Eftsure sat down with Nigel Phair to discuss his most recent book, Cybercrime in Australia: 20 Years of In-Action.
Nigel is Director, Enterprise at UNSW’s Institute for Cyber Security in Canberra. He is an influential analyst on the intersection of technology, crime and society. Prior to his role in academia, Nigel had a 21-year career with the Australian Federal Police (AFP), in which he achieved the rank of Detective Superintendent and led investigations at the Australian High Tech Crime Centre for four years.
Nigel has published four acclaimed books on the international impact of cyber-crime and is a regular media commentator. He provides executive and board advice on strategy, risk & governance of technology, and is a non-executive director on a number of Australian boards.
I think it comes down to culture, particularly at the state and territory policing levels. Police commissioners are focused on news headlines and allocate resources accordingly.
I don’t think the upper echelons of our policing agencies fully appreciate how much time we, as citizens and consumers, spend in the online environment. From first thing in the morning, to last thing at night, we are online doing a range of personal and professional things. We need to think of the internet as another public place – just like an online ‘town square’.
Only when the upper echelons of law enforcement fully understand how much we use the online environment will they begin to understand the extent to which crime is perpetrated through that environment. At that point they will start dedicating more policing resources to fighting cyber-crime.
Essentially that’s right.
We should replicate our traditional offline policing methods in the online environment.
If you think of a bricks and mortar business, like a shop or a factory, they take physical security measures, such as locking their doors or running CCTV. They take responsibility for making sure everything is secure.
Businesses need to put that same level of thinking into their online environment – it’s all about risk management.
They need to think: “I have a customer database, I have unique intellectual property, I have an online sales platform… What do I need to do to protect that as best I can and become a resilient business?”
Cyber security has become a catch-all phrase. Many businesses are rightfully creating a cyber security strategy.
I make the distinction between the two because a lot of the focus is on cyber security threats. However, we are not focused as much as we should be on the low-level cyber-crime threats, such as fraud and scams, most of which are never reported to authorities. We estimate only one in five such cyber-crimes is being reported.
Both police and business need to recognise the threat from lots of low-level cyber-crime. Organisations need to develop strategies of how to avoid cyber-crime, just as they fight crime in offline environments.
Definitely the CFO.
The CFO is focused on the dollars and cents. So, that’s the person who should be in charge of the cyber-crime strategy.
It’s the CFO who should oversee the risk assessments and conduct the cost-benefit analyses when it comes to investing in cyber-crime mitigation.
On the whole – no.
Of course there are some exceptions. But it all starts with having the right culture.
Some 97% of the businesses in Australia are small businesses. They are busy trying to run their businesses and cyber-crime is not their focus. As a country, we need to do a lot more thinking into what constitutes ‘risk’ in an online environment.
I think we do some things really well. And some things not so well.
So, when I look at the Australian Cyber Security Centre (ACSC), and their Joint Cyber Security Centres (JCSCs) around the nation, I think there’s a really positive aspect. However, they are mostly focused on larger businesses. Larger businesses usually have the wherewithal, and the ability, to create and implement cyber-crime strategies.
I would like to see law enforcement work more closely within the JCSC framework to support small to medium businesses.
Crime prevention is an essential function of policing. It’s a lot more efficient for police to prevent a crime rather than investigate it after the fact. That same focus on crime prevention should be applied to the online environment, with a greater focus on small to medium businesses.
I would like to see law enforcement embedded within the JCSCs to reach out to small to medium businesses, giving them the tools, techniques and advice they need. I think that would be a really valuable part of a whole-of-nation strategy to reduce cyber-crime.
‘No’ is the answer.
Some businesses are doing email security well, but the majority are not even looking at it.
Unfortunately, we still have a culture of “it won’t happen to me” – people think that cyber-crime is something that happens to other businesses. That’s why we have over 300,000 cyber-crimes a year.
That number will keep going up until businesses actually decide to do something about it.
Nigel Phair, thank you for joining Eftsure in conversation.