Risk Management

The Latest

28 October 2021: The US Senate voted unanimously to deny Huawei and ZTE from supplying equipment to US enterprises due to national security threats that would violate the Secure Equipment Act. Once approved by Pres. Joe Biden, the companies will not be granted equipment licenses by the Federal Communications Commission (FCC) under its ‘Covered Equipment or Services List’. A few days before, the Federal Bureau of Investigation (FBI) raided PAX Technology's Jacksonville warehouse after reports of alleged transmission of malware through the Chinese manufacturer's point-of-sale (PoS) terminals.

Why it’s Important.

As a member of Five Eyes (FVEY), an alliance of countries including Canada, New Zealand, the UK and the US, for joint cooperation in signals, military and human intelligence, Australia has previously followed the US in cutting off suspicious foreign tech companies' domestic presence due to national security concerns.

• Australia blacklisted Huawei and ZTE in 2018 from selling 5G equipment. The two firms vehemently dismissed accusations over high-speed mobile network espionage, citing discriminatory tactics even with a no-backdoor agreement. 
• In the same year, the Australian Defence Department banned messaging and payment app WeChat for failing to meet the organisation's standards for use on networks and mobile devices but not necessarily because of security and privacy issues.
• In late October 2021, PoS terminals from PAX were detected sending anomalous network traffic, which has seen formal requests to replace the equipment due to security concerns. 

The fundamental issue here is supply chain security - the ability of nation state actors to inject spyware (or other malware) into equipment that is broadly used globally. Even where the security risks are not validated, the potential remains. It must also be noted that in the recent past, allies of Australia have engaged in such activities.

With the current geopolitics on global telecommunications being influenced by the US, sweeping impacts on the global supply chain and reduced competition in the market are likely.  

IBRS expects this technology supply spat will expand into areas outside of telecommunications, such as industrial control systems and PoS. Any widespread technology that can be used to impact or monitor aspects of national economies are likely targets.

Who’s impacted

• Telecommunications procurement

What’s Next?

For organisations considering foreign-manufactured tech products and services, look more closely at the implications of selecting such equipment or platforms. While there is still no public evidence on the credibility of allegations against specific state actors, senior leaders must take security concerns in their organisation and assess the risks they are willing to take when selecting any vendor.

In addition to the security risks, there are also reputational risks, and risks associated with having to replace key solutions, such as is the case with the PAX PoS hardware.

Related IBRS Advisory

1. Choosing Huawei could be risky - but not why you think
2. Are you FRUSTRATED with procurement? Why procurement often goes off the rails

The Latest

29 April 2021: Cloud-based analytics platform vendor Snowflake has received ‘PROTECTED’ status under IRAP (Australian Information Security Registered Assessors Program).  

Why it’s Important

As IBRS has previously reported, Cloud-based analytics has reached a point in cost of operation and sophistication that it should be considered the de facto choice for future investments in reporting and analytics. However, IBRS does call out that there are sensitive data sets that need to be governed and secured to a higher standard. Often, such data sets are the reasons why organisations decide to keep their analytics on-premises, even if the cost analysis does not stack up against IaaS or SaaS solutions.

The irony here is that IT professionals now accept that even without PROTECTED status, Cloud infrastructure provides a higher security benchmark than most organisations on-premises environments.

However, security must not be overlooked in the analytics space. Data lakes and data warehouses are incredibly valuable targets, especially as they can hold private information that is then contextualised with other data sets.

By demonstrating IRAP certification, Snowflake effectively opens the door to working with Australian Government agencies. But it also signals that hyper-scale Cloud-based analytics platforms can not only offer a bigger bang for your buck, but greatly improve an organisation's security stance.

Who’s impacted

• CDO
• Data architecture teams
• Business intelligence/analytics teams
• CISO
• Public sector tech strategists

What’s Next?

Review the security certifications and stance of any Cloud-based analytics tools in use, including those embedded with core business systems, and those that have crept into the organisations via shadow IT (we are looking at you, Microsoft PowerBI!). Match these against compliance requirements for the datasets being used and determine if remediation is required.

When planning for an upgraded analytics platform, put security certification front and centre, but also recognise that like any Cloud storage, the most likely security breach will occur from poor configuration or excess permissions.

Related IBRS Advisory

1. Key lessons from the executive roundtable on data, analytics and business value
2. VENDORiQ: AWS Accelerates Cloud Analytics with Custom Hardware
3. IBRSiQ: AIS and Power BI Initiatives
4. VENDORiQ: Snowflakes New Services Flip The Analytics Model

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is on the increase and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces the recovery time from a cyber incident, but also contributes to lowering the premium for cyber insurance. It is akin to having fitted window locks to a house, lowering insurance premiums in certain circumstances.

Google’s security posture, and threat assessment services, and services to manage security incidents effectively are sufficient to both reduce the frequency of security incidents and lessen their impact. Insurance actuaries see the benefit in such services and have determined there are savings to be made by the lower risk and risk mitigation profiles. 

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

• CIO
• Development team leads
• Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

1. Improving Your Organisation’s Cyber Resilience
2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
3. How Does Your Organisation Manage Cyber Supply Chain Risk?
4. Why You Need a Security Operations Centre

The Latest

9 March 2021: Dropbox has acquired DocSend for US$165 million. This is a welcome addition to managing the risks associated with information management in a collaborative environment. 

Why it’s Important

Dropbox’s acquisition is not about organic growth, as DocSend’s client base of 17,000 users is dwarfed by Dropbox’s estimated 600 million. The deal is more about positioning Dropbox against the likes of Adobe Document Cloud, by allowing organisations to track what happens to information once it is shared. Being able to manage and track document access is a critical aspect of modern, enterprise-grade file sharing which is needed for secure collaboration. It is a feature missing in most collaborative platforms - at least out of the box. 

Who’s impacted

• CIO
• Development team leads
• Business analysts

What’s Next?

Being able to manage access and track who’s accessed a document is a good start for closing the governance issues of most collaborative platforms (e.g. Teams, Slack, Zoom, Zoho, etc.)  However, organisations should look at adopting a zero trust model for information assets, involving identity management linked to access controls and an ‘encrypt everything by default’ mentality.  

Related IBRS Advisory

1. Did Dropbox just break knowledge management?
2. IBRS survey exposes Teams risk - The Australian - 21 January 2021
3. Microsoft Teams governance: Emerging better practices
4. Data loss by the back door, slipping away unnoticed
5. Workforce transformation Part 2: The evolving role of folders for controlled collaboration