Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and the popularity of bring-your-own-device (BYOD).

That’s a decent growth rate, enough to pique the interest of managed IT services providers looking to grow their business.

They already have established client relationships, and those clients, like all businesses, face constant challenges staying secure in the face of an ever-evolving threat landscape and a shortage of cyber skills.

Many managed IT services providers (MSPs) already offer some elements of security, such as antivirus, intrusion detection and managed firewall, but there’s a huge gap between these and offering a fully fledged managed security service via a 24x7 security operations centre (SOC) and security information and event management (SIEM) software to provide real-time analysis of threats, generate alerts and advice on remedial action.

Technical competence is one challenge faced by any MSP contemplating becoming an MSSP.

Full Story

Conclusion: If the broader business is to commit to investing in security, both emotionally and financially, they will need to buy into their responsibility. Security is likely to be seen as an IT problem because historically the minimum level of protection came through network and operating system security staff embedded deep in IT. Technical controls are not sufficient to protect an organisation from all known and potential threats as they are only as strong as the rules and configurations implemented by human operators. If nothing else, raising the profile of security to a broader audience with relevant, personalised messaging will begin to show the business how they can extract full value from security investments and dispel the belief that IT should solve the “security problem”.

Read more ...

Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.
The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.

Read more ...

Related Articles:

"Can IBRS assist on how to report on IT security metrics to business executives?" IBRS, 2018-05-13 23:32:09

"IT management leadership role in risk management" IBRS, 2018-05-04 18:43:08

"Use the NIST cybersecurity framework to drive for visibility" IBRS, 2018-06-01 04:19:32

The timing couldn't have been worse for PageUp; two days before Europe's new data protection regime came into force the Melbourne-based online recruitment specialist's security systems detected suspicious activity.

By May 28 – three days after the General Data Protection Regulation went live – PageUp knew client data may have been compromised and that it had 72 hours to alert the British Information Commissioner's Office, due to the UK's incredibly stringent laws on breach disclosure.

It has also liaised with the Office of the Australian Information Commissioner as required under the mandatory data breach notification rules, which came into force in February.

On June 1 it alerted its customers; on June 5 it confirmed the breach publicly.

Read More

In terms of cyber security years, Australia is still in the dark ages, a period typified by a lack of records, and diminished understanding and learning.

We're only a few months into practising mandatory data breach notification, while many parts of the world have been doing this for years. The United States has been disclosing breaches for more than a decade.

Countries where data breach notification is the norm are still maturing, and there is no upper limit to our understanding of managing cyber risk. But you can see, by the steps other parts of the world are taking, that they view security incidents very differently to Australia.

This month, at the annual gathering of the Society for Corporate Governance in the United States, Commissioner Robert Jackson Jr. from the Securities and Exchange Commission (SEC) said investors are not being given enough information about cyber security incidents to make informed decisions.

Read More

Cyber security and risk advisor at analyst firm IBRS, James Turner, said the cyber skills shortage had been prompting a wider rethink around resourcing in the domain for the last few years.

“It’s partly about talent scarcity but it’s also about bringing fresh eyes. It shows up in the diversity of thinking around cyber issues,” Turner said.

“Diversity is incredibly valuable, it counters groupthink. You want that in your security team, and definitely in any good red team.”

Turner said human history was “littered with disasters that stemmed from a group of people all thinking the same way and not contemplating that there could be other views.”

“I’ve seen people from not just analytics backgrounds but also as broad as history, languages and music go into cyber security and be highly effective.” 

Full Story


PageUp People, a successful Australian Software-as-a-Service vendor, has been the victim of a crime, with a data breach that could be extremely damaging for its prospects. There are two lessons for the industry that are worth drawing particular attention to.

The first lesson is that we need the victim to survive. Once PageUp is safely through this incident, one of the most valuable things its executives can do for the industry is to share their experiences and the lessons learnt.

Sharing this information is important because, as one security executive from an ASX50 company said to me, it could have been any of us. And, it is only through sharing these experiences and the lessons from these crimes that we, as an industry, can improve.

Despite years of security incidents and data breaches worldwide, many Australian executives think their organisations are magically immune. It's far too easy to underestimate the potential impact, the flow-on consequences, and the personal cost for people involved or affected.


Conclusion: A requirement of the European Union’s (EU) General Data Protection Regulation (GDPR) is the concept of “data portability”, which provides a right to receive personal data an individual has provided in a “structured, commonly used, machine-readable format”, and to transmit that data to another organisation.

Underlying data portability is an assumption that data standards exist and are widely used across all public and private sector organisations, especially in specific vertical industries, such as Financial Services, Health or Utilities. In many cases in Australia, no such standards exist and there is no framework to encourage industry cooperation.

Australian organisations needing to comply with GDPR will have to develop an approach and strategy to how they will provide data portability when requested to do so.

Read more ...

Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework and a guide when working through it will make application of the framework much more valuable. Aiming for visibility will enable an organisation to accurately gauge itself against each function, category and subcategory. Visibility will enable an organisation to honestly assert its current capability, and the gap to a more desirable level of capability. Achieving visibility will require ongoing collaboration with business stakeholders which, in turn, delivers visibility to these same stakeholders and ultimately enables informed decision making.

Read more ...

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers.

Rather there are three new regulatory forces impacting specific points of the cyber security posture of the Australian economy, where relevant businesses will face all kinds of trouble if they fail to keep up to speed.

These external obligations are the Notifiable Data Breach (NDB) scheme, the Security of Critical Infrastructure Bill, and APRA's draft of Prudential Standard CPS 234.

There are lessons to be learned from all three of these external obligations. At a simplified level, the NDB scheme addresses the security of people's data; the Security of Critical Infrastructure Bill addresses the technology that supports our lives, and CPS 234 addresses the processes and governance that protect our wealth.

Full Story:

Conclusion: The forthcoming General Data Protection Regulation (GDPR) legislation is being introduced by the European Union (EU), and it has ramifications for organisations worldwide.

Key aspects of GDPR relate specifically to what data exactly an organisation should be able to legally keep and for how long. The underlying principle is that less is best in terms of data collected and kept. For the data to have been legally collected, an individual has to have explicitly given their consent to the organisation to collect, keep and process their personal data.

Read more ...

Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and organisations should look at all three for insight into what is now expected to constitute reasonable and appropriate practice in cyber risk management. In turn, they address the importance of data value to customer trust, the importance of system control and supply chains to national security, and the importance of resilience to our economy.

Read more ...

Conclusion: In a world where organisations increasingly rely on the successful performance of their business systems it is important IT management takes the lead in managing the risk of systems failure and cyber security breaches from all sources.

Boards are ultimately responsible for monitoring risks. They direct IT (and business) management to create a framework and strategy to manage systems, including data, and cyber security risks. The framework must include policies, supported by processes and practices to ensure business systems operate successfully and the data stored is not compromised.

Read more ...

More than 60 data breaches have been reported in the first six weeks of the country's new Notifiable Data Breach (NDB) scheme, with healthcare providers making up almost a quarter of the mandatory notifications.

Of the 63 notifications revealed in the first report by the Office of the Australian Information Commissioner since the laws came into effect on February 22, legal, accounting and management services businesses made up 16 per cent, while finance institutions composed 13 per cent.

IBRS cyber security advisor James Turner said many companies in the healthcare sector still did not realise the gravity of the responsibility on their shoulders in terms of keeping people's data safe.

"I've been talking to healthcare providers around the traps and I'm stunned by the lack of awareness of the NDB scheme. I'm hoping the industry bodies and royal colleges are doing something to raise awareness," he said.

Full Story


Conclusion: UpGuard, Nuix and WithYouWithMe each have a proven capability to address an important aspect of the cyber defences of Australian organisations. WithYouWithMe is about people, UpGuard is about ensuring process is adhered to and exceptions are visible, and Nuix delivers technology which, through a data processing engine, enables organisations to make sense of large amounts of unstructured data.

Read more ...

Conclusion: The General Data Protection Regulation (GDPR) legislation being introduced by the European Union (EU) in May has ramifications for organisations worldwide.

Australian organisations that have already invested in ensuring that they comply with the Australian Privacy Act 1988, and have a robust privacy management framework in place, may find that they already comply with aspects of the EU’s GDPR. However, GDPR does have more stringent requirements including requirements that are not within the Australian requirements, so effort and investment will be required by organisations that need to comply with GDPR.

When considering an organisation’s position and defensibility in terms of whether they complied or not, organisations will need to develop an understanding of the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”1.

Read more ...


Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed dramatically over the last 20 years, but the way many people view security is stuck in the 1990s.

Here in Australia, we're now under the Notifiable Breach Disclosure scheme and it's worth using this as a barometer to understand how well executives actually appreciate that they run digital companies working in a digital economy, with all the risks that come with hyper-connection and digital interdependence.

How well an organisation understands itself and its ability to work through responding to a suspected data breach is a direct reflection of how well it understands its business, as well as its dependence on technology and data. In other words, how well does the company understand and manage risk? Yeah, governance, that old chestnut.

People talk about digital transformation and disruption as though these were destinations to get to. But, digital transformation is a continual process and risk management is a necessary component. There is no finish line for transformation or risk management, there are only companies that will cease to be competitive.

Full Story

Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if it happened to us?” The business impact of NotPetya on Maersk is clear, but so too are many of the risk mitigations that should be put in place before a cyber incident – and many of these are not directly related to technology. Finally, risk management is just as much about recovering from an incident as trying to prevent one.

Read more ...

Conclusion: The forthcoming General Data Protection Regulation (GDPR) is new legislation being introduced by the European Union, which does have ramifications for organisations worldwide.

Being new, there is still a lot to be learned about what exactly some of the specific requirements will mean in practice and how they will impact organisations in being able to show that they have understood and completely complied with the regulation.

When considering an organisation’s position and defensibility in terms of whether it complied or not, organisations will need to develop an understanding of the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”1.

Read more ...


Conclusion: Security awareness campaigns are essential for educating staff on security behaviours. However, without staff engagement, these campaigns can fail to change behaviour – and behavioural change is the only outcome that really matters. Instead of continually focusing on security for the work environment, start focusing on esafety and educate staff on how to protect themselves in their online lives outside work. This has the benefit of informing staff of many of the risks they can face personally, as well as educating them on practices and technologies that can help. Training staff on esafety also has the additional benefit of being the right thing to do and demonstrates corporate social responsibility.

Read more ...

Thousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or technology problems, according to local industry experts and recently conducted research.

Mandatory data breach reporting laws come into effect in Australia in February, years after they were introduced in other countries, such as the US, but a new study by cyber security provider CyberArk has found 44 per cent of Australian businesses are not fully prepared.

While it is predictable enough for a security vendor to warn that businesses need to worry more about security, independent Australian cyber security expert James Turner, of IBRS and CISO Lens, said small businesses were "absolutely not" prepared for the new laws.

Full Story

Cyber security experts have warned the long-term implications of chip vulnerabilities nicknamed Spectre and Meltdown discovered by researchers this week are still unknown, despite it appearing that cyber criminals were unaware of the flaws.

Australian cyber security expert James Turner, of IBRS and CISO Lens, told The Australian Financial Review that just because these flaws were unlikely to have already been exploited does not mean they could not be in the future.

"This is the exact reason why the security industry was screaming all through the last few years about the importance of security for the internet of things. The internet of things is billions of different devices, growing in size every month, all based substantially on hardware," he said.

"It simply won't be economically viable to get everyone to replace the CPU on their TV, fridge, Alexa, lightbulb, thermostat, electric lock, and so on, just because we've found another hardware flaw that impacts billions of devices that are all hyper-connected."

Full Story

Conclusion: Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamified imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.

Read more ...

Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.

Read more ...


The adults in the lives of young people need to know more about security and safety in an online world, and they could be learning this at work.

The Office of the eSafety Commissioner deals with some of the most confronting aspects of abusive behaviour on the Internet: child exploitation material, image-based abuse, and cyber bullying, to name a few.

Julie Inman Grant, the eSafety Commissioner, is dedicated to helping ensure young people have positive experiences online.

To this goal, in the first week of November, the Office of the eSafety Commissioner, in conjunction with its New Zealand equivalent NetSafe, hosted Australia's first online safety conference.

About 400 delegates from around the world came to share ideas, approaches and research in the area of cyber safety.

Full Story

Conclusion: Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.

Read more ...

Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation whose senior business executives were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.

Read more ...

Commonwealth Bank of Australia has admitted it is culling the number of technology partners it works with as part of a cost cutting drive that has some industry observers concerned it is stepping back from its previous leadership position on cyber security.

CBA has been the subject of ongoing rumours in IT circles that it is taking the knife to its celebrated technology operations, and chief information officer David Whiteing confirmed to The Australian Financial Review that changes were under way, including some cyber security work going offshore.

However, Mr Whiteing rejected suggestions that any of the changes would compromise the quality of work or the bank's resilience, and insisted that the bank had not retreated from the national cyber security arena since the departure through ill health of its well respected chief information security officer, Ben Heyes, last year.

"The reality is this is a very competitive space and we have a global perspective around talent," Mr Whiteing said.

Full Story

When was the last time you had a delightful customer experience with insurance? Well, we need to talk about cyber insurance.

In 2013, the Financial Ombudsman Service penned a circular titled "Queensland floods – lessons learnt" and there are useful ideas for us to bring to the cyber insurance discussion.

The Financial Ombudsman Service noted that among the improvements between the experience of Queenslanders claiming on flood insurance in 2011, and then 2013, was the standardised definition from the government of what a flood is. Words matter.

It's easy when we're dealing with fire, theft and flood. Well, at least in theory it's easy. We've been dealing with natural disasters for millennia. But the cyber domain and the risks that come with it are comparatively new, and evolving rapidly. A year is a long time on the internet.

Full Story

Conclusion: Whilst the forthcoming General Data Protection Regulation (GDPR) is a European regulation, some Australian organisations are likely to be impacted and will need to comply. One of the requirements of the regulation is to appoint a Data Protection Officer (DPO), whose job role has very specific duties and legal responsibilities which are defined as part of the GDPR.

However, the guidelines are not completely clear as to when it is mandatory for an organisation to appoint a DPO. Australian organisations should consider, first, whether they will need to comply with the GDPR and, second, whether they will need to appoint a DPO.

Read more ...

Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.

Read more ...

Telstra has taken a high-profile step in its bid to establish itself as a significant player in the booming global cyber security market, with the official opening of the first of a string of new security operations centres, aimed at increasing the work it wins with government and corporate clients.

The multimillion-dollar Sydney centre was unveiled by chief executive Andy Penn alongside federal Cyber Security Minister Dan Tehan on Thursday afternoon, as the company continues its mission to prove to investors it has a solid post-NBN plan.

Telstra shares were hit hard after its annual results, led largely by Mr Penn announcing the company's much-loved dividend would be slashed by 30 per cent. Investors are now looking to the CEO to demonstrate that the company is on the front foot in establishing business lines in growing sectors.

Full Story

Conclusion: The recent high profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking, we need a formalised capability to respond to global and national malware incidents.

Read more ...

Conclusion: Despite increasing focus on information and data in an as-a-Service age, thought leadership in the data management discipline has waned. Today, few of the frameworks, methods and bodies of knowledge that emerged either from the data modelling fraternity or the records management community in the last decade remain active.

This leaves organisations seeking to address the impacts of increasing privacy regulation, cyber security risks from increased digital delivery or improving data integrity to support automation with only one real choice – the Data Management Association (DAMA)’s Data Management Book of Knowledge whose 2nd Edition (DMBoK2) has emerged after almost three years of international collaboration.

Despite the wait, DMBoK2 provides a much-needed update on an already solid foundation addressing contemporary issues with the exception of fully addressing the challenges of data science in its broadest form. Organisations seeking to comprehensively address data management would be well served by adopting DMBoK as a foundational model, thereby ensuring they have a single point of reference regardless of the specific outcomes or priorities that need to be addressed now or in the future.

Read more ...


"If your organisation is producing value then you must confront cyber risks because you have something at stake. WannaCry and NotPetya were just the latest in a long line of cyber security wakeup calls where industry runs the risk of just hitting the snooze button, yet again.

"Many top ASX companies have chief information security officers, or CISOs, to help them identify and manage cyber risks. If you've got a CISO then your organisation has had the epiphany that it is a digital business and it thrives, or withers, on its ability to deal with cyber risks in a hyper-connected world."

Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.

Read more ...