Directors can be held personally liable for destructive cyber-attacks, but super funds are complacent about the mounting threat, a cyber security adviser said in a session entitled ‘The anatomy of a hack’.

Carl Woerndle, cyber security advisor at Deloitte, said the chief executive played a critical role in combating attacks and that it was vital the board understood the threat, as a “cyber-attack on a company may result in its directors being held personally liable under the Corporations Act for failing to discharge their duty to act with due care and diligence”.

Prior to his role at Deloitte, Woerndle was the chief executive of Distribute IT, which had a 10 per cent market share of .au domain names. A cyber-attack destroyed his business in a few days which had been profitable and growing with a positive cash flow.

“We had hackers, rather than stealing our data, deliberately bring down our structure. Within three days of the attack starting our clients started to bail. Three days destroyed nine years of building the business,” Woerndle said.

He said that attacks were common and growing in sophistication.

“I had 30,000 clients and on average five of them a day were being destroyed by hackers.”

The best way for funds to defend themselves was to “prepare, prepare, prepare”. Woerndle said plans need to be made in advance so that funds are ready to deal with a major event. Once a plan has been developed it needs to be tested by a third party as would more accurately simulate the situation and the need for crisis response.

Monitoring the dark web – the portion of the web that cannot be found using search engines and houses such infamous sites as the Silk Road – is a vital part of defending funds against cyber-attacks as it allows resources to be intelligently and efficiently deployed.

“Funds have limited resources and the scatter gun approach, where you try to cover everything, spreads you too thinly and makes you more vulnerable. Having that intelligence allows you to target the way in which you respond.”

Another key is avoiding tipping off hackers that their presence has been detected with knee-jerk reactions, such as pulling out computers and shutting down networks. If a hacker is in a system they could have been there for months and have multiple access points.

Closing down access of one of these points will encourage the hacker to implement their plan of attack and dramatically decrease the time available to respond to the threat. Additionally, knee-jerk reactions remove vital components needed for forensic analysis and diminishes the ability to mount a legal case.