Security & Risk - IBRS

Intelligent Business Research Services Pty Ltd (IBRS) is an Australian company that provides research and advice specific to IT and Business Managers in Australian and New Zealand organisations. Our experienced team of Analysts and Advisors have worked at the highest level within the Research and IT Industries or have themselves been CIOs.

Feed: https://ibrs.com.au/security-risk
Last build: 2017-11-23T05:39:22+11:00
Editor: IBRS (nbowman@ibrs.com.au)


Applying The Five Knows of Cyber Security (Video)
Published: 2016-08-15T12:39:16+10:00
URL: https://ibrs.com.au/security-risk/8302-download-the-five-knows-of-cyber-security
Author: James Turner (jturner@ibrs.com.au)

With the recent issues that the Australian Bureau of Statistics (ABS) has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions about their information assets and service providers.

"Applying the Five Knows of Cyber Security" is a must read for organisations that may be exposing themselves to risk through their supply chain.


Sometimes good security does not mention security
Published: 2016-05-05T10:04:00+10:00
URL: https://ibrs.com.au/security-risk/8162-sometimes-good-security-does-not-mention-security
Author: James Turner (jturner@ibrs.com.au)

Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people respond in many ways to something they do not understand, ranging from denial to fear. Consequently, a frequent obstacle to better security maturity is inertia rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers the decision maker. Valuable conversations about risk and threats can therefore be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned at all and, in many cases, even raising the label of security can undermine initiatives that had security as an objective.


Rethinking the delivery of information security
Published: 2015-11-02T14:03:30+11:00
URL: https://ibrs.com.au/security-risk/8058-rethinking-the-delivery-of-information-security
Author: James Turner (jturner@ibrs.com.au)

Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security with IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and many security practitioners to make the mental shift from technical doers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber security, and that this person is adequately informed and empowered to execute on this accountability.


IT security considerations in the supply chain
Published: 2015-08-12T15:01:49+10:00
URL: https://ibrs.com.au/security-risk/8016-it-security-considerations-in-the-supply-chain
Author: James Turner (jturner@ibrs.com.au)

This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally and with suppliers.

The IT dependencies that organisations now have are largely invisible and can easily be taken for granted, much like the infrastructure involved in having electricity or water provided to a home. And just as with electricity and water, when there is an incident in the IT supply chain, the impact on the end consumer can be considerable.

Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem in which their organisations operate, and are starting to work on securing the resilience of every link in the chain. This will take time, effort and collaboration.


Applying the Five Knows of Cyber Security
Published: 2015-08-01T10:32:04+10:00
URL: https://ibrs.com.au/security-risk/8004-applying-the-five-knows-of-cyber-security
Author: James Turner (jturner@ibrs.com.au)

Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and in supporting information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the "Five Knows of Cyber Security" can prove invaluable in turning a technical conversation into a governance conversation.


Should organisations use the Lockheed Martin Cyber Kill Chain framework?
Published: 2015-05-02T01:31:15+10:00
URL: https://ibrs.com.au/security-risk/7964-should-organisations-use-the-lockheed-martin-cyber-kill-chain-framework
Author: James Turner (jturner@ibrs.com.au)

Conclusion: Lockheed Martin's Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking; with other audiences it may be inappropriate and ineffective. Because of its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.


Securing IT for Executives travelling to high risk countries
Published: 2015-04-01T11:30:00+11:00
URL: https://ibrs.com.au/security-risk/7955-securing-it-for-executives-travelling-to-high-risk-countries
Author: James Turner (jturner@ibrs.com.au)

Conclusion: Travelling executives must be under no illusion: if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The effort a third party is prepared to expend in getting the information will be directly proportional to its potential value to them. The more an organisation has at stake, the more important it is that this is a risk-driven conversation, not a technology one, because the technology does not matter if an executive's behaviour does not change to match the risk.


AWS Backup and Recovery
Published: 2015-04-01T11:12:01+11:00
URL: https://ibrs.com.au/security-risk/7951-aws-backup-and-recovery
Author: Kevin McIsaac (kmcisaac@ibrs.com.au)

Conclusion: Organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business' recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.


Security skills and the Cloud: Damned if you do and doubly damned if you don't
Published: 2015-03-01T20:03:20+11:00
URL: https://ibrs.com.au/security-risk/7933-security-skills-and-the-cloud-damned-if-you-do-and-doubly-damned-if-you-don-t
Author: James Turner (jturner@ibrs.com.au)

Conclusion: As cyber security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.


Security awareness campaigns - Engagement is the magic sauce
Published: 2015-01-30T06:42:03+11:00
URL: https://ibrs.com.au/security-risk/7919-security-awareness-campaigns-engagement-is-the-magic-sauce
Author: James Turner (jturner@ibrs.com.au)

Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification, and behaviour modification works best when the individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.