Australian businesses need to remain on high alert after news that Russian cyber attacks have affected hundreds of businesses over the past year, according to the Australian Cyber Security Centre. So far infrastructure organisations have been immune, however the high risk of further attacks illustrates the need for cyber security to be top of mind for boards of directors of energy and utilities businesses. Our cyber security expert Stu Goodwin explains why.
- It’s a growing threat here to stay
Cyber security is a complex – and permanent – risk to all types of organisations. No longer confined to the IT domain, today’s escalating cyber risk profile has the full attention of astute boards of directors. In a world where cyberattacks can topple critical infrastructure such as electricity grids, cyber security is becoming a perpetual board meeting agenda item.
The chronically urgent cyber threat has seen government and regulatory bodies insist that critical infrastructure providers enhance their defence capabilities. In a seemingly insurmountable nexus, ever-more sophisticated cyber threats are occurring at a time when more assets are exponentially connecting to the energy network. This heightens the vulnerability of the network, which requires aggressive resource allocation to effectively protect it.
- Cyber security is more than IT
Within the Energy and Utilities (E&U) sector, effective cyber security equates to the proper protection of information technology and operational technology. While these two aspects have historically been unrelated in security terms, the age has dawned where a holistic approach is the only way to cultivate a robust cyber security model. Successful attempts to achieve this are accountable to board-level acknowledgement of the inherent risk profile of operational technology.
Organisations with mature cyber defences prioritise integrated security measures across technology, personnel and physical assets. Controls are interrelated and interdependent across the entity and across physical locations. Like all strategic business decisions, cyber security governance is most effective when led by directors and senior management.
- You need a defence-ready position
When guided by awareness of the integrated risks, senior management can more rapidly acknowledge, assess and treat threats as they arise. Importantly, this stance positions the organisation to proactively minimise risk. Knowing what’s on the horizon can make all the difference. Keeping cyber security permanently on the board agenda is a key action in sustaining appropriate defences. Director institute publications advise that board members comprehend the organisation’s cyber security position as clearly as they understand the financial position.
- Leverage successful global models
Cyber security programs operating in Europe and the US provide strong leads for Australian utilities companies in how to engineer robust solutions. Of particular value are models that assist non-technical decision makers to understand their cyber security position, such as the US energy market’s Cybersecurity Capability Maturity Model (C2M2). This model, introduced to Australia by Litmus Group/PPB Advisory, provides a common business language to assess vulnerabilities and prioritise investments to enhance security capabilities.
- You need to make confident, swift decisions
The C2M2 model is useful for rapidly helping clients comprehend their own cyber maturity and what steps they need to take to confidently counter risks. It facilitates clear board reporting using business-focused language. This eliminates the typical uncertainty surrounding cyber security issues at the board level and paves the way to the whole leadership team being able to collectively make faster, more accurate decisions.