It’s manual work, producing a tangible product. Not the first company you would expect to be a cyber attack target. Might not have even made a top 100 target list. However, in June 2021, JBS USA was shut down by a sophisticated cyber attack from an organised cybercrime syndicate.
The breach impacted more than the USA, with processing plants across the world, including Australia, shut down while global IT experts got to work to resolve the problem. Employees, retailers, shareholders and customers all had to wait in the dark to find out when operations would be up and running again.
In the end, JBS USA paid AU$14m in bitcoin ransom to decrypt their systems or stop their data from being released without their permission. JBS said this was a hedge against risk to its customers – although that’s quite a risk to take when your data is already in the hands of criminals and the horse has well and truly bolted. Not all ransoms paid end this way.
Now, as a business, JBS has invested a lot in technology and automation of their systems. As a global organisation, they have an extensive digital footprint. While I don’t know exactly what systems they did have in place, I think it is safe to assume that they have processes in place to protect against cyber breaches.
However, there are questions that can be posed in light of the breach that can be applied to any business before a cyber event occurs. How often is the cyber strategy reviewed? Had the IT team rolled out improvements that created new vulnerabilities? As the company grew and made acquisitions, did they conduct cyber due diligence or incorporate new businesses into the cyber fold? With the benefit of hindsight, what would the company do differently?
What is stopping you from investing in your cyber security?
Cyber is an expensive business. Talking to clients and Boards, we know that this is sometimes a barrier, particularly for companies that don’t see the inherent value in their data, clients or IP. That cost is of course compounded hugely if your business experiences a hack or data breach – with latest figures suggested the average breach costs AU$3.35m in 2020.
Some questions for Boards and executives to consider are:
- How many proposals or requests for funding have you knocked back in relation to cyber because it was too expensive or outside budget?
- How many reports have you read from an expert or internal audit function without really knowing what you were reading, what it meant and how to really “fix” it?
- How is cyber being reported to you and what is being reported?
- When did you last review the board skills matrix? How comfortable were you that the board had the cyber risk knowledge requirement covered?
- How much cyber due diligence do you do around acquisitions?
We are likely to see more cyber crime, more hacks and more ransoms in future – not less. More sophisticated criminals, and more vulnerabilities as companies invest in more tech. Ask yourself if your company truly understands your risks and has the appropriate protections in place to prevent your business from paying well above the odds for lack of preparedness.