Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

Read more ...

Conclusion: Australian organisations and agencies need to embrace the European Union’s new General Data Protection Regulation (GDPR) legal framework for protecting and managing Private Individuals Information (PII). There is considerable risk to organisations that do not take action to comply, financially and to organisations’ brands.

There are also potential upsides in embracing the requirements and being able to demonstrate compliance with the accountability principles, and implementing both technical and organisational measures that ensure all processing activities comply with the GDPR.

Whilst Australian companies may already have practices in place that comply with the Australian Privacy Act 1988, GDPR has a number of additional requirements, including the potential appointment of “data protection officers”. Action should already be taking place, and organisations should not underestimate the time and effort it may take to reach and maintain compliance.

Read more ...

Conclusion: IT executives must appreciate that managed security services is not a simple IT outsourcing function, because cyber security it not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost implications for both parties and will require a commitment to continually reviewing suitability of services. Executives should aim to evolve their own cyber risk management capabilities around people, process and technology, because this internal maturity is required to get the most from engaging with an MSSP.

Read more ...

Conclusion: Security awareness programs are an attempt to change staff behaviour for the protection of an organisation’s information assets, and also an attempt to change corporate culture to support and encourage desirable behaviours. However, security awareness programs also run the risk of overwhelming staff with too much fear, uncertainly, and doubt. A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of “relaxed alert”, or “Code Yellow” in Cooper’s Colour Codes.

Read more ...

 IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

Read more ...

Forensic software firm Nuix has begun a search for a new chief executive with a "global IPO skill set", all but confirming plans to pursue a public listing in 2017 that may deliver the ASX a new $1 billion-plus technology company.

The move comes at the same time as the company has appointed cyber security expert and former US ambassador to Australia, Jeffrey Bleich, to its board, signalling a greater focus on its cyber products.

The company, which was founded in 2000 by a team of computer scientists and last year was instrumental in the Panama Papers investigation by providing the technology that was used to analyse the documents, is expected to be worth more than $1 billion when it lists.

Full Story

Cyber security experts have warned the federal government must put aside budget deficit concerns and invest in upgrading aging computer systems vulnerable to a damaging attack from a foreign state. 

 
Concerns about such an attack intensified after the United States government recently accused Russia of using cyberpower to influence the outcome of the 2016 presidential election by ordering attacks on the Democratic National Committee's computers and those of other political organisations.
 
 
 

Conclusion: Bugcrowd, Hivint, Kasada, and Secure Code Warrior each has a proven capability to address an important aspect of the cyber defences of Australian organisations. The Australian Cyber Security Strategy, launched in April 2016, advocates the promotion of local capabilities where Australia can build globally competitive solutions. These four vendors are already being used by leading local cyber security executives, and their capabilities are acknowledged.

Read more ...

After making a splash in the data centre, software-defined networking (SDN) is now becoming increasingly relevant for the enterprise WAN, with analysts saying the software-defined WAN (SD-WAN) has the potential to reduce capital and operational expenditure, hasten network provisioning and increase network availability.

In their recent paper, ‘Cloud and Drive for WAN Efficiencies Power Move to SD-WAN’, IDC analysts Brad Casemore, Rohit Mehra and Nav Chander discussed how SD-WAN can help organisations meet the network requirements of their branches and remote sites.

Full Story

Conclusion: In the IBRS Security Leadership capability maturity model, buying more product is level 2: Alienated, and is typified by IT teams that are struggling to take on the challenge of cyber security because they address it as a technical problem. Buying product without a clear understanding of the business risk it is aiming to address is a guarantee for failure. But for organisations that understand that cyber risk is much more than IT, know there is a business risk that comes with cyber capability, and have the organisational will to address it, technology can make a significant difference in automating and accelerating capability. These three vendors, Crowdstrike, CyberArk and Tanium, are well regarded by leading Australian customers.

Read more ...

Conclusion: Organisations must proactively manage exactly which data is kept, secured, and backed up, as well as which data must be archived or permanently deleted. Data hoarding adds considerably to storage costs as well as potentially exposing organisations to risks especially if the data is inappropriate, unencrypted, or could put an organisation’s brand at risk.

Organisations need to have clear policies on exactly what sort of data is to be kept, especially when there are legal, regulatory or other specific reasons for keeping the data. Additionally, organisations need to be clear on what should not be kept.

Organisations cannot leave the management of this issue at simply expecting compliance to a policy. Business stakeholders must be closely involved in defining the business imperative for tracking data relevance and the value of data. Data specialists equipped with the appropriate tools will be required to specifically find data and manage it based on defined policies.

Read more ...

FireEye has recently struck a deal Microsoft, designed to place the security vendor's iSIGHT Intelligence into Windows Defender, an inbuilt Windows security offering.

Terms of the deal will see FireEye gain access to telemetry from every device running Windows 10, serving up access to almost 22 per cent of the total desktop market, alongside laptops and Windows mobile phones.

Widening the security scope further, Microsoft previously intended to have one billion devices running Windows 10 by 2019.

While the vendor has since backtracked on this statement - stating that the process would take longer than originally predicted - the direction of travel is clear.

Full Story

 

Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.

Read more ...

The Reserve Bank of Australia's top technology executive has said the central bank's networks are being probed by potential hackers every two seconds and that almost 70 per cent of the emails received by RBA addresses are malicious.

In a wide-ranging speech to an annual conference held by technology research giant Gartner in Queensland, RBA chief information officer Sarv Girn highlighted the conflicting challenges involved with running an innovative tech strategy, while also remaining secure.

He said the RBA's tech strategy was a delicate balancing act between the need for resilience and the need to innovate and react to changes being wrought by the numerous disrupters in the booming start-up fintech sector.

"Whilst attaining digital reliability has been a crucial need for many years, the impact and consequence of getting this wrong in today's economy can threaten the very viability of an organisation," Mr Girn said.

Full Story

Commonwealth Bank of Australia's technology chief has led calls for increased cooperation among businesses and public sector agencies regarding cyber attacks, following the release of a government report highlighting increasing threats.

The government's peak cyber security agency the Australian Cyber Security Centre (ACSC), released an annual threat report on Wednesday morning, warning that government agencies were being compromised by hackers and that many businesses were too secretive about the threats they were facing.

While security industry insiders said the report did little to provide new information or practical advice about well-known threats, CBA's chief information officer David Whiteing told The Australian Financial Review he viewed it as an important contribution to a nation-wide effort to uplift the awareness of security teams and the general public

The report provided anecdotes about recent assistance that government departments and private sector organisations had needed from The Australian Signals Directorate (ASD) in tackling cyber attacks

Full Story

Conclusion: To be effective a cyber security program that controls access to hardware, software and data needs to be comprehensive and include all stakeholders. The challenge for IT and line management is to shape the message to the audience in terms they understand so they take their responsibilities seriously.

Read more ...

Conclusion: This research note sets out and describes the Security Leadership capability maturity model. In using this model, organisations must be honest about their current level before they can even speculate on the benefits of working towards a higher maturity level. Working towards higher levels of maturity has clear benefits for both IT and the business, as well as business alignment of IT. However, a critical part of the journey will be dealing with any resentment from business units about their experience to date. Security Leadership cannot emerge unless prior bad experiences around service delivery are acknowledged and addressed, because it is a commitment to trust and resilience from the organisation as a team.

Read more ...

  • Gain valuable insights into how security leaders are positioning cyber-security and risk within their organisations
  • Be able to self-assess how your organisation measures up on the IBRS capability maturity model for security leadership
  • Learn how to position cyber-security so that it is aligned to business priorities 

"This Master Advisory Presentation is designed to guide and stimulate discussion between business and technology groups, and point the way for more detailed activity. It also provides links to further reading to support these follow-up activities." James Turner, Author of the Security Leadership MAP.

For a deeper understanding of how security impacts the way business is done, download your copy now. 

Read more ...

A security leader understands today’s cyber risks, how these apply to their organisation and market, and has management’s confidence to address these risks responsibly. A security leader guides the organisation through the realities of the new business environment, aligning the organisation’s practices and technologies to its risk appetite, and ensures these controls match and support the organisation’s desire for growth and innovation.

This MAP is designed to guide and stimulate discussion between business and technology groups, and point the way for more detailed activity. It also provides links to further reading to support these follow-up activities.

Read more ...

Conclusion: The introduction of Software Defined Networking (SDN) offerings touted a number of benefits around simpler and more agile network management and provisioning, lowering capital and operational costs.

Read more ...

With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

Applying the Five Knows of Cyber Security is a must read for organisations that may be exposing themselves to risks through their supply chain.

Read more ...

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...


Business leaders must accept that ransomware attacks are a foreseeable risk. 

Conclusion: Ransomware has proven such a successful cash cow for criminals that it is unlikely they will voluntarily stop their attacks. This means that business leaders must accept that further ransomware attacks are a foreseeable risk. While there are important conversations around the level of appropriate technical controls that an organisation may wish to implement, this conversation can only occur after business leaders have decided whether they want their organisation to help fund organised crime, or not. For organisations with a strong corporate social responsibility ethos, this is a very easy decision to make, but it is imperative that business leaders understand why they are committing to better technical hygiene and accepting tighter technical controls.

Read more ...

Conclusion: IT executives in financial services organisations have expressed frustration at the seemingly vague requirements of APRA, but this misses the true intention of APRA. APRA is not anti-Cloud, but the regulator insists that financial services organisations consult with APRA so that APRA can gauge the maturity of the proposed plan. This is not a mechanism to forbid Cloud, but rather a sanity check to ensure the stability of the Australian financial market by ensuring that organisations are not abrogating their risk identification and management responsibilities.

Read more ...

Outside of the big four banks and Telstra, Australia lacks world-class cyber security teams.

by James Turner

A few weeks ago I was fortunate enough to attend the world's largest cyber-security event, RSA Conference, in San Francisco. This year was the 25th anniversary of the conference, and there were 40,000 attendees, and over 500 vendors exhibiting.

My experience at RSAC reflected my experiences at many other international cyber-security gatherings over the years. I have come to the conclusion that Australia has pockets of cyber-security leadership that are world-class, and in some instances, world-leading. But these pockets of capability – almost all at the top end of town – are insufficient for the nation's needs.

In Australia we have a small number of organisations with big cyber-security teams, and established leaders with excellent bench strength in their direct reports. Principally, these pockets of cyber maturity are in the big four banks, and a hothouse of talent that has emerged in Telstra.

Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people can respond in many ways to something they do not understand with responses ranging from denial to fear. Consequently, a frequent challenge to better security maturity is inertia, rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers the decision maker. Consequently, valuable conversations about risk and threats can be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned and, in many cases, even raising the label of security can undermine initiatives that had security as an objective.

Read more ...

Conclusion: As cyber security gains awareness among business leaders, many organisations are undertaking new cyber risk management initiatives. However, these initiatives can be misdirected if business leaders are not clear on why they are doing them. On the journey to improving an organisation’s cyber security maturity, the question “why?” is a powerful tool to test alignment of security to business requirements.

Read more ...

Conclusion: Organisations must understand that cyber risk is not merely a technical issue that can be delegated to IT but is a business issue that comes hand-in-hand from operating in a modern, online, ecosystem. Until cyber risk is treated as a business risk, we will continue to see organisations fighting a rear-guard action to threats that should have been designed-against through better digital business strategy.

Read more ...

Conclusion: Unless an organisation has an already strong cyber security capability, or the budget and appetite to progress its maturity very quickly through expanding its headcount and changing business processes, it is unlikely that any security tool purchases will help. Instead, organisations aspiring to improve their cyber security maturity should focus on business alignment through risk driven conversations, and addressing and automating technical hygiene issues.

Read more ...

Conclusion: Open Data initiatives have been supported by all levels of enterprises, especially government, for a number of years. To date the success stories have not matched the hype.

In many cases local IT departments have been left out of Open Data initiatives.

Read more ...

Conclusion: The role of a cyber security executive is challenging at the best of times, as they need to continually strike a balance between informing and influencing, without continually alarming. But the context surrounding why an organisation creates a cyber security executive role is critical to the success of cyber risk management. Executive level commitment is required continually to ensure that the cyber security executive’s message and mandate are understood by all. Ultimately, a neutered cyber security executive will result in a fragile organisation with excessive, inappropriate, or inadequate controls. Organisations with controls that are mismatched to their objectives will be easy pickings for both attackers and regulators.

Read more ...

Conclusion: The challenge with handling threat intelligence is in assessing its relevance to an organisation, determining an appropriate response and then continual execution and reassessment. Consequently, the more comprehensive the threat intelligence service is, the greater the requirement for a customer to have existing, mature cyber security capability. Organisations must understand how they will use a threat intelligence service and what business benefit it will deliver to their organisation.

Read more ...

Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security and IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders, to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and for many security practitioners to make the mental shift from technical do-ers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber-security and that this person is adequately informed, and empowered to execute on this accountability.

Read more ...

Conclusion: There are two compelling information security reasons for creating a sense of purpose and ownership within an organisation. The first is that a sense of purpose and ownership will empower staff so that they move from responding to basic security hygiene matters, towards pre-empting issues. The second reason is so that organisations look out beyond themselves and work towards a more resilient ecosystem.

This level of resilience maturity is vital and will be driven by leadership and a continuing commitment to talent development. Astute security leaders will use cultural indicators such as engagement and sense of purpose and ownership, as a guide to the ability of the organisation to withstand security incidents.

Read more ...

Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.

Read more ...

This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved to have electricity or water be provided to a home. And just like electricity and water, when there is an incident in the IT supply chain, the impact can be considerable on the end consumer.

 Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem that their organisations operate in, and are starting to work on securing the resilience of every link in the chain – and this will take time, effort, and collaboration.

Read more ...

Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

Read more ...

Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities. While the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.

Read more ...

Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences. Due to its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.

Read more ...