Why reporting cyber risk is essential to combatting cybercrime.

If you have been keeping up with the news in the year 2022, and let’s be honest, who hasn’t, you may have noticed that, between the headlines about US election drama and rising pandemic numbers, cybercrime is well and truly on the increase.

Many organizations and businesses that made the transition to work-from-home arrangements earlier this year became victims of opportunistic cyber criminals who took advantage of easy access to remote IT systems. This runs counter to the common assumption that only the largest organizations are at risk of being attacked by hackers.

According to a survey published in September by the international IT and technology news site ZDNet, there was a “sharp spike in sophisticated hands-on hacking activities” in 2020, with the first half of the year showing more instances than all of 2019 combined.

The research team at CrowdStrike, a cyber security business, drew these conclusions from observed “possible hands-on invasions” and published the findings in a report released by the company.

“According to the business, the first half of 2020 witnessed 41,000 incursions, a figure that is larger than the 35,000 discovered throughout the entirety of 2019,” stated Danny Palmer, the author of the story published on ZDNet.

“Hands-on campaigns are based around hackers gaining access to the network—often via leaked or stolen credentials to an employee account or an exposed RDP server—then using the legitimate access that those accounts or systems offer to move across the network, gradually securing the means to gain more and more access.”

Because access is obtained through a legitimate account or system, this “hands-on” type of cybercrime is typically much harder to detect than larger-scale hacks carried out by malicious actors.

“In the past, this level of competence was only seen in hacking groups that were supported by national governments; nevertheless, today, cybercriminal gangs routinely demonstrate that they possess the same level of expertise.”

[Figure: Cyber Risk Diagram]

But business professionals were painfully aware of the increased hazards of cybercrime long before last year, when remote working became standard practice.

For the first time in the history of the report, the ninth Allianz Risk Barometer found that “Cyber incidents” outranked “Business interruption” by 2 percent as “the most important business risk globally.”

The rise from 15th place just seven years ago to first place demonstrates that businesses (and the boards that govern them) are increasingly aware of their digital vulnerabilities. Growing reliance on IT systems and data, together with the rising number of high-profile incidents, has contributed to this awareness.

But how exactly are businesses supposed to remain on top of these risks in order to lessen the frequency of catastrophes and their severity?

The Australian government and the Australian Cyber Security Centre believe, as Andrew Tillett, Political Correspondent for the Australian Financial Review, reports in a recent article, that the best way to reduce the number of cyber incidents is to report and share information about those incidents.

According to Tillett, “to counter the proliferation of online threats – which range from crudely worded criminal scams exploiting the COVID-19 pandemic through to persistent attacks by foreign governments” the Morrison government has unveiled a $1.7 billion cyber security strategy.

“The strategy includes hiring an additional 500 cyber spies, increasing information sharing of cyber threats, granting new powers to the cutting-edge Australian Signals Directorate so that it can step in and protect computer networks, and mandating that critical infrastructure providers strengthen their cyber security defenses.”


Under this new cyber security strategy, critical infrastructure providers such as banks, defense contractors, power and telecommunications companies, and others will be required to report cyber security incidents to the Australian Cyber Security Centre. This will ensure greater transparency about the state of cyber security in Australia.

This follows the Centre’s finding that the private sector has been underreporting cyber incidents, to the disadvantage of their peers.

As Tillett notes in the article, “The center’s danger report, which was released the previous month, showed the agency responded to 2266 cyber events in 2019-20.” The federal and state governments were responsible for 35% of those reports.

Although the head of the Australian Cyber Security Centre, Abigail Bradshaw, speculates that this could be because private organizations are trying to “protect commercial reputation” or are “concerned about the market response,” she makes it abundantly clear that disclosing a cyber breach not only protects you, it also protects the “next victim.”

Who, then, is accountable for monitoring and reporting cyber events that occur within major organizations? And what is the most effective strategy to manage cyber risks so as to prevent big security breaches and events from happening in the first place?

Alex Pagoulatos, COO at SubRosa, believes that cyber risk management should be approached from the top down. Board directors and other business leaders should be the ones to identify key cyber risks, which should then be managed, tracked, and ultimately reported in order to facilitate quick responses and transparency.

According to Alex, “now is the moment to manage your risk in a systemized and transparent way, as government mandates for cyber risk reporting are on the horizon.”

[Figure: An example risk matrix from within SubRosa’s GRC platform]

“It is crucial for managing risk and ensuring that people responsible for compliance have all of the information they need to ensure that cyber threats are visible at the appropriate levels, including at the very top.

“This requires an integrated system, such as SubRosa’s GRC, that can provide large organizations with a consistent view of how all risks, including cyber and IT risks, are maintained and controlled; a simplified approach to compliance across key regulatory frameworks related to information security; and the ability to respond to cyber and IT breaches quickly in order to keep key stakeholders informed.”

Risk is intelligent, flexible risk management software that delivers crucial insights and supports decision-making in a fast-paced, constantly changing corporate environment. It is the most effective tool for risk management, including the management of cyber and IT risks.
