AICD round table: Pandemic puts cybersecurity in the spotlight for directors
Cybersecurity is now one of the “hot topics” of Australian boardrooms, accelerated by the big increase in e-commerce as a result of the pandemic and having more staff working from home.
A round table of leading company directors organised for The Australian by the Australian Institute of Company Directors was told that companies were concerned that Australia had a shortage of skills when it came to dealing with cybersecurity.
They said companies needed to be more vigilant in dealing with suppliers to ensure they also had high levels of cybersecurity.
“It’s definitely at the forefront,” said Coles director Wendy Stops, who is a member of the council of the University of Melbourne and former director of the Commonwealth Bank.
“All of the boards I am involved with — whether it is a bank or a supermarket or a university or a charity — have got this front and centre.”
She said with many people working from home as a result of the pandemic, there was a new need to make sure internal security systems were effective.
The exponential growth in online shopping during COVID had put the spotlight on cybersecurity.
“It’s certainly very heavily on the table in all of the boards I am involved in,” she said. “There is a lot of discussion and a lot of reassurance being sought that the organisation is on top of it.”
Ms Stops said Australia had a shortage of resources when it came to combating cybersecurity threats.
“A lot of organisations have been struggling to get good leadership and good people to help drive it,” she said.
“It’s going to be an ongoing challenge.”
She said Australian companies were prepared to share their cybersecurity expertise.
“It’s in the interests of the country to make sure we protect everything,” she said.
“So at least there’s a lot more sharing and co-operation going on.”
Amcor chair and ANZ director Graeme Liebelt said banks were investing more in cybersecurity.
Mr Liebelt, who is also a director of Australian Foundation Investment Company, said there were now many cybersecurity threats from “bad actors”.
“The environment is such that the bad actors are seeing opportunities,” he said.
“We’re getting more and more attacks from different places.
“The financial industry is really stepping up the extent to which cybersecurity has become a focus.
“Not only does it disrupt your business if you have a problem, but it is a reputational risk and you get hammered by the authorities.
“There is a lot of pressure from the likes of (bank regulator) the Australian Prudential Regulation Authority and its equivalents elsewhere in the world.”
He said a lot more companies were putting their IT operations in the cloud.
While there were initial concerns about the security of the cloud, he said people were now arguing that it was the most secure way to operate.
Fortescue Metals director Penny Bingham-Hall said companies were spending a lot more upgrading their IT systems.
Ms Bingham-Hall, who is also a director of BlueScope and property company Dexus, said there was a lack of expertise on cybersecurity and IT issues at the board level.
“There is a lack of skill generally around cybersecurity, both at the executive and director level,” she said. “It’s an issue we’ve all got to keep on top of.
“If you’ve been through an attack, you come up the learning curve pretty quickly.”
AICD chief executive Angus Armour said the move to working from home during COVID had increased the need for cybersecurity.
“The work-from-anywhere concept is going to continue to put great emphasis on the need for more cyber resilience,” he said.
“The more distributed your workforce, the more you are going to need to invest.”
Mr Armour said governments were also expecting companies to be more aware of cybersecurity issues.
He said more than 800 AICD members had undertaken the AICD course on cybersecurity in the past six to 12 months.
“There has been a big uptake in interest,” he said.
“Many people are coming to grips with the fact if they have not had a great deal of exposure in the past it is an area where they really need to focus.”
Queensland Sugar chair and Santos director Guy Cowan said cybersecurity was now considered a key risk by boards.
He said Santos now did weekly updates for its chief executive on IT and cybersecurity issues, which were made available to the broader organisation.
The company had also organised specialist audits of its IT systems, with penetration testing to assess their vulnerability to cyber hacks.
Companies also needed to be more aware of the cybersecurity risks when it came to dealing with their suppliers.
“If you have a key supplier and they have a problem, can it impact on your business?” Mr Cowan asked.
“Should the procurement function really be focusing on how safe supplier systems are?”
Mr Cowan said companies should consider some sort of independent certification system to show their suppliers also had strong cybersecurity.
Ms Bingham-Hall said there was a risk that suppliers could become Trojan horses for their computer systems at the point where they connected into a company’s IT system. Companies needed to be vigilant about their electronic interface with suppliers to make sure there were no weak links.
Ms Stops said companies should treat cybersecurity issues like health and safety issues, with companies giving their staff training against the dangers of outside attack.
“A cyber breach should be treated almost like a serious safety incident,” she said.
She said companies needed to instil a culture among staff where they all felt responsible for the cybersecurity of the organisation.