Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

Conclusion: The increased proliferation of critical digital services has resulted in ransomware attacks becoming one of hackers’ means to make money. As a consequence, many organisations have become the victims of such attacks. IT organisations should implement a full recovery strategy to restore IT services in the event of ransomware attacks. The recovery strategy should become an integral part of the disaster recovery plan. This will raise business stakeholders’ trust in the service security and reduce the spread of this type of IT organised crime.

Read more ...

Conclusion: Cyber security is now one of the top priorities in many organisations. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to being regarded as a strategic enterprise risk. The role of the Chief Information Security Officer (CISO) has traditionally required strong technology skills to protect the organisation from security incidents. With boards and executives now requiring executive-level cyber leadership and accountability, the role of the CISO must evolve beyond the traditional technology domain to also encompass strategy, stewardship and compliance as well as being a trusted business advisor.

Read more ...

Conclusions: Patching systems is regularly touted as the panacea for security breaches, yet many organisations continue to struggle with that seemingly simple process. There is obviously more to the problem than just buying and deploying a patch management system.

Most organisations are well-intentioned; it is not that they do not want to patch. As one delves deeper into the tasks around patching, it soon becomes clear that many unintentional, and some intentional, roadblocks exist in almost every organisation.

This note attempts to sort through some of those roadblocks and offer some approaches to diminish their impact. Some resources are identified to help with the design and build of a patch service. There is a real dearth of well-structured information around the patching process overall.

Read more ...

Peter Sandilands, an advisor at analyst firm IBRS, called the discussion paper “a pre-judged survey” that is mostly looking for answers. He also questioned if the resulting recommendations would be published for review and commentary: “Is this window dressing, or are they going to do something out of this?”

The Australian government is charting its next cyber security strategy following an earlier A$230m blueprint laid out in 2016 to foster a safer cyber space for Australians.

In a discussion paper on Australia’s 2020 cyber security strategy, which is being led by an industry panel, minister for home affairs Peter Dutton said despite making strong progress against the goals set in 2016, the threat environment has changed significantly.

Full Story

 

IBRSiQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Conclusion: As detailed in part one of this pair of notes, the Australian Signals Directorate’s Essential Eight (E8) are detailed technical recommendations for securing an information infrastructure. Implementing them has been touted as being effective against over 85 % of potential attacks. It is hard to ignore that benefit to an organisation’s security stance.

The first note went on to highlight the real-world implications of attempting to implement the E8; in particular, listing the prerequisites for the implementation. Each of the E8 assumes that an organisation has in place the underlying capabilities and information that provide the supporting base for each element of the E8.

While at first glance that appears to put a negative connotation on deploying the E8, in many ways it points to some basic processes and capabilities that any organisation should have in place to use its information infrastructure effectively. This note will explore those implications. It will help any organisation build the basics of an effective security regime.

Read more ...

Conclusion: Cyber security and data privacy are currently hot topics at both executive and board levels and security incidents feature in the media on an almost weekly basis. CIOs and executive teams will face increasing scrutiny from their boards with a focus on accountability, risk assessment, reporting and organisational resilience to cyber incidents. Boards are genuinely grappling with how to assess risks and how to ensure that the organisation is sufficiently well prepared to protect and respond appropriately to security incidents, within budget and resource constraints. CIOs and CISOs have a unique opportunity to engage with boards and provide the leadership that is expected, as the move to digital accelerates. In this note we highlight the recent trends and outline some of the key recommendations to practical steps to strengthen your organisation’s ability to protect itself holistically from cyber and data loss risks.

Read more ...

Conclusion: The Essential Eight from the Australian Signals Directorate constitutes a recommended set of strategies to reduce the risk of cyber intrusion. They are said to prevent up to 85% of potential attacks. They are certainly worth assessing as a strategy to apply as an organisation plans out its security strategy.

However, while they may seem simple at first glance, the prerequisites for their implementation are far reaching. These add significant cost and effort to any attempt to take advantage of the E8. In fact, the effort and planning can easily exceed the effort in seemingly just doing the E8.

This will be a two-part article. The first part will explain the question at hand and describe the premise being explored. The second part will work through the implications for an organisation and list the strategies to deal with them.

Read more ...

Conclusion: Current network and security deployments make many assumptions about the threat environment and which controls are effective. Many of these assumptions are predicated on an older security architecture that emphasised the perimeter. This perimeter then segregated the outside from the inside with an associated perception that inside was good or trustworthy and outside was bad and untrustworthy.

It is easy to see that for many, if not most organisations, the perimeter is no longer just considered a solid demarcation point between outside and inside. The internal network hosts contractors and consultants as well as integrates external services as if they are native to the network. Staff operate from partner and customer locations as well as from public networks via wi-fi hotspots in cafes, airport lounges and hotels.

This evolution requires a fresh security architecture to assist organisations to operate in the evolving network and service paradigms. The zero trust network (ZTN) philosophy lays out an architectural approach to deploying services, enabling staff and supporting customers. ZTN should be assessed by any organisation looking to move to an internet-driven, Cloud-supported and secure operating schema.

Read more ...

Conclusion: Organisations would hope that their data protection policies are in place and effective. Data loss protection is active on the email channel and data is encrypted while at rest within the organisation. Staff are often trying to share data with others or move data to where it may be easily accessible. A very common channel for this is one of the many Cloud-based file-sharing services such as Dropbox, iCloud or Google Drive.

These services conflict with data protection in several ways. In many cases the services used by staff are personal accounts owned by the staff member, not the organisation. This immediately places the data outside the control of the operation.
The sharing of the data can be open-ended where a) even the staff member loses control over who can access the data, and b) it is uncertain where the data is stored and in which jurisdiction.

If the data contains personal information, credit card details or confidential finance information, the organisation may find itself in breach of regulations such as the Notifiable Data Breach Regulation or Payment Card Industry requirements.

Read more ...

Conclusion: Many organisations are finding themselves being defrauded, especially when making or receiving payments electronically. It is not that the end systems are compromised but rather the payment information itself is being subverted in between the payer and the payee.

This is hard to defeat via technical means as the messages themselves look the same as any other payment request or invoice. A quality email filtering service will remove many of the clumsy attempts thus allowing more focus on the well-constructed efforts.

This article aims to help improve understanding of the threat and identify effective strategies to lessen the possibility of a business being impacted. Security defence consists of more than just technology. A well-rounded defence is composed of people, process and technology. Defeating business email compromise (BEC) is primarily achieved by the people and process segments.

The staff of a business are in the best position to detect attempts to compromise a payment, provided they have been armed with some knowledge of the types of attacks and permission to halt and question the details.

Many fraud attempts can be prevented by implementing a simple business process that allows all staff to question transactions that change payment details and use secondary channels to confirm those details.

Read more ...

Conclusion: The notifiable data breach regulations have had an impact on business priorities. For any organisation subject to the regulations, protection of personal information should have become a priority. One security technology, data loss prevention, could have offered some assistance. But it has had a mixed reception in the past due to many issues in both implementing and operating the service.

The continued move to SaaS for office systems such as document creation and email is also changing the market. Many capabilities that have been previously offered as standalone products are now being subsumed into the SaaS offerings as just adjunct functions. 

This simplifies the selection of the products and their ongoing management. A prime example of this is data loss prevention which is now being offered as a check-box selected capability in several SaaS offerings.

This could put data loss prevention within reach of small to medium businesses as a component of their personal information protection strategy.

Read more ...

Conclusion: Given the reality of shrinking budgets, organisations can struggle deciding what new products to purchase or techniques to implement. They hope the new capabilities will enhance their security posture, but new tools often need additional staff to operate them. Employing skilled security staff can itself be a challenge. A simple but pragmatic approach is to leverage IT operation’s budget and skills to improve operational hygiene and hence, overall security hygiene.

Read more ...

Conclusion: IT auditors typically consult with, and report their findings to, the board’s Audit and Risk Committee. Their POW (program of work) or activities upon which they will focus may or may not be telegraphed in advance to stakeholders, including IT management.

To avoid getting a qualified audit report for IT, e. g. when internal (systems) controls are weak or IT risks are unmanaged, business and IT management must first get their house in order, by tightening controls and addressing risks before the possible arrival of the audit team. Failure to get the house in order, before an audit, could be career limiting for IT and business managers.

Read more ...

Conclusion: Increasing emphasis in the media and in industry literature on cyber security and the risks of data breaches with service disruptions is likely to get extra attention in future from the board and their audit and risk committee (or ICT governance group).

Not only must the committee be concerned with risk prevention, astute members will also want to know how the organisation will recover from a data breach or ransomware attempt and restore the organisation’s operations, if an unexpected disruption to services occurs.

To minimise business risks, committee members must stay aware of local and international cyber security incidents, how they occurred and were addressed and what they need to do to make sure they are not replicated in their organisation.

Read more ...

Conclusion: Recently, several architectural models and tools have become available to enable the microsegmentation of networks, which helps improve overall security within organisations and can help limit the scope of any potential breach within an organisation. This can be achieved by aligning microsegmentation of networks with the organisation’s mission-critical systems profile.

Organisations should ensure microsegmentation is included in their security strategy. However, there are several different architectural approaches and organisations should explore these and select the approach that most suits their current or planned enterprise architecture and assess the benefits each approach may offer.

Read more ...

Related Articles:

"Network Virtualisation – Security drives adoption" IBRS, 2016-09-02 05:06:16

Conclusion: The Agency Head/CEO is responsible to accredit the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.

The Agency Head/CEO remains responsible as the Accreditation Authority (AA) to accredit the security readiness for the services to be delivered for their organisation. In practice the CIO/CISO will lead the accreditation process on behalf of the CEO.

ASD’s role as the Certifying Authority (CA) for PROTECTED Cloud services provides the agency/organisation using the CSP with independent assurance that the services offered meet government Information Security Registered Assessors Program (IRAP) requirements and vulnerability assessment requirements at the PROTECTED level. The certification process provides a consistent approach to the cyber risk assessment of the CSP’s environment only. The PROTECTED Cloud certification does not cover security assessment related to the design and maintenance of the customers’ services and/or software to be run on the PROTECTED Cloud platform.

The adoption of a PROTECTED Cloud solution will still require a regular review of the security posture. ASD will conduct regular reviews of their processes as the certifying authority (CA), and the Agency Head/CEO will be required to regularly review the accreditation of the service as a whole.

Read more ...

Conclusion: Over the past decade, the role of the Chief Information Security Officer (CISO) has risen to be one of great importance in many large and mid-sized organisations. While this remains the case, protecting information assets is more likely to be successful through ensuring all threats are managed under the same set of policies and principles. Managing threats to organisations can no longer be separated between departments or siloed out to service providers. With data in the Cloud and people on the ground in new geographies, the need to evolve the relationship between logical and physical controls has increased. The key to holistic security is to bring all aspects of security under one umbrella to ensure all bases are covered.

Read more ...

Conclusion: Australians have become increasingly concerned not only with what data is being held about them and others, but how this data is being used and whether the resulting information or analysis can or should be trusted by them or third parties.

The 2018 amendments to the Privacy Act for mandatory data breach notification provisions are only the start of the reform process, with Australia lagging a decade behind the US, Europe and UK in data regulation.

Therefore, organisations seeking to address the increasing concerns should look beyond existing data risk frameworks for security and privacy, moving instead to adopt robust ethical controls across the data supply chain1 that embodies principles designed to mitigate these new risks. Risks that include the amplification of negative bias that may artificially intensify social, racial or economic discord, or using data for purposes to which individual sources would not have agreed to.

Early adopters of effective data ethics will then have a competitive advantage over those who fail to address the concerns, particularly of consumers, as to how their data is used and if the results should be trusted.

Read more ...

Conclusion: Throughout the year, most businesses invite in a third party to conduct an information security risk assessment – as per best practice. Often this is a compliance exercise, other times it is just good housekeeping. Assessors are paid to find gaps in security controls based on the threat landscape and risk profile and provide recommendations for how to better secure the organisation with appropriate controls. With a thud-worthy report in hand, those charged with remediation must prioritise the recommended tasks to best use their resources to appropriately protect the organisation.

Read more ...

Conclusion: Relying on third parties to succeed in business has become the norm. Cost limitations and workforce requirements mean that businesses need to find efficient ways to achieve their goals. This regularly includes creating an ecosystem of organisations that offer technology, consulting and support services that can be leveraged when required for a fraction of the cost of employing a person or service in-house to the same end. This is great from a business perspective; however, engaging with third parties brings significant risk. Businesses are effectively opening their door to a perfect stranger and inviting them into their organisation to look around, share some data and stay a while. Managing the risk of having a third party connected to an organisation is important. An organisation’s security controls become meaningless once data is transferred to a third party. At the end of the day, if a cyber-attack occurs via a third party, there will be more than one reputation on the line in the eyes of current and future business partners, customers and clients. 

While the impact of a third-party data breach cannot be completely prevented, the key to resilience, detection and management of connections is awareness, being upfront about the security expectations and educating the workforce.

Read more ...

Related Articles:

"2FA is a no-brainer" IBRS, 2018-11-02 11:06:25

"When it comes to security, when is enough... enough?" IBRS, 2018-10-04 11:56:31

Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and/or when renewing older infrastructure and services. The need to have cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any CIO.

The Australian Government has identified PROTECTED ratings be applied where systems and data are at risk and where the systems or data are critical to ensuring national interest, business continuity and integrity of an individual’s data. Critical business functions are a combination of the IT systems they run on and the data they consume.

Defining what should be afforded a PROTECTED rating and therefore adequately protected is an ongoing challenge. The Australian Government’s Information Security Manual (ISM) and recent legislation “Security of Critical Infrastructure Act 2018” detail the requirements and framework for reporting, on government-run IT systems and critical infrastructure. Using this framework as a base, organisations should assess whether the data or IT environments that support critical business functions should be treated as PROTECTED.

Read more ...

Related Articles:

"Canberra-based Azure is about much more than security" IBRS, 2018-04-14 13:43:57

"On-Premises Cloud: Real flexibility or just a finance plan?" IBRS, 2017-05-06 06:37:20

"Running IT-as-a-Service Part 33: How to transition to hybrid Cloud" IBRS, 2017-08-02 02:32:44

Conclusion: Fraud and cybercrime can both keep key stakeholders in a business awake at night. But these threats are often driven by very different malicious motivations. In the end, the two threats overlap but are very different. Fraud is a crime carried out for financial gain. Cybercrime on the other hand can be executed for many reasons including political, passion and even opportunistically, purely because a vulnerability was there. Aside from reasons/motivation, two other key differences include skill set needed to manage such threats and the delivery method of the event. Organisations need to prepare for both of these threats to be realised and cannot always rely on the controls of one to detect, prevent or manage the impact of the other.

Read more ...

Related Articles:

"When criminals hijack your organisation’s brand for phishing" IBRS, 2016-11-01 21:37:01

"When it comes to security, when is enough... enough?" IBRS, 2018-10-04 11:56:31

 IBRSiQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Conclusion: Passwords are the weakest link (some might say second to humans) in the enterprise security chain. With compromised credentials (a username and password) being the leading cause of data breach1, passwords and even the stronger passphrases are no longer sufficient to protect users or businesses from unauthorised access to critical data and systems. As such, an additional layer of security, namely two-factor authentication (2FA), is now commonly available. The term two-factor or multi-factor authentication has become commonplace and while it materially reduces a business’s risk to several cyber threats, many end users feel that it is an inconvenience, slows down productivity and prefer not to “opt-in” if that is at all an option. The bottom line is that 2FA is complementary to strong passwords – it is not a replacement for them. Raising education and awareness of the importance of strong passwords is still needed and 2FA is simply another layer of protection, akin to a more secure bolt on the door to our sensitive information.

Read more ...

Conclusion: The question of “how much security is enough” often stems from attempts to define ballpark security budgets, meet compliance obligations and scope out security team size and make-up. But how much security is enough depends on a number of factors that an organisation must consider before seeking the endorsement of the security strategy and agreeing on an acceptable risk position.

Read more ...

Related Articles:

"Is security really an IT problem?" IBRS, 2018-08-01 08:53:13

"Sometimes good security does not mention security" IBRS, 2016-05-05 00:04:00

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

The CIO Cyber & Risk Network Mandate:

To provide CIOs in Australian organisations with a forum in which to share their issues and approaches to cyber security and risk. The intended outcome is that organisations make better informed decisions to help protect their organisations, staff, customers and the economy.
Introduction
Not all Australian organisations are fortunate enough to have a Chief Information Security Officer. But not having a CISO doesn’t mean the challenge of managing cyber risk goes away. IBRS clients have been telling us that the frequency with which they are being asked to report on cyber security to their boards has increased. Now, four times a year is the minimum, and the board members are asking better, more in-depth, questions. The CIO Cyber and Risk Network is a vendor independent forum for CIOs to share with and learn from each other. 

Who can participate?

The CIO Cyber & Risk Network is a service for CIOs who are accountable for cyber security as part of their role.
To ensure that trusted relationships can develop, and provide an experience of continuity within the group, CIOs invited to participate will not exceed 20
The CIO Cyber & Risk Network is an invitation only forum. This is to ensure that the forum is not swayed by vested interests, and that the participating CIOs are assured of the confidentiality of the discussion.

Format

4 gatherings per year. Each gathering will be for 4 hours; 2 hours as a formal facilitated discussion and a 2 hour informal session which is an opportunity for the CIOs to have the 1:1 and small group conversations to follow up to the formal session.
IBRS will facilitate each gathering.
IBRS will also coordinate any external guests.
All gatherings are closed door, and held under the Chatham House Rule.
A summary of findings is distributed after each gathering
Participate in a distribution list of like minded CIOs
Should a CIO not be available to attend a gathering, sending a direct report is possible but discouraged. If direct reports are sent too often, as determined by the group, the CIOs’ invitation to participate may be withdrawn and no refund will be offered.

Highlights

CIO Cyber & Risk Network August 2018
The Cyber and Risk Network August gathering focused on four areas;
Incident Response & GDPR
Maturing Cyber Security functions - participants highlighted four very different approaches
Scaling Cyber Security functions - participants discussed six different strategies
Validation of Controls
Technical sharing among the participants provided some good market insights into new and established vendors offering security solutions

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Conclusion: There has been a lot of talk about incident response since the new data breach laws came into effect in Australia and Europe. But the laws alone should not be the driving force to having a response plan in place. Having a plan in place means more than talking about a plan, planning a plan and signing off on a plan. Being prepared puts you way ahead of the curve but being truly prepared means testing your incident response plan through drills and tabletop exercises. A drill provides an opportunity to understand realistic outcomes for risk scenarios and apply the lessons learned to your incident response efforts during a crisis.

Read more ...

Related Articles:

"Cyber insurance – it’s not the cybers you’re insuring" IBRS, 2017-09-02 01:58:42

"Learning from the misfortune of others – the Equifax breach" IBRS, 2017-10-02 23:02:39

"Maersk and NotPetya – a case study on business impact and cyber risk management" IBRS, 2018-03-06 07:14:54

"Use the NIST cyber­security framework to drive for visibility" IBRS, 2018-06-01 04:19:32

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and the popularity of bring-your-own-device (BYOD).

That’s a decent growth rate, enough to pique the interest of managed IT services providers looking to grow their business.

They already have established client relationships and those clients, like all businesses, face constant challenges keeping secure in the face of an every evolving threat landscape and a shortage of cyber skills.

Many managed IT services providers (MSPs) already offer some elements of security, such as antivirus, intrusion detection and managed firewall, but there’s a huge gap between these and offering a fully fledged managed security service via a 24x7 security operations centre (SOC) and security information and event management (SIEM) software to provide real-time analysis of threats, generate alerts and advice on remedial action.

Technical competence is one challenge faced by any MSP contemplating becoming an MSSP.

Full Story

Conclusion: If the broader business is to commit to investing in security, both emotionally and financially, they will need to buy into their responsibility. Security is likely to be seen as an IT problem because historically the minimum level of protection came through network and operating system security staff embedded deep in IT. Technical controls are not sufficient to protect an organisation from all known and potential threats as they are only as strong as the rules and configurations implemented by human operators. If nothing else, raising the profile of security to a broader audience with relevant, personalised messaging will begin to show the business how they can extract full value from security investments and dispel the belief that IT should solve the “security problem”.

Read more ...

Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.
The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.

Read more ...

Related Articles:

"Can IBRS assist on how to report on IT security metrics to business executives? " IBRS, 2018-05-13 23:32:09

"IT management leadership role in risk management" IBRS, 2018-05-04 18:43:08

"Use the NIST cyber­security framework to drive for visibility" IBRS, 2018-06-01 04:19:32

The timing couldn't have been worse for PageUp; two days before Europe's new data protection regime came into force the Melbourne-based online recruitment specialist's security systems detected suspicious activity.

By May 28 – three days after the General Data Protection Regulation went live – PageUp knew client data may have been compromised and that it had 72 hours to alert the British Information Commissioner's Office, due to the UK's incredibly stringent laws on breach disclosure.

It has also liaised with the Office of the Australian Information Commissioner as required under the mandatory data breach notification rules, which came into force in February.

On June 1 it alerted its customers; on June 5 it confirmed the breach publicly.

Read More

In terms of cyber security years, Australia is still in the dark ages, a period typified by a lack of records, and diminished understanding and learning.

We're only a few months into practising mandatory data breach notification, while many parts of the world have been doing this for years. The United States has been disclosing breaches for more than a decade.

Countries where data breach notification is the norm are still maturing, and there is no upper limit for our understanding on managing cyber risk. But you can see that by the steps other parts of the world are taking that they do see security incidents very differently to Australia.

This month, at the annual gathering of the Society for Corporate Governance in the United States, Commissioner Robert Jackson Jr. from the Securities and Exchange Commission (SEC) said investors are not being given enough information about cyber security incidents to make informed decisions.

Read More

Cyber security and risk advisor at analyst firm IBRS, James Turner, said the cyber skills shortage was prompting a wider rethink around the domain in terms of resourcing for the last few years.

“It’s partly about talent scarcity but it’s also about bringing fresh eyes. It shows up in the diversity of thinking around cyber issues,” Turner said.

“Diversity is incredibly valuable, it counters groupthink. You want that in your security team, and definitely in any good red team.”

Turner said human history was “littered with disasters that stemmed from a group of people all thinking the same way and not contemplating that there could be other views.”

“I’ve seen people from not just analytics backgrounds but also as broad as history, languages and music go into cyber security and be highly effective.” 

Full Story

 

PageUp People, a successful Australian Software-as-a-Service vendor, has been the victim of a crime, with a data breach that could be extremely damaging for its prospects. There are two lessons for the industry that are worth drawing particular attention to.

The first lesson is that we need the victim to survive. Once PageUp is safely through this incident, one of the most valuable things its executives can do for the industry is to share their experiences and the lessons learnt.

Sharing this information is important because, as one security executive from an ASX50 company said to me, it could have been any of us. And, it is only through sharing these experiences and the lessons from these crimes that we, as an industry, can improve.

Despite years of security incidents and data breaches worldwide, many Australian executives think their organisations are magically immune. It's far too easy to underestimate the potential impact, the flow-on consequences, and the personal cost for people involved or affected.

 
 

Conclusion: A requirement of the European Union’s (EU) General Data Protection Regulation (GDPR) is the concept of “data portability”, which provides a right to receive personal data an individual has provided in a “structured, commonly used, machine-readable format”, and to transmit that data to another organisation.

Underlying data portability is an assumption that data standards exist and are widely used across all public and private sector organisations, especially in specific vertical industries, such as Financial Services, Health or Utilities. In many cases in Australia, no such standards exist and there is no framework to encourage industry cooperation.

Australian organisations needing to comply with GDPR will have to develop an approach and strategy to how they will provide data portability when requested to do so.

Read more ...

Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework, but also a guide when working through the framework will make application of the framework much more valuable. Aiming for visibility will enable an organisation to accurately gauge itself against each function, category and subcategory. Visibility will enable an organisation to honestly assert current capability, and the gap to a more desirous level of capability. Achieving visibility will require ongoing collaboration with business stakeholders which, in turn, delivers visibility to these same stakeholders and ultimately enables informed decision making.

Read more ...

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers.

Rather there are three new regulatory forces impacting specific points of the cyber security posture of the Australian economy, where relevant businesses will face all kinds of trouble if they fail to keep up to speed.

These external obligations are the Notifiable Data Breach (NDB) scheme, the Security of Critical Infrastructure Bill, and APRA's draft of Prudential Standard CPS 234.

There are lessons to be learned from all three of these external obligations. At a simplified level, the NDB scheme addresses the security of people's data; the Security of Critical Infrastructure Bill addresses the technology that supports our lives, and CPS 234 addresses the processes and governance that protect our wealth.


Full Story: