Cyber & Risk

Understanding cyber security has never been as critical as it is today. 

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you? 

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards. 

Cyber security experts have warned the long-term implications of chip vulnerabilities nicknamed Spectre and Meltdown discovered by researchers this week are still unknown, despite it appearing that cyber criminals were unaware of the flaws.

Australian cyber security expert James Turner, of IBRS and CISO Lens, told The Australian Financial Review just because these flaws were unlikely to have already been exploited, does not mean they could not be in the future.

"This is the exact reason why the security industry was screaming all through the last few years about the importance of security for the internet of things. The internet of things is billions of different devices, growing in size every month, all based substantially on hardware," he said

"It simply won't be economically viable to get everyone to replace the CPU on their TV, fridge, Alexa, lightbulb, thermostat, electric lock, and so on, just because we've found another hardware flaw that impacts billions of devices that are all hyper-connected."

Full Story

Conclusion: Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamefied imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.

Read more ...

Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.

Read more ...

 

The adults in the lives of young people need to know more about security and safety in an online world and they could be learning this at work

The Office of the eSafety Commissioner deals with some of the most confronting aspects of abusive behaviour on the Internet: child exploitation material, image-based abuse, and cyber bullying, to name a few.

Julie Inman Grant, the eSafety Commissioner, is dedicated to helping ensure young people have positive experiences online.

To this goal, in the first week of November, the Office of the eSafety Commissioner, in conjunction with its New Zealand equivalent NetSafe, hosted Australia's first online safety conference.

About 400 delegates from around the world came to share ideas, approaches and research in the area of cyber safety.

 Full Story

Conclusion: Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.

Read more ...

Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation of senior business executives that were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.

Read more ...

Commonwealth Bank of Australia has admitted it is culling the number of technology partners it works with as part of a cost cutting drive that has some industry observers concerned it is stepping back from its previous leadership position on cyber security.

CBA has been the subject of ongoing rumours in IT circles that it is taking the knife to its celebrated technology operations, and chief information officer David Whiteing confirmed to The Australian Financial Review that changes were under way, including some cyber security work going offshore.

However, Mr Whiteing rejected suggestions that any of the changes would compromise the quality of work or the bank's resilience, and insisted that the bank had not retreated from the national cyber security arena since the departure through ill health of its well respected chief information security officer, Ben Heyes, last year.

"The reality is this is a very competitive space and we have a global perspective around talent," Mr Whiteing said.

 Full Story

When was the last time you had a delightful customer experience with insurance? Well, we need to talk about cyber insurance.

In 2013, the Financial Ombudsman Service penned a circular titled "Queensland floods – lessons learnt" and there are useful ideas for us to bring to the cyber insurance discussion.

The Financial Ombudsman Service noted that among the improvements between the experience of Queenslanders claiming on flood insurance in 2011, and then 2013, was the standardised definition from the government of what a flood is. Words matter.

It's easy when we're dealing with fire, theft and flood. Well, at least in theory it's easy. We've been dealing with natural disasters for millennia. But the cyber domain and the risks that come with it are comparatively new, and evolving rapidly. A year is a long time on the internet.

Full Story

Conclusion: Whilst the forthcoming General Data Protection Regulation (GDPR) is a European regulation, some Australian organisations are likely to be impacted and will need to comply. One of the requirements of the regulation is to appoint a Data Protection Officer (DPO), whose job role has very specific duties and legal responsibilities which are defined as part of the GDPR.

However, the guidelines are not completely clear as to when it is mandatory for an organisation to appoint a DPO. Australian organisations should consider if, 1: will they need to comply with the GDPR, and, 2: will they need to appoint a DPO?

Read more ...

Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.

Read more ...

Telstra has taken a high-profile step in its bid to establish itself as a significant player in the booming global cyber security market, with the official opening of the first of a string of new security operations centres, aimed at increasing the work it wins with government and corporate clients.

The multimillion-dollar Sydney centre was unveiled by chief executive Andy Penn alongside federal Cyber Security Minister Dan Tehan on Thursday afternoon, as the company continues its mission to prove to investors it has a solid post-NBN plan.

Telstra shares were hit hard after its annual results, led largely by Mr Penn announcing the company's much-loved dividend would be slashed by 30 per cent. Investors are now looking to the CEO to demonstrate that the company is on the front foot in establishing business lines in growing sectors.

Full Story

Conclusion: The recent high profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking, we need a formalised capability to respond to global and national malware incidents.

Read more ...

 Conclusion: Despite increasing focus on information and data in an as-a-Service age, thought leadership in the data management discipline has waned. Today, few of the frameworks, methods and bodies of knowledge that emerged either from the data modelling fraternity or the records management community in the last decade remain active.

This leaves organisations seeking to address the impacts of increasing privacy regulation, cyber security risks from increased digital delivery or improving data integrity to support automation with only one real choice – the Data Management Association (DAMA)’s Data Management Book of Knowledge whose 2nd Edition (DMBoK2) has emerged after almost three years of international collaboration.

Despite the wait, DMBoK2 provides a much-needed update on an already solid foundation addressing contemporary issues with the exception of fully addressing the challenges of data science in its broadest form. Organisations seeking to comprehensively address data management would be well served by adopting DMBoK as a foundational model, thereby ensuring they have a single point of reference regardless of the specific outcomes or priorities that need to be addressed now or in the future.

Read more ...

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

"If your organisation is producing value then you must confront cyber risks because you have something at stake. WannaCry and NotPetya were just the latest in a long line of cyber security wakeup calls where industry runs the risk of just hitting the snooze button, yet again.
 
"Many top ASX companies have chief information security officers, or CISOs, to help them identify and manage cyber risks. If you've got a CISO then your organisation has had the epiphany that it is a digital business and it thrives, or withers, on its ability to deal with cyber risks in a hyper-connected world."
 

Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.

Read more ...

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs. 

Read more ...

Who wasn't moved by the story of Alan Turing, the brilliant English mathematician whose dedicated team cracked the Nazi Enigma code and saved countless lives during World War 2?

Fast forward more than 70 years and the ability of terrorist groups such as Islamic State and al-Qa’ida to harness ­encryption methods on the internet has created its own Turing doomsday imperative. Either we crack the codes or our law enforcement agencies will remain in the dark about terrorist plans for more carnage.

Next week, political and ­national security chiefs from Australia, New Zealand, the US, Britain and Canada will meet privately in the Canadian capital, Ottawa. High on the agenda will be ways to combat terrorism, and one of the key points will be cracking encryption in messaging apps.

The task at this conference, known as Five Eyes, is incredibly difficult — nearly impossible.

Some of the most common messaging apps are Apple’s iMessage, Facebook Messenger, Whats­App, Signal, Telegram and Wire. Every day, millions of people send billions of messages to each other, secure in the knowledge that new-age encryption technology means their conversations will remain private.

Full Story

Experts say efforts to get technology and social media firms to cooperate with the authorities in decrypting communications will be hard to achieve. The Australian government wants smartphone companies and social media platforms to ensure terrorists cannot hide behind anonymous posts or encrypted messages, but it has not said how or when.

In his recent national security statement to parliament, Australia’s prime minister Malcolm Turnbull said traffic on encrypted messaging platforms was difficult for security agencies to decrypt.

Most of the major platforms of this kind are based in the US, where a strong libertarian tradition resists government access to private communications, as the FBI found when Apple would not help unlock the iPhone of the dead San Bernardino terrorist,” he said. “The privacy of a terrorist can never be more important than public safety.”

James Turner, cyber security analyst at advisory and consulting company IBRS, added: “You can’t build crumple zones into encryption systems because it puts up big neon signs saying there’s a vulnerability.”

Instead of trying to gain access to the encrypted communications, Turner said governments should “aggressively target the endpoints”, especially as services such as Apple’s iMessage were being re-engineered to make encrypted content inaccessible to even Apple itself.

Full Story

 

Two years ago, mobile device management (MDM) was the buzz. Mobile security was an essential part of a mobility strategy, and every enterprise needed one. Today, not so much.

"About 18 months ago at least, businesses across the whole market realised that the issue wasn't around mobility. Mobility was subsumed by this idea of 'any device, anywhere'," according to Joseph Sweeney, an advisor with IBRS who specialises in end user computing, including mobility, future workplace strategies, and enterprise solutions.

"We're now starting to treat the desktop and the tablets and all these other devices as one and the same thing. Most of the strategies I'm working with do not distinguish between mobile device and desktop," Sweeney told ZDNet.

"What's changed is that instead of trying to say that here's a bunch of untrusted devices, and here's a bunch of trusted devices, people are realising that everything is an untrusted device, including the stuff in the office."

Full Story

Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.

Read more ...

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs. 

Read more ...

It's now a year since the launch of the Australian Cyber Security Strategy. Could progress be better? Of course. But the progress is good. Actually, it's great.

The collaboration between government and the private sector has had a fresh wind touch its sails and the level of cyber security collaboration between many of Australia's largest organisations is at an unprecedented level. The recent global wave of ransomware, variously termed WannaCry or WannaCrypt, was a live-fire exercise for testing the efficacy of this collaboration.

The recent launch of the ASX 100 Cyber Health Check report was an excellent step on the journey to a more complete understanding of what will come to be viewed as due care in the domain of cyber risk management, and the launch of the Australian Cyber Security Growth Network is already making waves for the local start-up community.

The prevailing sentiment is that we don't really have a choice other than to work together because we absolutely have to be good at this. Collaboration is

Full Story

Cyber security experts said Australian businesses and government agencies got lucky in avoiding potentially devastating effects from a global ransomware cyber attack, which wreaked havoc around the world at the weekend, but warned problems could emerge as organisations return to work on Monday.

Unlike in Britain, where some hospitals ground to a halt, no major victims of the so-called WannaCry malware attacks have emerged in Australia, where there was only one unnamed case of infection, after companies called in security staff on Saturday to quickly update software patches.

However, despite Prime Minister Malcolm Turnbull seeking to calm any local alarm over the weekend, the government's cyber security experts have copped some criticism for failing to show sufficient leadership in proactively advising organisations about the threats and required course of action.

Full Story

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

Read more ...

Conclusion: Australian organisations and agencies need to embrace the European Union’s new General Data Protection Regulation (GDPR) legal framework for protecting and managing Private Individuals Information (PII). There is considerable risk to organisations that do not take action to comply, financially and to organisations’ brands.

There are also potential upsides in embracing the requirements and being able to demonstrate compliance with the accountability principles, and implementing both technical and organisational measures that ensure all processing activities comply with the GDPR.

Whilst Australian companies may already have practices in place that comply with the Australian Privacy Act 1988, GDPR has a number of additional requirements, including the potential appointment of “data protection officers”. Action should already be taking place, and organisations should not underestimate the time and effort it may take to reach and maintain compliance.

Read more ...

Conclusion: IT executives must appreciate that managed security services is not a simple IT outsourcing function, because cyber security it not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost implications for both parties and will require a commitment to continually reviewing suitability of services. Executives should aim to evolve their own cyber risk management capabilities around people, process and technology, because this internal maturity is required to get the most from engaging with an MSSP.

Read more ...

Conclusion: Security awareness programs are an attempt to change staff behaviour for the protection of an organisation’s information assets, and also an attempt to change corporate culture to support and encourage desirable behaviours. However, security awareness programs also run the risk of overwhelming staff with too much fear, uncertainly, and doubt. A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of “relaxed alert”, or “Code Yellow” in Cooper’s Colour Codes.

Read more ...

 IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Read more ...

Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

Read more ...

Forensic software firm Nuix has begun a search for a new chief executive with a "global IPO skill set", all but confirming plans to pursue a public listing in 2017 that may deliver the ASX a new $1 billion-plus technology company.

The move comes at the same time as the company has appointed cyber security expert and former US ambassador to Australia, Jeffrey Bleich, to its board, signalling a greater focus on its cyber products.

The company, which was founded in 2000 by a team of computer scientists and last year was instrumental in the Panama Papers investigation by providing the technology that was used to analyse the documents, is expected to be worth more than $1 billion when it lists.

Full Story

Cyber security experts have warned the federal government must put aside budget deficit concerns and invest in upgrading aging computer systems vulnerable to a damaging attack from a foreign state. 

 
Concerns about such an attack intensified after the United States government recently accused Russia of using cyberpower to influence the outcome of the 2016 presidential election by ordering attacks on the Democratic National Committee's computers and those of other political organisations.
 
 
 

Conclusion: Bugcrowd, Hivint, Kasada, and Secure Code Warrior each has a proven capability to address an important aspect of the cyber defences of Australian organisations. The Australian Cyber Security Strategy, launched in April 2016, advocates the promotion of local capabilities where Australia can build globally competitive solutions. These four vendors are already being used by leading local cyber security executives, and their capabilities are acknowledged.

Read more ...

Related Articles:

"Hot cyber security vendors for your shortlist Part 3 – more Aussies" IBRS, 2018-03-31 07:06:21

"Hot cyber security vendors for your shortlist – Part 1" IBRS, 2016-12-03 02:41:25

After making a splash in the data centre, software-defined networking (SDN) is now becoming increasingly relevant for the enterprise WAN, with analysts saying the software-defined WAN (SD-WAN) has the potential to reduce capital and operational expenditure, hasten network provisioning and increase network availability.

In their recent paper, ‘Cloud and Drive for WAN Efficiencies Power Move to SD-WAN’, IDC analysts Brad Casemore, Rohit Mehra and Nav Chander discussed how SD-WAN can help organisations meet the network requirements of their branches and remote sites.

Full Story

Conclusion: In the IBRS Security Leadership capability maturity model, buying more product is level 2: Alienated, and is typified by IT teams that are struggling to take on the challenge of cyber security because they address it as a technical problem. Buying product without a clear understanding of the business risk it is aiming to address is a guarantee for failure. But for organisations that understand that cyber risk is much more than IT, know there is a business risk that comes with cyber capability, and have the organisational will to address it, technology can make a significant difference in automating and accelerating capability. These three vendors, Crowdstrike, CyberArk and Tanium, are well regarded by leading Australian customers.

Read more ...

Related Articles:

"Hot cyber security vendors for your shortlist Part 2 – Aussie startups" IBRS, 2017-01-01 10:35:40

"Hot cyber security vendors for your shortlist Part 3 – more Aussies" IBRS, 2018-03-31 07:06:21

Conclusion: Organisations must proactively manage exactly which data is kept, secured, and backed up, as well as which data must be archived or permanently deleted. Data hoarding adds considerably to storage costs as well as potentially exposing organisations to risks especially if the data is inappropriate, unencrypted, or could put an organisation’s brand at risk.

Organisations need to have clear policies on exactly what sort of data is to be kept, especially when there are legal, regulatory or other specific reasons for keeping the data. Additionally, organisations need to be clear on what should not be kept.

Organisations cannot leave the management of this issue at simply expecting compliance to a policy. Business stakeholders must be closely involved in defining the business imperative for tracking data relevance and the value of data. Data specialists equipped with the appropriate tools will be required to specifically find data and manage it based on defined policies.

Read more ...

FireEye has recently struck a deal Microsoft, designed to place the security vendor's iSIGHT Intelligence into Windows Defender, an inbuilt Windows security offering.

Terms of the deal will see FireEye gain access to telemetry from every device running Windows 10, serving up access to almost 22 per cent of the total desktop market, alongside laptops and Windows mobile phones.

Widening the security scope further, Microsoft previously intended to have one billion devices running Windows 10 by 2019.

While the vendor has since backtracked on this statement - stating that the process would take longer than originally predicted - the direction of travel is clear.

Full Story

 

Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.

Read more ...

The Reserve Bank of Australia's top technology executive has said the central bank's networks are being probed by potential hackers every two seconds and that almost 70 per cent of the emails received by RBA addresses are malicious.

In a wide-ranging speech to an annual conference held by technology research giant Gartner in Queensland, RBA chief information officer Sarv Girn highlighted the conflicting challenges involved with running an innovative tech strategy, while also remaining secure.

He said the RBA's tech strategy was a delicate balancing act between the need for resilience and the need to innovate and react to changes being wrought by the numerous disrupters in the booming start-up fintech sector.

"Whilst attaining digital reliability has been a crucial need for many years, the impact and consequence of getting this wrong in today's economy can threaten the very viability of an organisation," Mr Girn said.

Full Story

Commonwealth Bank of Australia's technology chief has led calls for increased cooperation among businesses and public sector agencies regarding cyber attacks, following the release of a government report highlighting increasing threats.

The government's peak cyber security agency the Australian Cyber Security Centre (ACSC), released an annual threat report on Wednesday morning, warning that government agencies were being compromised by hackers and that many businesses were too secretive about the threats they were facing.

While security industry insiders said the report did little to provide new information or practical advice about well-known threats, CBA's chief information officer David Whiteing told The Australian Financial Review he viewed it as an important contribution to a nation-wide effort to uplift the awareness of security teams and the general public

The report provided anecdotes about recent assistance that government departments and private sector organisations had needed from The Australian Signals Directorate (ASD) in tackling cyber attacks

Full Story