit of your client base will uncover any links with the EU. If there are any, you are required to understand and comply with the GDPR. Regardless of whether you have client links to the EU, it is good practice to understand the GDPR, as it is considered a high standard for privacy policy.

Education is an important component in protecting your business and employees from cyber-attacks. In the ransomware case above, the global infection of computer systems would have started from at least one person opening a malicious email. Business Email Compromise (BEC) and email phishing remain the most widely used cyber-attack vectors. Organisations that have trained their users through simulated phishing tests and security awareness training can significantly reduce these risks.

From a risk management and business insurance perspective, many insurance companies now offer dedicated cyber-insurance policies that provide further cover for your business. The premiums on these policies can be reduced by demonstrating an organisation-wide commitment to reducing the risk of cyber-attacks: implementing appropriate technologies, strengthening business processes around handling client data and investing in the education of your employees.

If you wish to further explore how to implement these three strategies in your firm, please contact us directly.

References:

ABC News 2017, ‘Petya cyber attack: Ransomware virus hits computer servers across globe, Australian office affected’, ABC News, accessed 8 February 2019, <https://www.abc.net.au/news/2017-06-28/ransomware-virus-hits-computer-servers-across-the-globe/8657626>

Australian Government, Office of the Australian Information Commissioner 2017, ‘General Data Protection Regulation guidance for Australian businesses’, accessed 11 February 2019, <https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses>

Vijayan, J 2018, ‘Data Breaches: Vulnerability Rising’, DarkReading
