CFOs Must Take Ownership of Cyber-Crime Strategy

With 300,000 cyber-crimes each year, costing over $42 billion, Australia has less than 100 dedicated cyber-crime investigators. Do you think Australian police forces are investing adequately in the fight against cyber-crime?

I think it comes down to culture, particularly at the state and territory policing levels. Police commissioners are focused on news headlines and allocate resources accordingly.

I don’t think the upper echelons of our policing agencies fully appreciate how much time we, as citizens and consumers, spend in the online environment. From first thing in the morning, to last thing at night, we are online doing a range of personal and professional things. We need to think of the internet as another public place – just like an online ‘town square’.

Only when the upper echelons of law enforcement fully understand how much we use the online environment, then will they begin to understand the extent to which crime is perpetrated through that environment. At that point will they start dedicating more policing resources to fighting cyber-crime.

So, in the meantime Australian businesses are left to fend for themselves?

Essentially that’s right.

We should replicate our traditional offline policing methods in the online environment.

If you think of a bricks and mortar business, like a shop or a factory, they take physical security measures, such as locking their doors or running CCTV. They take responsibility for making sure everything is secure.

Businesses need to put that same level of thinking into their online environment – it’s all about risk management.

They need to think: “I have a customer database, I have unique intellectual property, I have an online sales platform…What do I need to do to protect that as best I can and become a resilient business?”

You argue Australia needs a dedicated cyber-crime strategy, distinct from our national cyber security strategy. What is the difference between the two, and is this division something that should be replicated within the private sector?

Cyber security has become a catch all phrase. Many businesses are rightfully creating a cyber security strategy.

I make the distinction between the two because a lot of the focus is on cyber security threats. However, we are not focused as much as we should be on the low-level cyber-crime threats, such as fraud and scams, most of which are never reported to authorities. We estimate only one in five such cyber-crimes is being reported.

Both police and business need to recognise the threat from lots of low-level cyber-crime. Organisations need to develop strategies of how to avoid cyber-crime, just as they fight crime in offline environments.

Given the levels of fraud and scams, should an organisation’s CFO or CISO take responsibility for its cyber-crime strategy?

Definitely the CFO.

The CFO is focused on the dollars and cents. So, that’s the person who should be in charge of the cyber-crime strategy.

It’s the CFO who should oversee the risk assessments and conduct the cost-benefit analyses when it comes to investing in cyber-crime mitigation.

Are Australian CFOs equipped to develop cyber-crime strategies?

On the whole – no.

Of course there are some exceptions. But it all starts with having the right culture.

Some 97% of the businesses in Australia are small businesses. They are busy trying to run their businesses and cyber-crime is not their focus. As a country, we need to do a lot more thinking into what constitutes ‘risk’ in an online environment.

What policies could we be implementing to help businesses?

I think we do some things really well. And some things not so well.

So, when I look at the Australian Cyber Security Centre (ACSC), and their Joint Cyber Security Centres (JCSCs) around the nation, I think there’s a really positive aspect. However, they are mostly focused on larger businesses. Larger businesses usually have the wherewithal, and the ability, to create and implement cyber-crime strategies.

I would like to see law enforcement work more closely within the JCSC framework to support small to medium businesses.

Crime prevention is an essential function of policing. It’s a lot more efficient for police to prevent a crime rather than investigate it after the fact. That same focus on crime prevention should be applied to the online environment, with a greater focus on small to medium businesses.

I would like to see law enforcement embedded within the JCSCs to reach out to small to medium businesses, giving them the tools, techniques and advice they need. I think that would be a really valuable part of a whole-of-nation strategy to reduce cyber-crime.

With the rapid increase we are seeing in Business Email Compromise, are businesses taking the lead in training their own staff on email risk awareness?

‘No’ is the answer.

Some businesses are doing email security well, but the majority are not even looking at it.

Unfortunately, we still have a culture of “it won’t happen to me” – people think that cyber-crime is something that happens to other businesses. That’s why we have over 300,000 cyber-crimes a year.

That number will keep going up until businesses actually decide to do something about it.

Nigel Phair, thank you for joining Eftsure in conversation.