Balancing cybersecurity investment: Addressing threats for mutuals and co-operatives

10 July 2023

By Chris Nguyen, Head of Information Security, Experteq

Chris is the Head of Information Security at Experteq, a trusted IT partner, owned by Australian mutuals, for organisations that operate in highly secure and regulated environments. Experteq is a BCCM associate member.

Here at Experteq, we have witnessed firsthand the unique challenges faced by mutuals and co-operatives in maintaining a strong cybersecurity posture. In today’s rapidly evolving threat landscape with many high-profile cyber breaches, finding the right balance between investing in cybersecurity measures and managing the potential costs of a breach is a critical concern for mutuals and co-ops looking to maintain their trusted position with members.

Here are some of the challenges organisations are facing today:

  • Financial fraud: For mutual banks specifically, financial fraud poses a significant risk, taking various forms such as account takeovers, credit card fraud, and wire transfer fraud. However, other industries such as healthcare, pharmaceuticals and technology, particularly those dealing with financial transactions, are not immune to the risks of financial fraud.
  • Phishing and social engineering: Cybercriminals often use phishing and social engineering tactics to target organisations in all industries, exploiting their trusting nature. Over 90 per cent of cyberattacks begin with a phishing email. Initial access to an organisation is so crucial within the attack chain that there is a dedicated market for initial access brokers.
  • Third-party and supply chain risks: Organisations across industries rely on third-party vendors and partners for various services. This interconnectedness can introduce additional cybersecurity risks, making thorough due diligence on all third parties and continuous monitoring of their security posture crucial. This was demonstrated during the SolarWinds compromise, where threat actors used such third-party breaches to gain access to Microsoft, Intel, Cisco, and a long list of US federal agencies.
  • Compliance with Australian regulations: For Australian financial services mutuals, compliance with specific requirements of Australian Prudential Regulation Authority (APRA) standards is essential. Co-ops and mutuals across all industries need to comply with privacy laws and other specific frameworks.

Strategies for fortifying cybersecurity and balancing investment

Drawing from our experience, the following strategies can help organisations strengthen their cybersecurity posture while balancing investments and managing the potential impact of a breach:

  • Implement a robust risk management framework: Develop a comprehensive risk management framework that covers cyber risk. This framework should include regular risk assessments, prioritisation of critical assets, and ongoing monitoring of your organisation’s security posture. An Information Security Management System (ISMS) framework or the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) could be used to manage risks.
  • Enhance authentication measures: Adopt multi-factor authentication (MFA) for both employees and customers to reduce the risk of unauthorised access to sensitive data and systems. Implementing strong password policies and leveraging biometric authentication (where available) can further enhance security across various industries.
  • Develop a comprehensive incident response plan: Prepare for potential cyber incidents by developing a comprehensive incident response plan that outlines the steps to detect, contain, and recover from a breach. Regularly testing and updating this plan is crucial to ensure its effectiveness.
  • Strengthen employee and customer awareness: Provide ongoing security awareness training and information for employees and customers to help them recognise and respond to potential threats, such as phishing attacks and social engineering tactics. This training should be tailored to the unique risks and updated regularly to address emerging threats.
  • Monitor and manage third-party risks: Conduct regular assessments of third-party vendors and partners to ensure they meet your organisation’s security standards. Implementing contractual clauses that outline security expectations and requirements can help reduce third-party risk and maintain a secure supply chain across various industries.
  • Leverage cost-effective cybersecurity solutions: Cybersecurity doesn’t have to break the bank. Leverage cost-effective solutions, such as open-source tools, cloud-based services, and outsourcing certain security functions to managed service providers, to achieve a high level of protection at a fraction of the cost of in-house solutions.
  • Cyber insurance: While not a substitute for robust cybersecurity measures, cyber insurance can help organisations manage the financial risks associated with a cyberattack. By providing coverage for expenses related to incident response, legal fees, and regulatory fines, cyber insurance can serve as a safety net that helps businesses recover from a breach more quickly and with fewer financial repercussions.
  • Continuous evaluation and adjustment: The threat landscape is constantly evolving, making it essential for organisations to regularly evaluate and adjust their cybersecurity investments. By staying informed of emerging threats and industry trends, businesses can make informed decisions about where to allocate resources and how to adapt their security strategies. Two key sites I suggest you follow are ACSC and CISA, and you can sign up to their alerts.

In an increasingly connected world, the importance of effective cybersecurity cannot be overstated. By taking a proactive approach to cybersecurity, mutuals and co-ops can not only protect valuable assets but also maintain the trust of their members and stakeholders.
