Cyber & Risk

Understanding cyber security has never been as critical as it is today.

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you?

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards.

Conclusion: The forthcoming General Data Protection Regulation (GDPR) legislation is being introduced by the European Union (EU), which has ramifications to organisations worldwide.

Key aspects of GDPR relate specifically to what data exactly an organisation should be able to legally keep and for how long. The underlying principle is that less is best in terms of data collected and kept. For the data to have been legally collected, an individual has to have explicitly given their consent to the organisation to collect, keep and process their personal data.

Details: Peter Hall; 05 May 2018

Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and organisations should look at all three for insight into what is now expected to constitute reasonable and appropriate practice in cyber risk management. In turn, they address the importance of data value to customer trust, the importance of system control and supply chains to national security, and the importance of resilience to our economy.

Details: James Turner; 05 May 2018

Security Policy and Frameworks

Conclusion: In a world where organisations increasingly rely on the successful performance of their business systems it is important IT management takes the lead in managing the risk of systems failure and cyber security breaches from all sources.

Boards are ultimately responsible for monitoring risks. They direct IT (and business) management to create a framework and strategy to manage systems, including data, and cyber security risks. The framework must include policies, supported by processes and practices to ensure business systems operate successfully and the data stored is not compromised.

Details: Alan Hansell; 05 May 2018

More than 60 data breaches have been reported in the first six weeks of the country's new Notifiable Data Breach (NDB) scheme, with healthcare providers making up almost a quarter of the mandatory notifications.

Of the 63 notifications revealed in the first report by the Office of the Australian Information Commissioner since the laws came into effect on February 22, legal, accounting and management services businesses made up 16 per cent, while finance institutions composed 13 per cent.

IBRS cyber security advisor James Turner said many companies in the healthcare sector still did not realise the gravity of the responsibility on their shoulders in terms of keeping people's data safe.

"I've been talking to healthcare providers around the traps and I'm stunned by the lack of awareness of the NDB scheme. I'm hoping the industry bodies and royal colleges are doing something to raise awareness," he said.

Details: James Turner; 13 April 2018

Conclusion: UpGuard, Nuix and WithYouWithMe each have a proven capability to address an important aspect of the cyber defences of Australian organisations. WithYouWithMe is about people, UpGuard is about ensuring process is adhered to and exceptions are visible, and Nuix delivers technology which, through a data processing engine, enables organisations to make sense of large amounts of unstructured data.

Details: James Turner; 01 April 2018

Security Readiness

Conclusion: The General Data Protection Regulation (GDPR) legislation being introduced by the European Union (EU) in May has ramifications to organisations worldwide.

Australian organisations that have already invested in ensuring that they comply with the Australian Privacy Act 1988, and have a robust privacy management framework in place, may find that they already comply with aspects of the EU’s GDPR. However, GDPR does have more stringent requirements including requirements that are not within the Australian requirements, so effort and investment will be required by organisations that need to comply with GDPR.

When considering an organisation’s position and defensibility in terms of whether they complied or not, organisations will need to develop an understanding of the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”¹.

Details: Peter Hall; 01 April 2018

Talk to an IBRS Advisor

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Details: Joseph Sweeney; 27 March 2018

Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed dramatically over the last 20 years, but the way many people view security is stuck in the 1990s.

Here in Australia, we're now under the Notifiable Breach Disclosure scheme and it's worth using this as a barometer to understand how well executives actually appreciate that they run digital companies working in a digital economy, with all the risks that come with hyper-connection and digital interdependence.

How well an organisation understands itself and its ability to work through responding to a suspected data breach is a direct reflection of how well it understands its business, as well as its dependence on technology and data. In other words, how well does the company understand and manage risk? Yeah, governance, that old chestnut.

People talk about digital transformation and disruption as though these were destinations to get to. But, digital transformation is a continual process and risk management is a necessary component. There is no finish line for transformation or risk management, there are only companies that will cease to be competitive.

Details: James Turner; 14 March 2018

Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if it happened to us?” The business impact of NotPetya on Maersk is clear, but so too are many of the risk mitigations that should be put in place before a cyber incident – and many of these are not directly related to technology. Finally, risk management is just as much about recovering from an incident as trying to prevent one.

Details: James Turner; 06 March 2018

Security Readiness

Conclusion: The forthcoming General Data Protection Regulation (GDPR) is new legislation being introduced by the European Union, which does have ramifications for organisations worldwide.

Being new, there is still a lot to be learned about what exactly some of the specific requirements will mean in practice and how they will impact organisations in being able to show that they have understood and completely complied with the regulation.

When considering an organisation’s position and defensibility in terms of did they comply or not, organisations will need to develop an understanding on the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”¹.

Details: Peter Hall; 06 March 2018

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Details: James Turner; 13 February 2018

Talk to an IBRS Advisor

Conclusion: Security awareness campaigns are essential for educating staff on security behaviours. However without staff engagement, these campaigns can fail to change behaviour – and behavioural change is the only outcome that really matters. Instead of continually focusing on security for the work environment, start focusing on esafety and educate staff on how to protect themselves in their online lives outside work. This has the benefit of informing staff on many of the risks that they can face personally, as well as educating them on practices and technologies that can help. Training staff on esafety also has the additional benefit of being the right thing to do and demonstrates corporate social responsibility.

Details: James Turner; 02 February 2018

Security Readiness

NewsThousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or technology problems, according to local industry experts and recently conducted research.

Mandatory data breach reporting laws come into effect in Australia in February, years after they were introduced in other countries, such as the US, but a new study by cyber security provider CyberArk has found 44 per cent of Australian businesses are not fully prepared.

While it is predictable enough for a security vendor to warn that businesses need to worry more about security, independent Australian cyber security expert James Turner, of IBRS and CISO Lens, said small businesses were "absolutely not" prepared for the new laws.

Details: James Turner; 29 January 2018

Cyber security experts have warned the long-term implications of chip vulnerabilities nicknamed Spectre and Meltdown discovered by researchers this week are still unknown, despite it appearing that cyber criminals were unaware of the flaws.

Australian cyber security expert James Turner, of IBRS and CISO Lens, told The Australian Financial Review just because these flaws were unlikely to have already been exploited, does not mean they could not be in the future.

"This is the exact reason why the security industry was screaming all through the last few years about the importance of security for the internet of things. The internet of things is billions of different devices, growing in size every month, all based substantially on hardware," he said

"It simply won't be economically viable to get everyone to replace the CPU on their TV, fridge, Alexa, lightbulb, thermostat, electric lock, and so on, just because we've found another hardware flaw that impacts billions of devices that are all hyper-connected."

Details: James Turner; 09 January 2018

Conclusion: Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamefied imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.

Details: James Turner; 04 January 2018

Security Readiness

Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.

Details: James Turner; 03 December 2017

Security Policy and Frameworks

Talk to an IBRS Advisor

The adults in the lives of young people need to know more about security and safety in an online world and they could be learning this at work

The Office of the eSafety Commissioner deals with some of the most confronting aspects of abusive behaviour on the Internet: child exploitation material, image-based abuse, and cyber bullying, to name a few.

Julie Inman Grant, the eSafety Commissioner, is dedicated to helping ensure young people have positive experiences online.

To this goal, in the first week of November, the Office of the eSafety Commissioner, in conjunction with its New Zealand equivalent NetSafe, hosted Australia's first online safety conference.

About 400 delegates from around the world came to share ideas, approaches and research in the area of cyber safety.

Details: James Turner; 28 November 2017

Conclusion: Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.

Details: James Turner; 03 November 2017

Security Readiness

Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation of senior business executives that were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.

Details: James Turner; 03 October 2017

Commonwealth Bank of Australia has admitted it is culling the number of technology partners it works with as part of a cost cutting drive that has some industry observers concerned it is stepping back from its previous leadership position on cyber security.

CBA has been the subject of ongoing rumours in IT circles that it is taking the knife to its celebrated technology operations, and chief information officer David Whiteing confirmed to The Australian Financial Review that changes were under way, including some cyber security work going offshore.

However, Mr Whiteing rejected suggestions that any of the changes would compromise the quality of work or the bank's resilience, and insisted that the bank had not retreated from the national cyber security arena since the departure through ill health of its well respected chief information security officer, Ben Heyes, last year.

"The reality is this is a very competitive space and we have a global perspective around talent," Mr Whiteing said.

Details: James Turner; 27 September 2017

Security Readiness

When was the last time you had a delightful customer experience with insurance? Well, we need to talk about cyber insurance.

In 2013, the Financial Ombudsman Service penned a circular titled "Queensland floods – lessons learnt" and there are useful ideas for us to bring to the cyber insurance discussion.

The Financial Ombudsman Service noted that among the improvements between the experience of Queenslanders claiming on flood insurance in 2011, and then 2013, was the standardised definition from the government of what a flood is. Words matter.

It's easy when we're dealing with fire, theft and flood. Well, at least in theory it's easy. We've been dealing with natural disasters for millennia. But the cyber domain and the risks that come with it are comparatively new, and evolving rapidly. A year is a long time on the internet.

Details: James Turner; 06 September 2017

Security Readiness

Talk to an IBRS Advisor

Conclusion: Whilst the forthcoming General Data Protection Regulation (GDPR) is a European regulation, some Australian organisations are likely to be impacted and will need to comply. One of the requirements of the regulation is to appoint a Data Protection Officer (DPO), whose job role has very specific duties and legal responsibilities which are defined as part of the GDPR.

However, the guidelines are not completely clear as to when it is mandatory for an organisation to appoint a DPO. Australian organisations should consider if, 1: will they need to comply with the GDPR, and, 2: will they need to appoint a DPO?

Details: Peter Hall; 03 September 2017

Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.

Details: James Turner; 03 September 2017

Security Policy and Frameworks

Telstra has taken a high-profile step in its bid to establish itself as a significant player in the booming global cyber security market, with the official opening of the first of a string of new security operations centres, aimed at increasing the work it wins with government and corporate clients.

The multimillion-dollar Sydney centre was unveiled by chief executive Andy Penn alongside federal Cyber Security Minister Dan Tehan on Thursday afternoon, as the company continues its mission to prove to investors it has a solid post-NBN plan.

Telstra shares were hit hard after its annual results, led largely by Mr Penn announcing the company's much-loved dividend would be slashed by 30 per cent. Investors are now looking to the CEO to demonstrate that the company is on the front foot in establishing business lines in growing sectors.

Details: James Turner; 27 August 2017

Security Readiness

Conclusion: The recent high profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking, we need a formalised capability to respond to global and national malware incidents.

Details: James Turner; 02 August 2017

Security Readiness

Conclusion: Despite increasing focus on information and data in an as-a-Service age, thought leadership in the data management discipline has waned. Today, few of the frameworks, methods and bodies of knowledge that emerged either from the data modelling fraternity or the records management community in the last decade remain active.

This leaves organisations seeking to address the impacts of increasing privacy regulation, cyber security risks from increased digital delivery or improving data integrity to support automation with only one real choice – the Data Management Association (DAMA)’s Data Management Book of Knowledge whose 2nd Edition (DMBoK2) has emerged after almost three years of international collaboration.

Despite the wait, DMBoK2 provides a much-needed update on an already solid foundation addressing contemporary issues with the exception of fully addressing the challenges of data science in its broadest form. Organisations seeking to comprehensively address data management would be well served by adopting DMBoK as a foundational model, thereby ensuring they have a single point of reference regardless of the specific outcomes or priorities that need to be addressed now or in the future.

Details: Sam Higgins; 02 August 2017

Talk to an IBRS Advisor

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Details: James Turner; 01 August 2017

"If your organisation is producing value then you must confront cyber risks because you have something at stake. WannaCry and NotPetya were just the latest in a long line of cyber security wakeup calls where industry runs the risk of just hitting the snooze button, yet again.

"Many top ASX companies have chief information security officers, or CISOs, to help them identify and manage cyber risks. If you've got a CISO then your organisation has had the epiphany that it is a digital business and it thrives, or withers, on its ability to deal with cyber risks in a hyper-connected world."

Details: James Turner; 14 July 2017

The Role of the CISO

Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.

Details: James Turner; 04 July 2017

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Details: James Turner; 29 June 2017

Who wasn't moved by the story of Alan Turing, the brilliant English mathematician whose dedicated team cracked the Nazi Enigma code and saved countless lives during World War 2?

Fast forward more than 70 years and the ability of terrorist groups such as Islamic State and al-Qa’ida to harness encryption methods on the internet has created its own Turing doomsday imperative. Either we crack the codes or our law enforcement agencies will remain in the dark about terrorist plans for more carnage.

Next week, political and national security chiefs from Australia, New Zealand, the US, Britain and Canada will meet privately in the Canadian capital, Ottawa. High on the agenda will be ways to combat terrorism, and one of the key points will be cracking encryption in messaging apps.

The task at this conference, known as Five Eyes, is incredibly difficult — nearly impossible.

Some of the most common messaging apps are Apple’s iMessage, Facebook Messenger, WhatsApp, Signal, Telegram and Wire. Every day, millions of people send billions of messages to each other, secure in the knowledge that new-age encryption technology means their conversations will remain private.

Details: James Turner; 23 June 2017

Security Readiness

Talk to an IBRS Advisor

Experts say efforts to get technology and social media firms to cooperate with the authorities in decrypting communications will be hard to achieve. The Australian government wants smartphone companies and social media platforms to ensure terrorists cannot hide behind anonymous posts or encrypted messages, but it has not said how or when.

In his recent national security statement to parliament, Australia’s prime minister Malcolm Turnbull said traffic on encrypted messaging platforms was difficult for security agencies to decrypt.

Most of the major platforms of this kind are based in the US, where a strong libertarian tradition resists government access to private communications, as the FBI found when Apple would not help unlock the iPhone of the dead San Bernardino terrorist,” he said. “The privacy of a terrorist can never be more important than public safety.”

James Turner, cyber security analyst at advisory and consulting company IBRS, added: “You can’t build crumple zones into encryption systems because it puts up big neon signs saying there’s a vulnerability.”

Instead of trying to gain access to the encrypted communications, Turner said governments should “aggressively target the endpoints”, especially as services such as Apple’s iMessage were being re-engineered to make encrypted content inaccessible to even Apple itself.

Details: James Turner; 21 June 2017

Security Readiness

Two years ago, mobile device management (MDM) was the buzz. Mobile security was an essential part of a mobility strategy, and every enterprise needed one. Today, not so much.

"About 18 months ago at least, businesses across the whole market realised that the issue wasn't around mobility. Mobility was subsumed by this idea of 'any device, anywhere'," according to Joseph Sweeney, an advisor with IBRS who specialises in end user computing, including mobility, future workplace strategies, and enterprise solutions.

"We're now starting to treat the desktop and the tablets and all these other devices as one and the same thing. Most of the strategies I'm working with do not distinguish between mobile device and desktop," Sweeney told ZDNet.

"What's changed is that instead of trying to say that here's a bunch of untrusted devices, and here's a bunch of trusted devices, people are realising that everything is an untrusted device, including the stuff in the office."

Details: Joseph Sweeney; 07 June 2017

Future Workplace

Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.

Details: James Turner; 04 June 2017

Security Readiness

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Details: James Turner; 25 May 2017

It's now a year since the launch of the Australian Cyber Security Strategy. Could progress be better? Of course. But the progress is good. Actually, it's great.

The collaboration between government and the private sector has had a fresh wind touch its sails and the level of cyber security collaboration between many of Australia's largest organisations is at an unprecedented level. The recent global wave of ransomware, variously termed WannaCry or WannaCrypt, was a live-fire exercise for testing the efficacy of this collaboration.

The recent launch of the ASX 100 Cyber Health Check report was an excellent step on the journey to a more complete understanding of what will come to be viewed as due care in the domain of cyber risk management, and the launch of the Australian Cyber Security Growth Network is already making waves for the local start-up community.

The prevailing sentiment is that we don't really have a choice other than to work together because we absolutely have to be good at this. Collaboration is

Details: James Turner; 16 May 2017

Security Readiness

Talk to an IBRS Advisor

Cyber security experts said Australian businesses and government agencies got lucky in avoiding potentially devastating effects from a global ransomware cyber attack, which wreaked havoc around the world at the weekend, but warned problems could emerge as organisations return to work on Monday.

Unlike in Britain, where some hospitals ground to a halt, no major victims of the so-called WannaCry malware attacks have emerged in Australia, where there was only one unnamed case of infection, after companies called in security staff on Saturday to quickly update software patches.

However, despite Prime Minister Malcolm Turnbull seeking to calm any local alarm over the weekend, the government's cyber security experts have copped some criticism for failing to show sufficient leadership in proactively advising organisations about the threats and required course of action.

Details: James Turner; 16 May 2017

Security Readiness

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

Details: James Turner; 07 May 2017

Conclusion: Australian organisations and agencies need to embrace the European Union’s new General Data Protection Regulation (GDPR) legal framework for protecting and managing Private Individuals Information (PII). There is considerable risk to organisations that do not take action to comply, financially and to organisations’ brands.

There are also potential upsides in embracing the requirements and being able to demonstrate compliance with the accountability principles, and implementing both technical and organisational measures that ensure all processing activities comply with the GDPR.

Whilst Australian companies may already have practices in place that comply with the Australian Privacy Act 1988, GDPR has a number of additional requirements, including the potential appointment of “data protection officers”. Action should already be taking place, and organisations should not underestimate the time and effort it may take to reach and maintain compliance.

Details: Peter Hall; 04 April 2017

Conclusion: IT executives must appreciate that managed security services is not a simple IT outsourcing function, because cyber security it not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost implications for both parties and will require a commitment to continually reviewing suitability of services. Executives should aim to evolve their own cyber risk management capabilities around people, process and technology, because this internal maturity is required to get the most from engaging with an MSSP.

Details: James Turner; 04 April 2017

Security Readiness

Page 3 of 7

Start
Prev
1
2
3
4
5
6
7
Next
End

info@ibrs.com.au

© IBRS. All Rights Reserved. 2021