Technological advancements have revolutionised the utility and infrastructure sectors and brought opportunities and efficiencies on a never-before-seen scale. However, Tommy Viljoen, Leading Partner, Cyber Security and Governance at Deloitte Australia, who has spent the past decade focusing on avoiding and remediating cyber attacks, warns that these developments go hand-in-hand with cyber attacks – one of the greatest risks facing critical infrastructure today.
Ahead of his appearance at the 2019 Asset Management for Critical Infrastructure Conference, running from 20–21 August at Swissotel in Sydney, we talked to Mr Viljoen about how cyber attacks can impact businesses and what companies can do to protect themselves.
Generally speaking, the motivation behind cyber attacks is malicious as they are designed to cause wide-spread damage to organisations and their systems. Specifically, they can be described as inappropriate or inadvertent access to or disclosure of information, manipulation of information; destruction of information or equipment; and prevention of online access to information of equipment.
Preparing for the worst
Mr Viljoen says it is crucial that organisations bridge the gap between technology and their core business and that companies that ignore the risks of cyber attacks do so at their peril.
“I regularly come across three main misconceptions,” Mr Viljoen said.
“Firstly, companies think that cyber attacks won’t happen to them. But we are seeing so many successful attacks or inadvertent errors, that companies need to plan for ‘when’ they are the target of cyber attacks, not ‘if’.
“Secondly, often companies treat cyber attacks as a ‘low risk’ threat, with minor consequences. But they can be extremely costly for a company’s reputation, and health and safety record. Cyber attacks can also present significant financial implications; I can think of many organisations that have recovery bills and regulatory fines that run into the hundreds of millions.
“Lastly, organisations wrongly think they have adequately covered their corporate network, but don’t recognise that everything that is connected to the network – corporate, operational and recreational equipment as well as home computers and devices – all create a digital footprint that can be subject to an attack.”
Mr Viljoen said it’s not ‘one size fits all’ when it comes to protection against cyber attacks. He has worked with financial services, government and companies that deliver infrastructure and services to develop, acquire and consume cyber capabilities commensurate with the nature of their business and cyber threats and risks facing them.
However, Mr Viljoen said there were common principles for organisations in the utility and infrastructure sectors to consider to help plan their cyber security.
“It’s crucial that organisations operating in the critical infrastructure sector identify what they care about most, and then ensure it is protected from an attack or inadvertent cyber activity,” Mr Viljoen said.
“There must be clear line of sight of what is happening with the critical assets when it comes to cyber and there must be plans in place for how to respond if an attack or error occurs.
“When it comes down to it, the more you care about the assets, the more mature your levels of protection, monitoring and response needs to be.”
Tommy will provide advice and help organisations demystify their critical infrastructure cyber protection measures in his presentation, How to manage critical infrastructure cyber attack risk, at the 2019 Asset Management for Critical Infrastructure Conference, running from 20–21 August at Swissotel in Sydney. Tickets are still available – you can register at assetmanagementevent.com.au/buy-tickets.