The new Australian Cyber Security Strategy 2020 lays down some interesting plans for the coming years relating to how the Federal Government will enhance its own cyber capability, while introducing legislation that affects all companies.
The government commits to spending $1.67 billion over the next 10 years, which includes improvements in the defences of critical infrastructure, based on a set of obligations to be imposed on owners and operators. The majority of the government’s investment will bolster the cyber resources in the Australian Cyber Security Centre (ACSC), with additional staff to be hired in the Australian Federal Police, the Australian Signals Directorate and a strengthening of the capabilities at each of the Joint Cyber Security Centres (JCSCs).
New powers will also be introduced through legislative changes, giving law enforcement new ways to investigate and disrupt cybercrime, including ways of tackling encrypted network services such as those that make up the infrastructure the dark web runs on (for example, Tor).
The Australian Government has made it clear that its investment is inwardly focused, while businesses will be expected to pick up the tab for meeting new legislation that requires them to embed adequate security in products and services. This approach will certainly lead to a new focus on cyber security controls within organisations, especially where they operate in the context of critical infrastructure and systems of national significance.
The strategy document itself does not define ‘systems of national significance’; the consultation paper published shortly after the strategy details the extent of the anticipated legislation changes. Even the definition of critical infrastructure may come as a surprise to some vendors and service providers. Protecting Critical Infrastructure and Systems of National Significance (published in August 2020) labels the following sectors as Critical Infrastructure: banking and finance, communications, data and cloud, defence industry, education, research & innovation, energy, food and grocery, health, space, transport, water.
Critical Infrastructure sectors as defined in the Australian Cyber Security Strategy 2020
Clearly the consultation paper is the beginning of this process and the legislative changes may be some way off, so organisations have time to prepare to meet these new obligations when the laws come into effect. It’s time to prioritise cyber security as a core tenet of doing business, whether as an owner or operator of critical infrastructure, or as a vendor or service provider working in that sector. Security now needs to be considered in every aspect of your business, both within your organisation itself and within the products and services supplied to customers. Even if your organisation is not directly working in Critical Infrastructure, if you are somewhere in the supply chain you may fall under the new legislation, so it’s worth planning to uplift your cyber security to meet these new demands.
For businesses outside Critical Infrastructure, the government expects manufacturers and suppliers of consumer connected devices to adhere to its voluntary Code of Practice: Securing the Internet of Things for Consumers, which sets out 13 principles that manufacturers should adopt in the design and production of their goods and services.
If adoption of this voluntary Code of Practice isn’t as widespread as the government hopes then, as the strategy states:
If voluntary advice and guidance like the Code of Practice is not enough to drive change, then additional steps may need to be considered.
This means that if the economy as a whole does not step up and start taking cyber security seriously, harsher legislative changes may force organisations, rather than encourage them, to build security into their products and services.
Introducing rigour in cyber security, especially if it’s not something your organisation has considered before, can be daunting. To assist organisations, the ACSC has released guidance aimed at helping to improve cyber security posture through the introduction of eight relatively straightforward technical controls. This guidance is known as the Essential Eight: Strategies to Mitigate Cyber Security Incidents and offers a prioritised list of security controls that help protect against a broad range of cyberattacks.
Each of these controls (shown in Figure 1) can be customised to fit in with your specific risk profile, and implementation can be tailored based on protecting your most valuable systems and data.
Figure 1 Eight simple controls organisations can adopt to boost their security posture
One of the most common issues organisations face when first adopting the Essential Eight surfaces about twelve months after the implementation project completes: controls that were effective on the day of the audit have silently degraded, and nobody notices until the next review. When adopting any compliance framework, the controls should be reviewed periodically to confirm that they remain effective.
Unlike process assurance such as that under the ISO 9001 standard for quality management, technical security controls can quickly be rendered ineffective by changes to the technical components within your organisation, or by vulnerabilities that your technical support team has not yet discovered.
Huntsman Security encountered this issue when working with government customers trying to develop cyber maturity against the Essential Eight. In response to this, two products were created to provide real-time Essential Eight compliance measurement (no more waiting for the annual audit to show a weakness) – the Essential 8 Scorecard and Essential 8 Auditor.
The Essential 8 Scorecard enables vendors and service providers to continuously measure security control efficacy. The product provides an objective, ongoing, quantitative measure of security control performance, which means that security managers and IT support teams can quickly detect and respond to issues adversely affecting their security posture.
The Essential 8 Auditor offers an immediate, point-in-time assessment of security control effectiveness against the Essential Eight, with the added bonus that it does not need to be deployed into your environment: it extracts the evidence needed for the audit and exports the results for remote analysis.
The Essential 8 Auditor’s Security Control Performance Summary is shown in Figure 2.
Figure 2 Essential 8 Auditor – Dashboard showing Security Control Performance Summary
The Australian Government’s Cyber Security Strategy 2020 poses a number of questions that remain unanswered. However, one thing is clear, the Government intends to spend a large sum of money on itself, while reforms within our legislative framework will require businesses to uplift their security posture and bolster the cyber security controls built into their products and services.
Changes are coming; our recommendation is that you get ahead of the game by planning and investing in building a security roadmap that helps you comply with legislation when it is enforced.