The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive.
It would be wrong to think UK financial organisations, listed entities, utilities or organisations more broadly are more or less secure than those in the US or AsiaPac; the regulatory regimes are just different. That said, we are all facing very much the same threats to our business, the majority of us using the very same technology platforms. As we recently learned from the joint international security agency list of Top Vulnerabilities, many cyber security issues, like the constant stream of vulnerabilities and skilled staff shortages, are ubiquitous. Undoubtedly there are varying levels of technical and cyber security maturity from country to country and business to business; but that doesn’t mean we can’t accelerate our cyber security maturity by learning from one another.
It took a “tripartite cyber assessment” or formal security control assessment by APRA to identify that a sample of financial organisations in fact had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate 3rd party risk assessment. These assessments were advertised in advance, so why were there gaps? Where is the failure?
Clearly the common practice of unsubstantiated risk assessment and anecdotal reporting is inadequate and can lead to misplaced confidence by cyber security stakeholders and hidden cyber gaps.
It is concerning if, as the results suggest, some Australian financial organisations are willing to “chance it” when it comes to their cyber security resilience.
In July 2023, APRA published the initial findings of its Information Security Prudential Standard CPS 234 compliance audit of banks, insurers and superannuation trustees. The results are concerning.
Some of these “gaps” go directly to the operation of the cyber security governance process. It’s right that regulators should remind directors about their responsibilities for cyber security and oversight. But these reminders appear to be falling on deaf ears. Given last year’s cyber-annus horribilis in Australia, surely cyber governance is a priority.
Perhaps it’s timely to ask whether British financial service companies are subject to similar security gaps? Can we assume that UK PLCs are better or worse than companies operating south of the equator? The likelihood is that the same mistakes are being made by business in both jurisdictions for the same reasons. The balance of probabilities would suggest that anecdotal cyber risk assessments and cognitive bias are not bound by geography.
In late June 2023, the Australian Bureau of Statistics (ABS) published a report on Characteristics of Australian Business 2021-2022, which alarmingly found that as few as 20% of Finance and Insurance Services businesses had upgraded their cyber security software, standards or protocols in the last year. That, despite 57% of the sector actually experiencing some sort of impact from a cyber incident during the period.
Not dissimilar concerns were raised in the UK Government Cyber Security Breach Survey 2023 when it was observed that across the last three survey periods, some cyber security controls have seen consistent declines among businesses and that cyber security had dropped down the priority list.
It’s entirely likely that the security gaps being observed in the finance sector are due to a lack of investment in cyber security systems and processes, and a lack of appreciation for the dynamic and evolving nature of cyber resilience. This lack of investment in Australia in cyber security software, standards and protocols points to cyber resilience improvement being a long way off.
One reason progress in cyber security is so slow is its complexity. In the UK the National Cyber Security Centre (NCSC) suggested recently that the job is bigger than many organisations think: “data flows have ballooned… and the cyber security landscape has become even more complex.” Effective cyber security now means regularly dealing with complex modern IT systems, using cyber security management practices that are no longer adequate. And the persistent hostile threat environment is making it harder to deliver improved cyber resilience at speed and scale. Cyber security is quickly becoming a data analysis problem.
Cyber risk management practices of many organisations are rightfully based on their own perceived levels of exposure, suitability of controls and risk appetite – that’s the whole idea. The problem, however, arises when the absence of a suitable and reliable cyber security assessment process means organisations can’t be confident about their own security level or that of their potential business partners. Without a recognised system or standard “measure” to confirm an organisation’s relative level of cyber resilience, it all gets too vague. And in an interconnected world this can quickly translate into systemic risk.
For that reason, organisations need to incorporate current cyber risk management and industry best practices into their cyber governance process.
Whether in Australia, where APRA regulates financial organisations, or anywhere else, risk management stakeholders need clear visibility of their digital assets, and they need to be able to identify any gaps that emerge in the security controls that protect those assets. In fact, APRA’s Prudential Practice Guide CPG 234 recommends that organisations “actively maintain an information security capability” that addresses “changes in the vulnerability and threats” environment. It continues that they should be guided by “established control frameworks and standards.” Vulnerabilities and the threat environment are clearly exploding; and a principle-based security standard that does not include established control frameworks to instruct and guide the operational management of cyber security is inadequate in the current risk environment.
The upside of having these security gaps identified by the regulator is that they’re now reported to risk stakeholders and their prognosis for mitigation is good. Without rigorous and systematic risk assessments or evidence-based processes, or a sophisticated assurance program like the one undertaken by APRA in this study, these serious vulnerabilities would have remained like an armada of cyber icebergs: invisible to the organisations’ customers, their business partners and the regulator itself.
In late 2022, in its annual report to the Australian Government, The Cyber Security Industry Advisory Committee recommended that a systematic empirical, data-driven cyber security maturity measurement system be adopted nationally. Driven by concerns about the reliability and accuracy of widely-used anecdotal assessment methodologies (and the potential for cyber gaps we’ve spoken about), it sought to address the need for better quality evidence-based risk assessment practices.
That sentiment was ultimately supported by the Australian Cyber Security Centre (ACSC) shortly thereafter, when it highlighted the importance of quantitative assessment and evidence-based measurement over subjective interviews, questionnaires and intuition – the very places where invisible gaps can lurk.
The UK’s NCSC too, recently made similar pronouncements when it favourably contrasted the reliability of quantitative data-driven cyber security assessment with less reliable anecdotal or intuition-based methods. Using empirical information to support evidence-based decision making, it argued, will transform cyber security management practices. These data-driven techniques also better address the growing speed and scale requirements of current day cyber security assessment and reporting.
Meanwhile in the US, SEC rules for listed organisations are requiring greater diligence in both incident reporting and providing visibility on the state of their risk management controls. The materiality of these risks is one question, but the ability to quickly assess issues and clearly express their nature and implications to the business and its stakeholders means security and executive teams are on notice. They will need a functional and transparent evidence-based risk management programme to meet these more stringent regulations.
How cyber security gaps are identified is key to how organisations will effectively navigate the threat environment into the future. It took a robust assurance process for APRA to identify the very real threats lurking under the surface in their sample cohort. And now NCSC in the UK and SEC in the US are shifting to the same viewpoint. With these sorts of gaps potentially lurking wherever subjective questionnaires or unsupported anecdotal cyber security assessments are undertaken, organisations need better processes and practices to limit cyber gaps in the future.
Stakeholders at every level are seeking greater confidence in the cyber maturity levels of their supply chain. Zero trust principles – designed to eliminate implicit digital trust – speak very much to the demand for a greater level of confidence in the cyber risk controls that protect our systems and ultimately our core assets. The adoption of accessible systematic and objective cyber resilience measurement is needed to limit the moral hazard created by those employing less diligent cyber security practices.
There’s talk of more informed cyber security assurance processes, ones that examine any evidence for the purpose of providing an independent, and objective assessment of risk. That’s a start of course, but without a systematic scientific process to verify that evidence, “the exchange rate for a cyber risk” is different for each of us. It’s the steps that remove subjectivity and cognitive bias and replace it with systematic process and timely empirical measurement that will deliver a trusted basis for cyber security decision making.
Effective cyber security is all about managing the detail in all the noise. Systems are complex, skilled staff are hard to find, data volumes are growing and you’re looking to protect every last potential point of unauthorised access. Gaps are a problem, and current cyber security practices can’t substantiate your ongoing cyber resilience – especially if they are built on subjective judgments or imprecise standards.
This paper is adapted from a recent blog we published in Australia. Our intention has been to make some observations and comments about what is starting to look and feel more like a cyber-iceberg than just some gaps. Our observations suggest that these issues are not unique to Australia, the UK or anywhere else. If you’re charting a cyber security strategy and want to avoid your own iceberg, please contact us to learn more about our data-driven applications that digitally report your cyber resilience.