Main
Log in

Security Leadership

 

 

Conclusion: The probability of an inside attack is hard to gauge and depends entirely on the inner state of the attacker, but the impact can range from inconsequential to disproportionately vast. CIOs must assess the risk of a malicious insider in the context of their organisation’s information assets and risk management priorities. Astute CIOs will know that technology alone will not mitigate this risk, and that an ongoing

Conclusion:Accusations against Huawei of spying for the Chinese Government are destabilising confidence in this vendor in the local market. Consequently, the key challenge for Huawei in the enterprise IT space will be a growing reticence by people to be trained in a technology that is being positioned by the intelligence community as a political pariah. This will create a shortage of people trained in Huawei enterprise network equipment and will lead to a sellers’ market for these skills. This will add considerably to the ongoing costs of opting for a cheaper vendor.

Conclusion: As physical and digital supply chains become more integrated across organisational, regional, and national boundaries, the potential impact of an emergency or crisis can be far reaching. A proactive approach to crisis management requires an awareness of all the high-impact crisis and emergency events that could affect an organisation, and requires appropriate tools for risk assessment and active hazard management.

Conclusion: In engaging with an external incident response provider, it’s vital that they are not walking blind into your environment. Equally, you need to know exactly who they are, what they are capable of, and what the agreed outcomes of the engagement will be. If you have been attacked, or are still under attack, your organisation’s information assets are potentially at their most vulnerable, so the trust in your incident response provider needs to have been established prior to the attack. This places higher than normal importance on your vendor selection process, and in engaging with the incident response provider as early as possible.

Conclusion: CIOs must avoid being swept up by the hype concerning SaaS (Software as a Service) and approach each business case on its merits. While the immediate net benefits may be appealing, it is important to evaluate whether the long-term benefits are sustainable and the risks manageable before entering into a service contract.

Conclusion: Predictably, Apple’s lead with its Touch ID biometric reader will be followed by the smartphone industry, and we will see a flood of biometrics options for consumers. Many of these biometric deployments will not be well executed, and the failures of these systems will impact the feasibility of biometrics as a means of authentication. Reliance on biometrics, which are used across multiple systems, yet cannot be revoked, will make fingerprints an obsolete authentication credential which will need continual bypass options. Within the next two years, fingerprint authentication in the enterprise will be rendered obsolete.

Conclusion: Engaging with an incident response service provider is a process that needs careful research and planning. It’s valuable for your incident responders to know a considerable amount about your business operations so that they can help support the business in an incident, and not just stamp out technical fires, potentially doing further business damage. It is equally important that you know your incident response service provider; how they prefer to engage, what their capabilities are, their reference clients and, what their employment policies are.

Conclusion: Recent exposure of US intelligence community actions, to monitor data of non-US entities, has highlighted the tenuous control organisations have over maintaining the confidentiality of their data. Whether US intelligence explicitly, or informally, assists US commercial interests, non-US organisations have been served with a clear warning as to how they should see this new world.

Organisations should review what information assets they are entrusting to US cloud vendors, and what the impact on the organisation would be if the confidentiality of these assets were to be compromised without the organisation’s knowledge.

Conclusion: Application whitelisting is a highly effective mechanism to minimise the impact of malware, and even ensure software licensing limits are enforced, but it is not a simple project and the technology to enforce a whitelist is still maturing. CIOs of Australian government agencies required to comply with the Protective Security Policy Framework and Information Security Manual (ISM) should have a clear plan to present to their Ministers on how this project will be delivered over the next 18-24 months.

Conclusion: In this era of targeted, self-obfuscating, and successful cyber-attacks, organisations must do three things. First, recognise that the organisation cannot prevent a dedicated attack. Second, understand what the organisation’s information assets are, and where they are. This is because we cannot always anticipate how the attacker may get in, but it is imperative to know what they are likely coming for. Third, increase your focus on detection and incident response, because you must be able to deal with a breach when it happens.

In the News

The Future of Work: The Role of People - Adobe - 31 Jan 2018

The Future of Work: The Role of People Foreword by Joseph Sweeney, IBRS Advisor For the past 30 years, organisations have applied technology to people to make the workplace more productive. But...
Read More...

Businesses unprepared for new data breach notification laws - AFR - 29th January 2018

Thousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or...
Read More...

Intel chip meltdown flaw shows new vulnerability - AFR - Jan 5th 2018

Cyber security experts have warned the long-term implications of chip vulnerabilities nicknamed Spectre and Meltdown discovered by researchers this week are still unknown, despite it appearing that...
Read More...

Business experience should help parents keep kids safe online - AFR - 28th Nov 2017

The adults in the lives of young people need to know more about security and safety in an online world and they could be learning this at work The Office of the eSafety Commissioner deals with some...
Read More...

CBA faces heat over cyber security cuts and confirms outsourcing plans - AFR - 27th Sep 2017

Commonwealth Bank of Australia has admitted it is culling the number of technology partners it works with as part of a cost cutting drive that has some industry observers concerned it is stepping...
Read More...

Subscribe to IBRS Updates

Invalid Input
Invalid Input
Please enter a valid email address
Please enter your mobile phone number
Invalid Input

Get in-context advice from our experts about your most pressing issues or areas of interest

Make an Inquiry

Sitemap

Already a subscriber?

Login to read your premium content.