Three steps to optimal cybersecurity
By Neil Lappage, Security Advisor, ITC Secure and member of ISACA Emerging Trends Working Group
Wednesday, 01 November, 2023
In Australia over the next 12 months, more than 68% of companies expect the same or an increased level of cyber attacks, according to ISACA’s latest research report: State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources and Cyberoperations.
Furthermore, respondents report low confidence in their organisation’s ability to detect and respond to cyberthreats, with only 36% being completely or very confident. While this is extremely troubling, it is not surprising.
New advancements and developments in technology, including machine learning and artificial intelligence, are changing our digital world and providing new opportunities for malicious attacks. Compounding this are high levels of understaffing, reported by 65% of respondents, and somewhat or significantly underfunded cybersecurity budgets, as reported by 61% of respondents.
The Australian Government recently announced it is stepping up cybersecurity efforts with a plan to protect our nation via six cyber shields by 2030. This is extremely encouraging, and the effectiveness of these shields will be measured over time by decreasing reports of cyber attacks.
For me, the first shield is key. It proposes, “education of citizens and businesses to understand those actions they can take to protect themselves, and have proper supports in place so that when they are the victim of a cyber attack they’re able to get back up off the mat very quickly”.
On the frontline, dealing with cyberthreats and breaches daily, I see a concerning number of organisations that rely solely on prevention measures. They’ve outsourced the cybersecurity role or bought a Microsoft solution that remains ‘partially in the box’ and believe their work is done.
No doubt prevention is essential, but what sets companies apart when it comes to optimal cybersecurity management is realism and forward thinking.
The government’s first cyber shield encompasses this — a holistic approach that moves beyond purely prevention, pointing to the benefits of recovery and having an incident response plan in place.
Those organisations that recognise we live in a world where cyberthreats are relentless and ever-changing, executed by threat actors who are becoming increasingly more sophisticated in how they attack and invade organisations, are the ones most prepared to withstand a breach. They are in the driver’s seat, actively reviewing and updating their strategy, assessing the cyber landscape and altering their approach — no matter the prevention steps in place.
We don’t just put a new timber fence around our house and think we’re completely safe. We still need to treat and maintain the wood regularly, we still need to lock the door and windows, and we still need to activate the alarm. Even despite these prevention measures, there is a possibility people can jump that fence, break a window and deactivate the alarm.
In line with the government’s first recommended Cyber Shield, an optimal security strategy has three key components:
No amount of outsourcing or prevention measures should lead to passivity. The organisation must be in the driver’s seat, actively instigating improvements from inside the company.
While this involves robust security measures including intrusion detection systems, regular system updates and firewalls, it also means creating an organisational culture of cybersecurity awareness. Educating and training staff about good cyber habits can help avoid many common threats.
And this is true for small to medium-sized companies (SMEs), just as much as larger enterprises. In fact, business email compromise is an increasing concern for SMEs, with hackers skimming lesser amounts of $10,000 to $20,000 off multiple companies at any one time, as opposed to multimillion-dollar ransom threats. This is done by hijacking emails and requesting the accounts team to update bank details for future invoices. It is only when the actual supplier queries unpaid invoices that the alarm is raised.
Monitoring and visibility is an essential part of a prevention plan to restrict the amount of time threat actors remain undetected in an environment, reducing the level of damage.
2. Incident response plan
Interestingly, only 37% of ANZ respondents in ISACA’s 2023 State of Cybersecurity report say their organisation conducts an annual cyber-risk assessment.
This is worrying, as it suggests many organisations lack an incident response plan, which is crucial to ensuring a thought-through, organised approach to mitigating the damaging effects of a breach and data loss. Furthermore, an effective plan must be treated as a living document, regularly pressure-tested and reviewed.
It should outline:
- Team roles and responsibilities during an incident to ensure collaboration.
- Legal and regulatory reporting requirements.
- Communication messaging and processes with various stakeholders.
- Processes for post-breach analysis to ensure learnings, identify vulnerabilities and address these to prevent future occurrences.
- Timelines for regular drills and cyber-risk assessments.
In the event of a cyber breach, a well-defined recovery plan is paramount. While recovery sits within the incident response plan, it should include steps to isolate affected systems, identify the breach’s scope and restore compromised data and services to get the organisation back up and running.
Thanks to preventative monitoring systems in place, we can generally understand how the hacked information was accessed.
But the million-dollar question in a recovery effort is “Who was affected?” and “Who do we need to tell?”.
If it’s a database that has been affected, as was the case with the Optus breach, the data is structured, making it somewhat easier to identify affected individuals. But emails are unstructured data, so without an e-discovery tool — and someone who is trained to use it — the process to identify affected customers is wrought with complexity.
Unfortunately, most organisations are 10 steps away from having an e-discovery tool in place, including a licence to use it and a trained technician able to identify compromised personal data and the associated individuals. Rather, they rely on data mining companies — which charge anywhere from $20,000 to $150,000 — to provide a report with contact details of customers and stakeholders affected by a breach.
Ultimately, the way an organisation handles recovery is critical to ensuring business continuity and ongoing customer trust and loyalty. A swift and well-prepared recovery plan will reduce the impact of cyber incidents on both individuals and organisations.
Cyber-professionals today are operating in one of the most complex environments, predicted to become even more challenging. It is understandable that organisations feel comfortable when solid prevention measures are in place, but I encourage all organisations to move to the next level and consider what your incident response plan looks like. What would you do right now if a customer calls to question an email that you didn’t send? Or a supplier calls to request payment of an invoice you have already paid?
Moving from ‘prevention land’ to ‘recovery island’ is critical.
The need for mental health support within the cybersecurity profession has been evident for quite...
Collaborating with industry stakeholders to devise a ransomware reporting obligation is a key...
With the ever-increasing speed and sophistication of cyber attacks, we need speed, scale and...