Emeritus Professor William (Bill) Caelli, AO
FACS, Fellow ISC2, Hon CISM
The world has changed as a result of the COVID-19 pandemic. With this, the business environment of the private and public sectors alike has urgently changed in response. Businesses went “on-line” at all levels, often over the open, public Internet. The systems used at both the consumer/client and the business/server ends must now face massively heightened threats to confidentiality, integrity, and availability (CIA).
Thus, business trust and confidence in “going on-line” must be largely constrained and tempered by the fact that, in many business cases, the systems in use were designed and intended to be operated in a past era of a more trusted information and communications technology (ICT) environment. Moreover, business users now face usage of, and even dependence upon, ICT products, systems, and services not really designed or developed for critical business operations, including the home-based personal computer (PC) connected to business servers via Internet data communications and Internet service providers (ISPs). In addition, attacks on such systems have grown massively in number over a short period, while the sophistication of those attacks has likewise advanced massively, with attacks deployed at criminal as well as nation-state levels.
Globally, there has been a notable response by governments through the creation of more regulatory regimes for cybersecurity covering both public and private sector operations. These regimes carry associated and enhanced legal and societal responsibilities now placed on enterprise management, particularly in the nations of the European Union (EU) and the USA, but also elsewhere, including in Australasia and South-East Asia.
In fact, businesses must now utilize standards for information security risk assessment and management that clearly outline perceived threats, identify vulnerabilities, and propose appropriate countermeasures. In turn, this identification of threats and countermeasures must address the CIA imperative through knowledge and installation of the necessary cybersecurity technologies and their associated management processes, with relevant personnel involvement.
Overall, this places obligations on business management to understand and plan for compliance with any national or international laws and regulations aimed at the governance of information systems. One example is the emerging legal responsibility of management to notify affected parties of a data breach, should one occur. Further legislative requirements must be expected in response to the heightened levels of attacks on information systems globally that have followed business responses to the COVID pandemic.