There is a lot of discussion about Australian cyber security right now: AustCyber has just released the Australian Digital Trust Report 2020, and the Australian Cyber Security Industry Advisory Panel will shortly hand down its report and recommendations to Government. This will be followed, very shortly, by the release of the much-anticipated Australian Cyber Security Strategy 2020. For the vast majority of Australian companies, all they want to know is: what does this mean for me, and how can I measure and improve my cyber resilience?
There is no doubt that Australia’s cyber resilience has been found lacking, with evidence to show that there has been little improvement since 2016. Suggestions of industry-based resilience levels and more frameworks and standards have been thrown into the mix; everyone has an opinion and an agenda. The fact of the matter is that Australia already has a cyber security framework, complete with a maturity model, that tells you what good looks like and what your current cyber resilience level is.
The ACSC Essential Eight framework was published in 2017, detailing eight critical security controls that prevent, limit the extent of, and aid recovery from cyber-attacks. The Australian Signals Directorate’s (ASD) own findings show that effective implementation of the eight mitigation strategies provides cyber resilience against 85% of targeted cyber-attacks.
Commonly known as ‘The Essential Eight’, the framework is acknowledged internationally. It is easy to articulate and understand, and it incorporates the key cyber hygiene activities that are globally recognised as the cornerstone of an effective cyber security regime. The ASD considers the Essential Eight to be the most effective cyber resilience ‘baseline’ for all organisations, with Government Departments mandated to meet at least the Top 4. So, if Australia’s ‘Go To’ strategy is not driving cyber resilience, this begs the question: “Why not?”
According to the ANAO, despite recommendations about the benefits of the Essential Eight framework, the lack of improved cyber resilience in Australian Government departments over the last few years may be down to a lack of enforcement of the controls; if there is no consequence for poor performance, what is the driving force for improvement?
There is little doubt that the Prime Minister’s announcement on 19th June got everyone’s attention: “Australia is under attack”. It was very clear. In Advisory 2020-008, the ASD counselled improved resilience and the use of the Essential Eight, particularly two of the most fundamental controls: patching and multi-factor authentication (MFA).
The goal of achieving resilience through Essential Eight compliance has not changed, but now the magnitude of the clear and present danger of non-compliance has been starkly revealed to all. So the question remains: what can be done to encourage or enforce the effective implementation of the Essential Eight framework? Other economies, such as the US and the UK, are in the midst of establishing accreditation programs to do exactly this for their CMMC and Cyber Essentials initiatives.
Setting aside the obvious introduction of penalties, personal accountabilities, or the public humiliation of naming and shaming under-performing entities, what other factors could affect Australia’s ability to improve cyber resilience?
If you have ever been tasked with the operational management of security controls, you will know it is a huge responsibility. Trying to keep on top of a dynamic environment requires skilled resources, and plenty of them. The reality is that many organisations have just a handful of IT staff trying their best to manage an overwhelming workload. Can we improve the workflow and efficiency of some of these workloads? Where do these businesses start on their road to achieving Essential Eight compliance?
Measuring security control implementation takes time, whether you are the operational security team owner or an external auditor. The task is fraught with judgement calls, inconsistencies and human error, and to top it all, once you have gone to the bother of undertaking all the work, the results may not be representative of the current status. As we said earlier, cyber security operates in a dynamic environment; what was robust yesterday may be compromised today. Entities and auditors need Essential Eight audit solutions that are easily installed and that can systematically assess an environment, either at a point in time or continuously.
There is no shortage of consultancy services working hard to support entities everywhere in their pursuit of improved cyber resilience. However, these resources can be costly, and so are not accessible for many companies. The process can also be disruptive and time consuming. Finding a solution, an Essential Eight audit tool, that gives you a quick and easy way to measure your cyber resilience will enable these businesses to quantify their position, create a plan, and begin to move forward with confidence.
The COVID19 pandemic has been a costly journey so far for many of us. Our risk management capabilities have been tested and our resilience is still in question. The insurance industry talks about it being a 1-in-100-year event we are living through. What have we learned?
We have learned that while there were contingency plans in place, we overestimated our preparedness and probably our resilience too. It is now clear that significant events like COVID19 can seriously damage our social fabric and economic infrastructure. Vulnerable to dysfunctional global supply chains and over-reliant on imported goods and services, we have largely done it on our own. With other nations distracted by their own issues, we have managed to sustain the operation of our economy and society with local skills, resources and capabilities; in any other sort of catastrophe, we need to be able to do it again.
Australia has a tried and tested cyber security framework in the ACSC Essential Eight, which is supported by the Essential Eight Maturity Model. The model provides advice on how to implement the Essential Eight in a phased approach. It also assists organisations in self-assessing the maturity of their environment and implementing a resilience improvement program.
Our recommendation for Australia, in relation to Australian cyber security, is to stay strong and stay focused on the Essential Eight and the durability it will bring to our economy. It is one of the most straightforward and achievable strategies available. If cyber resilience remains an ambition for Australia, we have our goal; now we just need to focus on how to make it happen.