Earlier this month, Sandra Brown of TRANSEARCH International Australia hosted a Boardroom Lunch with expert panellist Michael Gorton AM, Principal, Russell Kennedy Lawyers. Participants heard in striking detail about the Board’s responsibility in response to computer viruses and other digital hacking, which are a significant risk to Australian organisations.
Recent experience at The Royal Melbourne Hospital, in which a serious computer virus infection substantially affected the hospital’s technology and communications systems for several days, highlights the risk of hacking in our modern age.
So many of our systems are now technology-based, and our organisations are increasingly dependent on software and systems to ensure that our businesses survive. We have experienced massive technological advances, increasing our ability to communicate, grow, learn, profit and connect.
However, there are those who will always seek to profit from our businesses' reliance on technology, and we now face the age of hacking and cyber assault.
Infection by computer viruses occurs on a regular basis. More pernicious hacking attempts occur through a person in another country with a screen and keyboard. Cyber theft occurs as hackers seek to acquire online property, intellectual property and access to bank accounts.
Despite this, there are reports that fewer than 40% of Australian corporate boards are currently aware of the extent of their own cyber protection. Small businesses, with fewer resources, are at particular risk, and there are reports that a staggering 60% of small businesses that are hacked are forced into closure within six months of the hacking.
Corporate boards therefore need to avoid complacency. We sometimes have a false sense of security in relation to cyber safety. Companies must keep updating their cyber defences, because hackers are always adapting and existing firewalls are consistently challenged. A recent KPMG report indicated that Australian cyber security incidents rose by 109%. Reports indicate that cyber hacking steals an average of $3.6 million per company every year – including not-for-profit businesses like hospitals and aged care facilities.
Cyber risk should therefore be a significant part of any risk management framework for a corporate board to consider. Strategies for cyber protection include:
Boards and Audit and Risk committees have a role to play in overseeing management responses to cyber security issues. Boards should be proactive in seeking assurance that the company has appropriate systems in place, that they are updated regularly and that IT departments are aware of the most up-to-date hacking issues.
The challenges for Boards to consider and the questions to be raised include:
All of these issues are worthy of consideration at the Board level.