The Australian Signals Directorate’s (ASD) recent publication of its Cyber Threat Report 2022-2023 unearthed a range of areas of concern for government departments and critical infrastructure entities at local, State and Federal levels.
Leaders, with or without a specific information technology or security reference in their job title, are under pressure to manage the increasing accountability that leadership roles carry for cyber-risk oversight of department data, systems and assets against both internal and external cyber-attack.
This summary aims to equip those in leadership roles, especially those without a technology or security title, to stay current with the latest findings and to access short- and long-term solutions that improve cyber governance.
Malicious cyber incidents grew by 50% in 2022-23. The ASD encourages the sector to report anomalous activities early and not wait until thresholds for mandatory reporting are reached, because the immediacy of reporting is vital to containment and recovery activities.
Alongside malicious threat actors sits the localised risk that threatens your cyber security: human error. It is constantly tested by increasingly genuine-looking phishing emails and by the difficulty of simply staying aware. Culture building and cyber awareness programs need continuous revitalisation and reinforcement with teams. While training and education programmes are essential within an organisation, they are far from a fail-safe defence. Humans make mistakes, whether in your department or at one of your supply chain partners. In either circumstance, a “portfolio” of defence-in-depth mitigation strategies is the best way forward.
2023 alone has seen health, justice, telecommunications and education data breaches [4], amongst others, that have impacted many in the community and, indirectly, the government as well. The Office of the Australian Information Commissioner (OAIC) has been important in facilitating compliance and early reporting of breaches for organisations covered under the Privacy Act 1988. [5]
The legislation helps keep organisations accountable and ensures that individuals whose information has been disclosed are informed of their risks and remedial options as soon as possible. Beyond protecting stakeholder information, leaders in government agencies can equally be directly and indirectly responsible for:
At a recent cyber security conference in Sydney, the Chairman of the Australian Securities and Investment Commission (ASIC) warned that “if boards do not give cybersecurity and cyber resilience sufficient priority, [it will] create(s) a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”.
Building cyber resilience, especially within government agencies and critical infrastructure, is vital. For some, positive cyber security obligations already exist. As the cornerstone of our economy, and because so many of our vital digital assets are held within those entities, Government entities and CI providers are pivotal in driving cyber posture improvements and operational resilience across the broader economy. Their leaders therefore need to ensure they remain informed, ideally with clear visibility of cyber security and other non-financial risks, so that this information can inform their decisions and the performance of their duties. [6]
If you are not aware of the extent to which data-driven collection and analysis of empirical cyber security information can assist the timeliness and reliability of your decision making, now is the time to ask. Without an understanding of the sources and accuracy of the information that underpins your cyber reporting, you are at risk of making uninformed decisions.
Whether for risk management or strategic purposes, risk leaders, executives and even board members need to have confidence in the information that forms the basis of their decision-making. Clear, evidence-based information that systematically captures the metrics relevant to your reporting and oversight obligations will help ensure that your agency is not left exposed by incomplete or inconsistent governance efforts.
In their efforts to simplify the translation of technical information into business or management reporting, IT teams can sometimes resort to abridged and even anecdotal reporting. In a strengthening legislative environment where senior executives and directors need evidence-based reporting that balances clarity and context, this is no longer acceptable. Security information needs to be in a clear and consistent format that enables decision makers to understand and meet their management and statutory responsibilities.
Effective cyber security is all about managing the detail within all the noise. Systems are complex, skilled staff are hard to attract and retain, data volumes are growing, and you are looking to protect every last potential point of unauthorised access. Gaps are a problem, and current cyber security practices are no guarantee of your ongoing cyber resilience, especially if they are built on subjective judgements or imprecise standards.
If there is one trend for sure, it is that the cyber threat environment is continuing to become more dangerous. So, as you seek better evidence to support your decision making, it is important to remember that the dark side is not standing still either. You should be asking how your SOC or IT teams are managing to collate and analyse enough relevant security data in such a rapidly changing environment, on top of their business-as-usual cyber monitoring and response activities. How accurate and reliable is the data?
Collecting and analysing the appropriate and relevant data to assess the state of a dynamic threat environment is genuinely challenging. Because the environment changes unpredictably, it is important to shrink the measurement intervals, that is, to measure more frequently, so that the range and variability of the data captured within each interval is limited.
This turns out to be consistent with the latest recommendations of security agencies. More frequent collection of evidence-based observations reduces the quantum and unpredictability of events between measurements and so dials down the uncertainty. Complexity too, whether it is the multiplicity of potential threat vectors at the threat surface or simply the complication and scale of current network architecture, is reduced with more frequent measurement. [7]
At this point in any department or agency’s digital journey, there should be a move toward automation of cyber-risk data. This is a problem happening at machine-speed and security teams can’t keep up, yet security agencies are asking for more frequent risk assessments. To support your staff and enable them to focus on higher value activities, automated identification, assessment, and reporting can get them on top of your cyber resilience efforts – without every team member needing to be a cyber security specialist. And it shouldn’t be an enormous overhead or multi-year project – you should be able to access this information by your next board meeting, and easily within your delegation limits.
The Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (ASD) Essential Eight Framework is a baseline for cyber security that is used across local government, State departments and Federal agencies in Australia.
Utilising eight mitigation and cyber-risk management strategies, the Essential Eight Framework prioritises protection, containment and recovery controls to protect your systems against adversaries and cyber threats.
Your department or agency can reduce its attack surface by securing systems with the Essential Eight Framework, or by using one of the alternative frameworks recommended in the CIRMP Rules [8], to maintain an asset registry, protect sensitive data and employ security by design.
Although operational activities may sit with others, your role still has an expectation of oversight of cyber risk. As you navigate digital transformation, and face upcoming cyber reporting and legislative requirements, consider Huntsman Security’s Essential 8 Auditor or Essential 8 Scorecard applications.
Huntsman Security’s Essential 8 Auditor and Essential 8 Scorecard boost your cyber risk management and corporate governance oversight with automated and data-driven cyber security measurement and maturity level reporting – giving you daily, weekly or monthly visibility of your cyber controls and their performance against the Essential Eight.
The effectiveness of each security control is measured to inform both your security and management teams of any mitigations necessary in the operation of the key security controls. In parallel, the measured score reliably gives the executive, board and risk managers clear visibility of your current security posture to inform risk management oversight and regulatory reporting.
Benchmarked against the ACSC Essential Eight, the Essential 8 Auditor and Essential 8 Scorecard equip you and your organisation with a recognised evidence-based framework to identify and mitigate cyber security hazards – and support compliance with CIRMP review and reporting requirements utilising the ACSC Essential Eight Maturity Model.