There is a lot of discussion about Australian cyber security right now. AustCyber has just released the Australian Digital Trust Report 2020, and the Australian Cyber Security Industry Advisory Panel will shortly hand down its recommendations to Government. That will be followed, very shortly, by the release of the much-anticipated Australian Cyber Security Strategy 2020. For the vast majority of Australian companies, all they want to know is: what does this mean for me, and how can I measure and improve my cyber resilience?
There is no doubt that Australia’s cyber resilience has been found lacking, with evidence to show that there has been little improvement since 2016. Suggestions of industry-based resilience levels and more frameworks and standards have been thrown into the mix; everyone has an opinion and an agenda. The fact of the matter is, Australia already has a cyber security framework, complete with a maturity model, that tells you what good looks like and what your current cyber resilience level is.
The ACSC Essential Eight framework was published in 2017, detailing eight critical security controls (mitigation strategies) that prevent, limit the extent of, and aid recovery from cyber-attacks. The Australian Signals Directorate’s (ASD) own findings show that effective implementation of the eight mitigation strategies provides cyber resilience against 85% of targeted cyber-attacks.
Commonly known as ‘The Essential Eight’, the framework is acknowledged internationally. It is easy to articulate and understand, and it incorporates the key cyber hygiene activities that are globally recognised as the cornerstone of an effective cyber security regime. The ASD considers the Essential Eight to be the most effective cyber resilience ‘baseline’ for all organisations, with Government departments mandated to meet at least the Top 4. So, if Australia’s ‘go to’ strategy is not driving cyber resilience, this begs the question: why not?
According to the ANAO, despite recommendations about the benefits of the Essential Eight framework, the lack of improved cyber resilience in Australian Government departments over the last few years may come down to a lack of enforcement of the controls. If there is no consequence for poor performance, what is the driving force for improvement?
There is little doubt that the Prime Minister’s announcement on 19 June got everyone’s attention: “Australia is under attack”. It was very clear. In Advisory 2020-008, the ASD counselled improved resilience and the use of the Essential Eight, particularly two of the most fundamental controls: patching and multi-factor authentication (MFA).
The goal of achieving resilience through Essential Eight compliance has not changed, but now the magnitude of the clear and present danger of non-compliance has been starkly revealed to all. So the question remains: what can be done to encourage or enforce the effective implementation of the Essential Eight framework? Other economies, such as the US and the UK, are in the midst of establishing accreditation programs to do exactly this for their CMMC and Cyber Essentials initiatives.
Setting aside the obvious introduction of penalties, personal accountabilities or the public humiliation of naming and shaming under-performing entities, what other factors could affect Australia’s ability to improve its cyber resilience?
If you have ever been tasked with the operational management of security controls you will know it is a huge responsibility. Trying to keep on top of a dynamic environment requires skilled resources and plenty of them. The reality is that many organisations have just a handful of IT staff trying their best to manage an overwhelming workload. Can we improve the workflow and efficiencies of some of these workloads? Where do these businesses start on their road to achieving Essential Eight compliance?
Measuring security control implementation takes time, whether you are the operational security team owner or an external auditor. The task is fraught with judgements, inconsistencies and human error, and to top it all, once you have gone to the bother of undertaking all the work, the results may not be representative of the current status. As we said earlier, cyber security operates in a dynamic environment: what was robust yesterday may be compromised today. Entities and auditors need Essential Eight audit solutions that are easily installed and can systematically assess an environment, either at a point in time or continuously.
There is no shortage of consultancy services working hard to support entities everywhere in their pursuit of improved cyber resilience. However, these resources can be costly, and so inaccessible to many companies. The process can also be disruptive and time consuming. Finding a solution, an Essential Eight audit tool, that gives you a quick and easy way to measure your cyber resilience will enable these businesses to quantify their position, create a plan and begin to move forward with confidence.
The COVID-19 pandemic has been a costly journey so far for many of us. Our risk management capabilities have been tested and our resilience is still in question. The insurance industry talks about it as a one-in-100-year event. What have we learned?
We have learned that, while there were contingency plans in place, we overestimated our preparedness and probably our resilience too. It is now clear that significant events like COVID-19 can seriously damage our social fabric and economic infrastructure. Vulnerable to dysfunctional global supply chains and over-reliant on imported goods and services, we have largely done it on our own. With other nations distracted by their own issues, we have managed to sustain the operation of our economy and society with local skills, resources and capabilities, and in any other sort of catastrophe we need to be able to do it again.
Australia has a tried and tested cyber security framework in the ACSC Essential Eight, which is supported by the Essential Eight Maturity Model. The model provides advice on how to implement the Essential Eight in a phased approach. It also assists organisations in self-assessing the maturity of their environment and implementing a resilience improvement program.
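The two ideas above, a phased maturity model used for self-assessment and the earlier point that an assessment must be repeatable at a point in time or continuously because what was robust yesterday may not be today, are easier to see in code. The following is an added example written for this page; it is not the ACSC's tooling, nor an existing product. The structural rules it encodes follow the Essential Eight Maturity Model: each of the eight strategies is scored at Maturity Level 0 to 3, a higher level is only reached when every lower level's requirements also hold, and the organisation's overall level is the lowest level achieved across all eight. The evidence fields (such as `worst_lag_days` or `privileged_mfa_coverage`) and the numeric thresholds are assumptions made for the illustration and are not the ACSC's published criteria; the two snapshots are constructed sample data.

```python
"""Illustrative Essential Eight maturity self-assessment scorer.

Added example, not the page's or the ACSC's own code. Evidence field names and
thresholds below are ASSUMPTIONS for illustration, not the published criteria.
What is faithful to the Maturity Model: levels 0-3, cumulative requirements,
and overall maturity = the lowest level across the eight strategies.
"""
import copy
from typing import Callable, Dict, List, Tuple

Evidence = Dict[str, object]
Ladder = List[Tuple[int, Callable[[Evidence], bool]]]


def _patch_ladder() -> Ladder:
    # Shared shape for the two patching strategies (assumed thresholds).
    return [
        (1, lambda e: e["worst_lag_days"] <= 30),
        (2, lambda e: e["worst_lag_days"] <= 14),
        (3, lambda e: e["worst_lag_days"] <= 2 and e["daily_scan"]),
    ]


# One ladder per strategy: (level, requirement). Level n is reached only when
# its requirement AND every lower level's requirement hold (cumulative).
LADDERS: Dict[str, Ladder] = {
    "application control": [
        (1, lambda e: e["workstations_enforced"]),
        (2, lambda e: e["servers_enforced"]),
        (3, lambda e: e["rules_reviewed_days"] <= 365),
    ],
    "patch applications": _patch_ladder(),
    "configure macros": [
        (1, lambda e: e["internet_macros_blocked"]),
        (2, lambda e: e["unsigned_macros_blocked"]),
        (3, lambda e: e["macro_events_logged"]),
    ],
    "user application hardening": [
        (1, lambda e: e["browser_java_blocked"]),
        (2, lambda e: e["office_child_processes_blocked"]),
        (3, lambda e: e["hardening_events_logged"]),
    ],
    "restrict admin privileges": [
        (1, lambda e: e["admin_accounts_reviewed_days"] <= 365),
        (2, lambda e: e["privileged_no_internet"]),
        (3, lambda e: e["separate_admin_workstations"]),
    ],
    "patch operating systems": _patch_ladder(),
    "multi-factor authentication": [
        (1, lambda e: e["privileged_mfa_coverage"] >= 1.0),
        (2, lambda e: e["remote_access_mfa_coverage"] >= 1.0),
        (3, lambda e: e["phishing_resistant"]),
    ],
    "regular backups": [
        (1, lambda e: e["last_restore_test_days"] <= 90),
        (2, lambda e: e["offline_or_immutable"]),
        (3, lambda e: e["privileged_cannot_delete"]),
    ],
}


def strategy_level(name: str, evidence: Evidence) -> int:
    """Highest level whose requirement and all lower requirements are met."""
    level = 0
    for lvl, requirement in LADDERS[name]:
        if not requirement(evidence):
            break          # a gap at this rung caps the level here
        level = lvl
    return level


def assess(snapshot: Dict[str, Evidence]) -> Tuple[Dict[str, int], int]:
    """Score every strategy; overall maturity is the minimum across the eight."""
    missing = set(LADDERS) - set(snapshot)
    if missing:
        raise ValueError(f"no evidence for: {sorted(missing)}")
    levels = {s: strategy_level(s, snapshot[s]) for s in LADDERS}
    return levels, min(levels.values())


def weakest(levels: Dict[str, int]) -> List[str]:
    """Strategies holding the overall level down (where to spend effort first)."""
    floor = min(levels.values())
    return sorted(s for s, lvl in levels.items() if lvl == floor)


def regressions(before: Dict[str, Evidence], after: Dict[str, Evidence]) -> List[Tuple[str, int, int]]:
    """Strategies whose level dropped between two assessments (continuous view)."""
    old, _ = assess(before)
    new, _ = assess(after)
    return [(s, old[s], new[s]) for s in LADDERS if new[s] < old[s]]


# Constructed sample data: a snapshot that sits at Maturity Level 2 throughout.
YESTERDAY: Dict[str, Evidence] = {
    "application control": {"workstations_enforced": True, "servers_enforced": True, "rules_reviewed_days": 400},
    "patch applications": {"worst_lag_days": 10, "daily_scan": False},
    "configure macros": {"internet_macros_blocked": True, "unsigned_macros_blocked": True, "macro_events_logged": False},
    "user application hardening": {"browser_java_blocked": True, "office_child_processes_blocked": True, "hardening_events_logged": False},
    "restrict admin privileges": {"admin_accounts_reviewed_days": 200, "privileged_no_internet": True, "separate_admin_workstations": False},
    "patch operating systems": {"worst_lag_days": 7, "daily_scan": True},
    "multi-factor authentication": {"privileged_mfa_coverage": 1.0, "remote_access_mfa_coverage": 1.0, "phishing_resistant": False},
    "regular backups": {"last_restore_test_days": 30, "offline_or_immutable": True, "privileged_cannot_delete": False},
}
# The same estate a day later: one new privileged account without MFA, and a
# patch cycle that slipped. Overall maturity falls from 2 to 0.
TODAY = copy.deepcopy(YESTERDAY)
TODAY["patch applications"]["worst_lag_days"] = 16
TODAY["multi-factor authentication"]["privileged_mfa_coverage"] = 0.95

if __name__ == "__main__":
    for label, snap in (("yesterday", YESTERDAY), ("today", TODAY)):
        levels, overall = assess(snap)
        print(f"{label}: overall ML{overall}, weakest: {weakest(levels)}")
    print("regressions:", regressions(YESTERDAY, TODAY))
```

The point the example makes is that a single unmanaged privileged account drops the whole organisation's overall maturity to Level 0, regardless of how well the other seven strategies are doing, which is exactly why a point-in-time audit result goes stale and why the weakest strategy, not the average, is the number to track.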
Our recommendation for Australia, in relation to Australian cyber security, is to stay strong and stay focused on the Essential Eight and the durability it will bring to our economy. It is one of the most straightforward and achievable strategies available. If cyber resilience remains an ambition for Australia, we have our goal; now we just need to focus on how to make it happen.