Despite Australia’s major security breaches recently, we continue to have a ‘she’ll be right’ outlook. Perhaps it’s the blue skies, the relative safety of our location or having an economy that always seems to just about cope. As a society, we believe it won’t happen to us. But this is not reality. Our interconnected world means it’s not a case of if, but when. And the mid market is not immune to the worsening and multidimensional cyber threat environment.
In this article, KPMG partners share their perspective on mid market organisations and family and private businesses, especially those within critical infrastructure, shifting to a whole-of-business approach when it comes to cyber security. They touch on what’s driving the need for change, the hurdles to overcome, and what can be done to build a more resilient business.
SOCI reforms: Encouraging an integrated risk approach
Security of Critical Infrastructure reforms (SOCI) have been introduced by the government to strengthen the security and resilience of Australia’s critical infrastructure. Greg Miller, KPMG Partner for Critical Infrastructure, says, ‘SOCI encourages security to be tackled in an integrated way, with organisations assessing and mitigating risks related to hazards, personnel, physical risks, supply chain and cyber.’ Instead of managing these different areas in a siloed way, Miller says businesses must be able to identify how they interplay with one another. ‘Our economy and society are so strongly interconnected that a vulnerability in one will have cascading impacts. Currently, that is where we see a gap.’
This also means it’s not just an organisation’s assessment of risk that matters. It must be aligned with the government’s expectations and that of your customers, stakeholders, and the wider community.
Organisations need to comprehend who they rely on and who relies on them.
First, organisations can step back and determine what is critical for their activities, down to minor details. ‘Take a hospital, for example,’ says Miller. ‘Imagine if their laundry services stopped working. What happens if a hospital cannot access clean sheets?’ It may be that the smallest cog in the machine has the biggest impact.
Bringing IT and OT together
A common theme in mid market businesses is the dichotomy between their Information Technology (IT) and Operational Technology (OT) departments. While IT focuses on data protection, confidentiality, and privacy, OT is engaged with running assets – keeping the lights on or the water flowing.
Angela Pak, KPMG National Lead, Cyber Security Operational Technology, says, ‘Technology has forced these two areas to become one. Yet they often speak different languages and have different objectives, at least on paper.’ Our highly integrated world also creates more challenges.
‘When they consult the different frameworks, whether that’s SOCI, ISO, IEC or NIST, confusion sets in.’ Instead of starting at the frameworks, Pak suggests they revisit them once an organisation has figured out their critical activities – crown jewels needing protection and risk appetite. ‘Looking at the frameworks through this lens often means the jigsaw pieces come together.’
In Pak’s experience, embedding the controls is the biggest challenge for businesses. ‘There are many factors involved, but to ensure the best chance of success, focus on collaboration, communication and clear indicators to control efficiency. This will result in more sustainable controls.’
You are only as strong as your weakest link, and what organisations are finding is that OT is that link.
Other hurdles organisations face are related to talent and budget. Once controls have been designed, finding the capability in the OT space to embed them is a challenge. In-demand roles see low retention levels, meaning knowledge leaves the business too easily. Funding often drops away after controls have been developed and implemented, leaving a gap for crucial annual refinements.
A holistic approach: Aligning cyber and business strategies
Sitting above regulatory reform and a shared goal for IT and OT teams is the alignment of cyber security and organisational strategies. For many mid market companies, cyber security is focused on technology solutions instead of business strategy, says Gergana Winzer, KPMG Partner, Enterprise Advisory Cyber Services. ‘In our experience, cyber is approached tactically. Organisations buy standalone pieces of technology that only solve parts of the problem.’ There is a better way.
Changing the narrative and making cyber a conversation for all departments will give you the best chance of building a resilient culture and moving the organisation forward in its cyber maturity journey. ‘When cyber and business strategies align, it increases efficiency and focuses effort on prioritising the most significant risks.’
Critical infrastructure mid market organisations must take cyber security seriously. The threat landscape is expanding, and the knock-on effect of an attack should not be underestimated. A holistic approach aligning cyber security and organisational strategy incorporates the appropriate regulation across all business areas. It brings IT and OT together to work towards a common goal and will increase resilience so mid market businesses can be prepared when the worst happens.
Businesses can look at cyber strategically, asking where it sits in the risk register and aligning the strategy with wider organisational goals. This encourages purposeful action that positively impacts all business areas.