Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the Australian Information Commissioner, for the 6-month period from January to June 2023, a significant 70% of sources of data breaches were from malicious or criminal attacks.
Cyber incident breaches from external threats, and human error sources, combine to present a daunting prospect for organisations when it comes to cyber risk mitigation efforts. That’s why the ability to automatically measure your controls is vital to internal assessment.
The reality of malicious attacks is one part of the reason why quantitative reporting, rather than self-assessment-based reporting, is so important for organisations reporting on the health of their cyber security posture. Cyber security controls will obviously assist in pre-emptively limiting the likelihood of a breach; but how will you know when gaps in those controls appear, exposing your systems to the risk of attack? That is where quantitative, data-driven scoring assists, by providing an objective and relative measure of the scale of the risk. Changes in qualitative measurement, particularly small ones, can be difficult to discern, whereas objective measurement, when based on verifiable data, reflects any relative change in performance over time. Measuring the cyber security and cyber maturity of your organisation is no different.
As we support our clients to manage their risks and controls, we also improve the quality of the information necessary for insurance underwriters to more accurately price risk. This means the best possible insurance renewal terms for an organisation, with underwriters increasingly equipped with a simple report that verifies client statements about their cyber controls and posture.
The reality is that human nature influences qualitative assessments, making them subjective and often unreliable. Alternatively, security controls that are systematically measured against a relevant benchmark enable your SOC or ICT team to know where to start their mitigation efforts, and your prospective insurer to be better informed about the risk they are being asked to take on.
The Australian Government’s Australian Cyber Security Centre (ACSC) established a framework of mitigation strategies, the Essential Eight, to make it harder for attackers to gain access to your IT assets and systems; the framework incorporates a quantitative benchmark for measurement. The key to mitigation of cyber risks, whether from human error or external breaches, still lies in detecting whether your cyber risk controls are correctly implemented and in demonstrable, ongoing measurement that shows your current posture.
The UK Government’s National Cyber Security Centre provides similar guidance for both public and private sector organisations looking to protect themselves from malware and ransomware attack. The Mitigating malware and ransomware attacks guidance provides advice on the appropriate security controls to limit the:
Prevention, containment and recovery mitigation strategies are universal themes.
As ransomware and cyber risk increase, organisations are encountering a longer insurance renewal lifecycle and the need to demonstrate better management of security controls and their effectiveness. The upside is that by better managing your security controls, you can better influence the price of risk and the cost of your premiums.
The insurance industry is looking closely at ways to improve the quality of the security risk information it receives. Improved risk information means better pricing of risk, and proven applications like Huntsman Security’s Essential 8 Auditor or SmartCheck measure and verify an organisation’s cyber security posture and provide:
1. On-demand cyber security maturity rating, measured against the ACSC Essential Eight framework or NCSC and NIST guidance for malware and ransomware mitigation. Whether you review your cyber risk weekly, monthly, or quarterly, you should have access to a quantitative number that gives you a score and maturity rating across each of the prevention, containment and recovery safeguards.
2. Data-driven reporting and analysis. Quantitative analysis and reporting is the most accurate way of measuring compliance. Data-driven reports provide certainty and allow your organisation to confidently use the results as a measure of performance in the official attestation of your cyber security assessment.
3. Benchmarks for security improvement and a roadmap to remediate gaps. Automatic identification and classification of each security issue found should be something your SOC or ICT teams have access to. An actionable report will support remediation and the re-run of your maturity assessment as part of any uplift effort. These reports then form the basis of your own cyber maturity journey, and are a useful aide-mémoire for attestation of your internal cyber risk management activities.
The World Economic Forum published recommendations and considerations for boards to follow, in their publication: Principles for Board Governance of Cyber Risk.
Principle 2.2 encourages boards and leadership to continually examine comparative measurements and metrics for cyber risk. The paper states: “Industry-accepted frameworks and reporting can guide data-driven decisions, aligning risk appetite with organizational goals and strategy.”
Cyber risks can change overnight, with new external threats emerging or simply through new connections, devices, staff and systems. Organisations need visibility of those changes for ongoing risk awareness and mitigation, and at insurance renewal time that visibility is an important validation of their cyber risk management efforts.
Talk to your broker today about starting the preliminary stage of your cyber insurance renewal process, and build more confidence in your cyber risk management by using risk-based measurement to improve the process now and into the future.