Main
Log in

Security Leadership

 

 

Conclusion: Identity has historically been a thorny problem with concerns over identity theft and the need for verification. Now that biometrics are becoming so accessible to register and verify customers and clients, the business rules used to define the purpose of any identity and access management system should be reassessed in the broader context of business integrity. That is, to assess identity management in three dimensions of first, who the entity claims to be (person, business or thing), second, where the entity exists (geographically and digitally), and third, the entity’s behaviour.

By taking a broader view of identity to address the flow of an entity from a business integrity viewpoint, identity ceases to be just a token and becomes a life cycle. As a result, bona fide customers and clients can access services and products easily and safely, and non-bona fide customers and clients can more easily be isolated and denied access.

Conclusion: Organisations would hope that their data protection policies are in place and effective. Data loss protection is active on the email channel and data is encrypted while at rest within the organisation. Staff are often trying to share data with others or move data to where it may be easily accessible. A very common channel for this is one of the many Cloud-based file-sharing services such as Dropbox, iCloud or Google Drive.

These services conflict with data protection in several ways. In many cases the services used by staff are personal accounts owned by the staff member, not the organisation. This immediately places the data outside the control of the operation.
The sharing of the data can be open-ended where a) even the staff member loses control over who can access the data, and b) it is uncertain where the data is stored and in which jurisdiction.

If the data contains personal information, credit card details or confidential finance information, the organisation may find itself in breach of regulations such as the Notifiable Data Breach Regulation or Payment Card Industry requirements.

Conclusion: Many organisations are finding themselves being defrauded, especially when making or receiving payments electronically. It is not that the end systems are compromised but rather the payment information itself is being subverted in between the payer and the payee.

This is hard to defeat via technical means as the messages themselves look the same as any other payment request or invoice. A quality email filtering service will remove many of the clumsy attempts thus allowing more focus on the well-constructed efforts.

This article aims to help improve understanding of the threat and identify effective strategies to lessen the possibility of a business being impacted. Security defence consists of more than just technology. A well-rounded defence is composed of people, process and technology. Defeating business email compromise (BEC) is primarily achieved by the people and process segments.

The staff of a business are in the best position to detect attempts to compromise a payment, provided they have been armed with some knowledge of the types of attacks and permission to halt and question the details.

Many fraud attempts can be prevented by implementing a simple business process that allows all staff to question transactions that change payment details and use secondary channels to confirm those details.

Conclusion: The notifiable data breach regulations have had an impact on business priorities. For any organisation subject to the regulations, protection of personal information should have become a priority. One security technology, data loss prevention, could have offered some assistance. But it has had a mixed reception in the past due to many issues in both implementing and operating the service.

The continued move to SaaS for office systems such as document creation and email is also changing the market. Many capabilities that have been previously offered as standalone products are now being subsumed into the SaaS offerings as just adjunct functions. 

This simplifies the selection of the products and their ongoing management. A prime example of this is data loss prevention which is now being offered as a check-box selected capability in several SaaS offerings.

This could put data loss prevention within reach of small to medium businesses as a component of their personal information protection strategy.

Conclusion: Given the reality of shrinking budgets, organisations can struggle deciding what new products to purchase or techniques to implement. They hope the new capabilities will enhance their security posture, but new tools often need additional staff to operate them. Employing skilled security staff can itself be a challenge. A simple but pragmatic approach is to leverage IT operation’s budget and skills to improve operational hygiene and hence, overall security hygiene.

Conclusion: Recently, several architectural models and tools have become available to enable the microsegmentation of networks, which helps improve overall security within organisations and can help limit the scope of any potential breach within an organisation. This can be achieved by aligning microsegmentation of networks with the organisation’s mission-critical systems profile.

Organisations should ensure microsegmentation is included in their security strategy. However, there are several different architectural approaches and organisations should explore these and select the approach that most suits their current or planned enterprise architecture and assess the benefits each approach may offer.

Conclusion: Over the past decade, the role of the Chief Information Security Officer (CISO) has risen to be one of great importance in many large and mid-sized organisations. While this remains the case, protecting information assets is more likely to be successful through ensuring all threats are managed under the same set of policies and principles. Managing threats to organisations can no longer be separated between departments or siloed out to service providers. With data in the Cloud and people on the ground in new geographies, the need to evolve the relationship between logical and physical controls has increased. The key to holistic security is to bring all aspects of security under one umbrella to ensure all bases are covered.

Conclusion: Throughout the year, most businesses invite in a third party to conduct an information security risk assessment – as per best practice. Often this is a compliance exercise, other times it is just good housekeeping. Assessors are paid to find gaps in security controls based on the threat landscape and risk profile and provide recommendations for how to better secure the organisation with appropriate controls. With a thud-worthy report in hand, those charged with remediation must prioritise the recommended tasks to best use their resources to appropriately protect the organisation.

Conclusion: Relying on third parties to succeed in business has become the norm. Cost limitations and workforce requirements mean that businesses need to find efficient ways to achieve their goals. This regularly includes creating an ecosystem of organisations that offer technology, consulting and support services that can be leveraged when required for a fraction of the cost of employing a person or service in-house to the same end. This is great from a business perspective; however, engaging with third parties brings significant risk. Businesses are effectively opening their door to a perfect stranger and inviting them into their organisation to look around, share some data and stay a while. Managing the risk of having a third party connected to an organisation is important. An organisation’s security controls become meaningless once data is transferred to a third party. At the end of the day, if a cyber-attack occurs via a third party, there will be more than one reputation on the line in the eyes of current and future business partners, customers and clients. 

While the impact of a third-party data breach cannot be completely prevented, the key to resilience, detection and management of connections is awareness, being upfront about the security expectations and educating the workforce.

Related Articles:

"2FA is a no-brainer" IBRS, 2018-11-02 11:06:25

"When it comes to security, when is enough... enough?" IBRS, 2018-10-04 11:56:31

Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and/or when renewing older infrastructure and services. The need to have cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any CIO.

The Australian Government has identified PROTECTED ratings be applied where systems and data are at risk and where the systems or data are critical to ensuring national interest, business continuity and integrity of an individual’s data. Critical business functions are a combination of the IT systems they run on and the data they consume.

Defining what should be afforded a PROTECTED rating and therefore adequately protected is an ongoing challenge. The Australian Government’s Information Security Manual (ISM) and recent legislation “Security of Critical Infrastructure Act 2018” detail the requirements and framework for reporting, on government-run IT systems and critical infrastructure. Using this framework as a base, organisations should assess whether the data or IT environments that support critical business functions should be treated as PROTECTED.

Related Articles:

"Canberra-based Azure is about much more than security" IBRS, 2018-04-14 13:43:57

"On-Premises Cloud: Real flexibility or just a finance plan?" IBRS, 2017-05-06 06:37:20

"Running IT-as-a-Service Part 33: How to transition to hybrid Cloud" IBRS, 2017-08-02 02:32:44

In the News

How Do You Choose The Best Application Environment For Your Business? - WHICH-50 - 8th October 2019

According to a new IBRS study, spend on enterprise solutions is set to increase in 2019-2020. Both IT and line of business buyers need to consider how they manage procurement of these new solutions...
Read More...

The pros and cons of shadow IT In today’s business world - WHICH-50 - 23 July 2019

Shadow IT sounds like a covert — quite possibly dark — force. And to some people it may well be. But the truth is both far simpler and more complex. According to Cisco, Shadow IT is the use of...
Read More...

Busting The Three Big Cloud Myths - WHICH-50 - 11 June 2019

Organisations that are resisting the shift to cloud computing are often basing their decisions on common misconceptions around security, price and integration. That’s a key finding in a recent...
Read More...

ANZ business users calling the shots in ICT decisions

Conducted by Australia’s Intelligent Business Research Services (IBRS) and commissioned by TechnologyOne, the survey of 261 business leaders in ANZ has shown that business functions are having more...
Read More...

Managed security: a big gamble for Aussie IT providers - CRN - 02 August 2018

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and...
Read More...

Subscribe to IBRS Updates

Invalid Input
Invalid Input
Please enter a valid email address
Please enter your mobile phone number
Invalid Input

Get in-context advice from our experts about your most pressing issues or areas of interest

Make an Inquiry

Sitemap