The Australian Signals Directorate's (ASD) Cyber Threat Report 2022-2023 identified a range of areas of concern for government departments and critical infrastructure entities at local, State and Federal level.
Leaders, with or without an information technology or security reference in their job title, face growing accountability for cyber-risk oversight of their department's data, systems and assets against both internal and external cyber-attack.
This summary aims to help those in leadership roles, especially those without a technology or security title, stay current with the report's findings and access short- and long-term measures to improve cyber governance.
Malicious cyber incidents grew by 50% in 2022-23. The ASD encourages the sector to report anomalous activities early and not wait until thresholds for mandatory reporting are reached, because the immediacy of reporting is vital to containment and recovery activities.
1. Government departments at all levels, and Critical Infrastructure organisations, face ongoing cyber-attack targeting by state actors (and organised crime)
2. AUKUS is likely to generate added attention from those seeking to disrupt capabilities or steal sensitive information
3. The interconnected nature of critical infrastructure (CI) and government entities means an increased systemic risk of attack
Alongside malicious threat actors sits a more localised risk to your cyber security: human error. It is tested constantly by increasingly genuine-looking phishing emails and by the difficulty of staying alert. Culture building and cyber awareness programs need continuous revitalisation and reinforcement with teams. Training and education programmes are essential, but they are far from a fail-safe defence: people make mistakes, whether in your department or at one of your supply chain partners. In either case, a "portfolio" of defence-in-depth mitigation strategies is the best way forward.
2023 alone has seen health, justice, telecommunications and education data breaches [4], amongst others, that have affected many in the community and, indirectly, government as well. The Office of the Australian Information Commissioner (OAIC) has been important in facilitating compliance and early reporting of breaches by organisations covered by the Privacy Act 1988 [5].
The legislation helps keep organisations accountable and ensures that individuals whose information has been disclosed are informed of their risks and remedial options as soon as possible. Beyond protecting stakeholder information, leaders in government agencies can equally be directly and indirectly responsible for:
At a recent cyber security conference in Sydney, the Chairman of the Australian Securities and Investments Commission (ASIC) warned that "if boards do not give cybersecurity and cyber resilience sufficient priority, [it will] create(s) a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence".
Ensuring cyber risk visibility for your risk management and leadership teams
Building cyber resilience, especially within government agencies and critical infrastructure, is vital, and for some entities positive cyber security obligations already exist. As the cornerstone of our economy, and because so many of our vital digital assets are held within them, government entities and CI providers are pivotal in driving cyber posture improvements and operational resilience across the broader economy. Their leaders need to remain informed, ideally with clear visibility of cyber security and other non-financial risks, so that those risks inform their decisions and the performance of their duties [6].
Data-driven cyber-risk information
If you are not aware of the extent to which data-driven collection and analysis of empirical cyber security information can assist the timeliness and reliability of your decision making, now is the time to ask. Without an understanding of the sources and accuracy of the information that underpins your cyber reporting, you are at risk of making uninformed decisions.
Whether for risk management or strategic purposes, risk leaders, executives and even boards need confidence in the information that forms the basis of their decisions. Clear, evidence-based information that systematically captures the metrics relevant to your reporting and oversight obligations will help ensure that your agency is not left exposed by incomplete or inconsistent governance efforts.
In their efforts to simplify the translation of technical information into business or management reporting, IT teams can sometimes resort to abridged and even anecdotal reporting. In a strengthening legislative environment where senior executives and directors need evidence-based reporting that balances clarity and context, this is no longer acceptable. The security information needs to be in a clear and consistent format that enables decision makers to understand and meet their management and statutory responsibilities.
Effective cyber security is all about managing the detail within all the noise. Systems are complex, skilled staff are hard to attract and retain, data volumes are growing and you’re looking to protect every last potential point of unauthorised access. Gaps are a problem, and current cyber security practices are not a guarantee of your ongoing cyber resilience – especially if they are built on subjective judgments or imprecise standards.
Automated cyber risk summaries for monthly review
If there is one certain trend, it is that the cyber threat environment continues to become more dangerous. So, as you seek better evidence to support your decision making, remember that adversaries are not standing still either. You should be asking how your SOC or IT teams manage to collate and analyse enough relevant security data in such a rapidly changing environment, on top of their business-as-usual cyber monitoring and response activities, and how accurate and reliable that data is.
Collecting and analysing the data needed to assess a dynamic threat environment is genuinely challenging. Because the environment changes unpredictably, it is important to shrink the measurement interval: measuring more frequently limits how much can change, and how much the data can vary, between one observation and the next.
This is consistent with the latest recommendations of security agencies. More frequent, evidence-based observation shortens the window in which a change can go unnoticed and so reduces uncertainty. It also makes complexity, whether the multiplicity of potential threat vectors at the attack surface or simply the scale of current network architecture, easier to manage, because each measurement has less change to account for [7].
At this point in any department or agency’s digital journey, there should be a move toward automation of cyber-risk data. This is a problem happening at machine-speed and security teams can’t keep up, yet security agencies are asking for more frequent risk assessments. To support your staff and enable them to focus on higher value activities, automated identification, assessment, and reporting can get them on top of your cyber resilience efforts – without every team member needing to be a cyber security specialist. And it shouldn’t be an enormous overhead or multi-year project – you should be able to access this information by your next board meeting, and easily within your delegation limits.
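As an added illustration of the "measure more frequently" argument above (example code written for this page, not Huntsman Security's product code), the script below samples a constructed daily record of Essential Eight control status at different intervals and reports how long a silent regression in one control goes unnoticed, and how the per-control score differs between daily and monthly snapshots. The control names, the 60-day window and the regression on day 10 are all constructed assumptions for the example.

```python
"""Added example: effect of measurement interval on cyber-risk reporting.

Constructed data only. Each day every control is recorded as passing (True)
or failing (False); one control silently regresses on a chosen day.
"""

# The ACSC Essential Eight mitigation strategies, as short identifiers.
ESSENTIAL_EIGHT = (
    "application_control", "patch_applications", "configure_macros",
    "user_app_hardening", "restrict_admin", "patch_os", "mfa", "backups",
)


def constructed_observations(days=60, regress_control="patch_os", regress_day=10):
    """Daily true state of each control (constructed data): everything passes,
    except `regress_control`, which fails from `regress_day` onwards."""
    observations = {}
    for day in range(days):
        state = {control: True for control in ESSENTIAL_EIGHT}
        if day >= regress_day:
            state[regress_control] = False
        observations[day] = state
    return observations


def sample(observations, interval):
    """Snapshots taken every `interval` days (day 0, interval, 2*interval, ...)."""
    return {day: state for day, state in observations.items() if day % interval == 0}


def first_detection_day(samples, control):
    """First sampled day on which `control` is observed failing, or None."""
    for day in sorted(samples):
        if not samples[day][control]:
            return day
    return None


def detection_lag(observations, interval, control, regress_day):
    """Days between the regression and the first snapshot that shows it."""
    detected = first_detection_day(sample(observations, interval), control)
    return None if detected is None else detected - regress_day


def scorecard(samples):
    """Fraction of sampled snapshots in which each control passed."""
    count = len(samples)
    return {
        control: sum(state[control] for state in samples.values()) / count
        for control in ESSENTIAL_EIGHT
    }


if __name__ == "__main__":
    obs = constructed_observations()
    for interval, label in ((1, "daily"), (7, "weekly"), (30, "monthly")):
        lag = detection_lag(obs, interval, "patch_os", 10)
        score = scorecard(sample(obs, interval))["patch_os"]
        print(f"{label:8s} lag={lag:2d} days  patch_os score={score:.2f}")
```

With this constructed data a daily snapshot sees the regression the day it happens, a weekly one four days later and a monthly one twenty days later; the monthly scorecard also reports the regressed control at 0.50 when the daily record shows it passed on only a sixth of the days, which is the variability the paragraph above is describing.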
The ease of using the ACSC’s Essential Eight Framework
The Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (ASD) Essential Eight Framework is a baseline for cyber security that is used across local government, State departments and Federal agencies in Australia.
Using eight mitigation and cyber-risk management strategies (application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups), the Essential Eight Framework prioritises protection, containment and recovery controls to protect your systems against adversaries and cyber threats.
Your department or agency can reduce its attack surface by securing systems with the Essential Eight Framework, or with one of the alternative frameworks recognised in the CIRMP Rules [8], to maintain an asset register, protect sensitive data and employ security by design.
Although operational activities may sit with others, your role still has an expectation of oversight of cyber risk. As you navigate digital transformation, and face upcoming cyber reporting and legislative requirements, consider Huntsman Security’s Essential 8 Auditor or Essential 8 Scorecard applications.
Huntsman Security’s Essential 8 Auditor and Essential 8 Scorecard boost your cyber risk management and corporate governance oversight with automated and data-driven cyber security measurement and maturity level reporting – giving you daily, weekly or monthly visibility of your cyber controls and their performance against the Essential Eight.
The effectiveness of each security control is measured to inform both your security and management teams of any mitigations necessary in the operation of the key security controls. In parallel, the measured score reliably provides clear visibility to the executive, board, and risk managers, of the state of your current security posture to inform risk management oversight and regulatory reporting.
Benchmarked against the ACSC Essential Eight, the Essential 8 Auditor and Essential 8 Scorecard equip you and your organisation with a recognised evidence-based framework to identify and mitigate cyber security hazards – and support compliance with CIRMP review and reporting requirements utilising the ACSC Essential Eight Maturity Model.