The threat of cyberattacks continues to overwhelm many organisations, and it’s simply not a matter of ‘if’ but ‘when’ corporate networks will be breached by hackers.
At this month’s CIO Summit in Melbourne, IT leaders from organisations in many industries gathered for a roundtable luncheon to discuss the measures they are using to minimise the risk of cyber threats, with a particular focus on the weakest link in any security strategy – email. The luncheon was sponsored by Mimecast.
Nicholas Lennon, country manager at Mimecast, said email is the lifeblood of business productivity and a direct route to attack employees, and traditional email gateways no longer provide good enough protection.
“Inbound links and their source domains need to be analysed and checked in real-time. Simple email attachment policies need to be upgraded with a sandbox or transcription service to combat weaponised Office documents and PDF files,” Lennon said.
Lennon added that primary cloud services like Microsoft Office 365 are growing quickly in Australia and present old and new risks to organisations.
“Multiple layers of security are still required, especially as a popular cloud service becomes one giant lock to pick. Email is so critical to the daily operations of banks, hospitals, and governments, that secure backup systems are needed,” he said.
Suzanne Hall, ICT manager at VincentCare Victoria, said to minimise the risk of all threats, all emails at the organisation are run through two filters. The ICT team also conducts frequent and ongoing education and training for staff regarding emails, the potential for viruses and the consequences of virus attacks.
“To minimise the potential damage of email threats, VincentCare uses a regimented Active Directory security structure to manage user access to applications, data, and network drives.
“In the event of a virus attack, the attack is contained to data, files, and network drives accessible to the user who clicked on the email threat. The security structure limits a virus’s ability to spread throughout our ICT environment,” Hall said.
“Also, since moving to a private cloud in 2014, there has been an increased ability for fast data recovery in the event of a virus attack. Data can be quickly restored from the previous night’s online backups as opposed to having to restore from tape backups, which was a longer process when data was stored on-premise.”
Wendy Pryor, head of digital and emerging technology at Museum Victoria, said the organisation has introduced Exchange Online Protection in the cloud, which provides anti-spam and anti-virus services.
“Our strategy is multi-faceted and includes maintaining and updating policies and procedures and acting on them, and activating the ‘human firewall’ through ongoing education of staff.
“It’s also about implementing a patch management strategy as well as updating app software to current versions; monitoring and acting on alerts from multiple sources; maintaining a regime for data backups and snapshots; and isolating affected machines in the event of a threat,” Pryor said.
Law firm Griffith Hack has a full-time staff member whose main focus is network and security, said CIO Andrew Mitchell.
“We do not allow direct downloading of any software from the internet. If there is a business requirement, IT will review, download and test accordingly before installation,” he said.
The need for data classification
Data is more valuable than ever before and organisations need to pay special attention to customer, financial, and intellectual property, said Mimecast’s Lennon.
This makes data classification an important part of any security strategy. VincentCare classifies data into two categories: critical data/apps, and other data/apps.
“We classify data for disaster recovery (DR) purposes rather than for security purposes,” said ICT manager Suzanne Hall.
“Our critical data is replicated to a secondary data centre for DR to ensure they are fully recoverable within the required timeframes in the event of an IT disaster.”
Griffith Hack’s Mitchell said the organisation has not classified its data, as every piece of information either received or sent out is captured. However, his company does classify data at a systems level, he said.
“For example, all incoming email is captured and distributed properly to a relevant individual or group. We do monitor due to a business process requirement and we do have security policies for every document created internally,” he said.
Museum Victoria’s Pryor said the organisation has commenced the process of data classification to inform its storage planning.
“The results of classification will flow into our business continuity plan and cloud strategy because we will be much clearer about our requirements,” said Pryor.
Dealing with the fallout after an attack
How an organisation responds to an attack and communicates with internal staff and external customers can often determine the extent of reputational damage.
The everyday implications of a data breach are now well understood, and there are costs associated with loss of data, breach remediation, PR damage limitation and fines, said Mimecast’s Lennon.
“Worse still, there’s a loss of trust and reputation with customers and employees that has a deep and long-lasting impact,” he said. “If your organisation is hacked, you should expect great scrutiny on your security investments in technology and training.”
“Australia will soon introduce mandatory data breach notification laws and organisations need to ensure they begin planning for these in their disaster scenarios to reduce the risk of future fines.”
In the event of a breach, internal communications would be provided as soon as it was identified – stating the nature of the attack while telling users what to look out for, and asking them what they have received, said Griffith Hack’s Mitchell.
“For external customers, if it is deemed appropriate to communicate, for instance, something potentially impacting them, then communications would be prepared by the business,” he said.
VincentCare Victoria’s Hall said in the event of a security breach, the extent and implications of the attack will be investigated and contained as far as reasonably practicable.
“The details of the breach will be escalated to executive management for an assessment of risk. All notification to individuals or organisations who may be potentially impacted as a result of the breach would be through the CEO,” Hall said.
Barrie Williams, senior manager, infrastructure advice and delivery group, at the Department of Treasury and Finance in Victoria, believes threats to an organisation’s operational functions should be addressed holistically.
“Executive management must be responsible for establishing a level of risk appetite and the necessary policies, procedures and plans to ensure that a breach would be economically unlikely,” he said.
“And if a breach was to occur, the business has the tools, resources, knowledge, and tested practices to contain, restrain, and terminate the activity. We need to get past the silo mentality of exclusive responsibility. In a working environment, security should be everyone’s responsibility,” he said.