Too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps.
Geoff Summerhayes, APRA Executive Board Member
The Australian Prudential Regulation Authority (APRA) has announced its intention to tighten its grip on cyber governance as part of its newly released Cyber Security Strategy for 2020 to 2024. The financial regulator plans to elevate the importance of good cyber hygiene and board accountability for cyber exposure by, if necessary, formally enforcing adherence for those organisations that don’t meet the new requirements.
Eighteen months ago, APRA released a cyber security standard, CPS 234. Yet, as stated in a recent speech, while APRA directly supervises 680 organisations, there is a broader community of up to 17,000 interconnected entities in the APRA ecosystem that will be affected by the changed requirements.
It is increasingly important for a regulator to set the tone for security-related compliance standards and oversight, which is why APRA’s lead matters. The new strategy lists APRA’s three new primary areas of strategic focus in its ambition to “…make a step change in Australia’s financial system cyber resilience.”
APRA’s three strategic focus areas are baseline controls, board and executive oversight, and third-party (supply chain) security:
Establishing a baseline of foundational controls is key to effective cyber security. APRA’s stance is that these baseline controls are non-negotiable. By improving cyber hygiene through increased monitoring of controls, APRA hopes to eliminate careless and unnecessary cyber exposure for organisations.
Board and executive-level oversight compels those in charge of financial institutions to oversee, and take accountability for, the overall cyber resilience and risk mitigation within their organisations. APRA promises to enable this by formulating what it calls “sound practice guidance” and by ensuring greater oversight of those accountable for implementing the new requirements.
Anyone in cyber security knows how important, yet challenging, third-party or supply chain security is; it is the third area of strategic focus. Even if a business has vastly improved its own cyber resilience, financial services organisations, like any other sector, exist within a network of suppliers, partners and subcontractors, all of whom can share and process information, or store and transmit customer data. Initiatives like open banking and the high levels of digitalisation in the sector have added to these risks. APRA acknowledges that this is not the easiest requirement to meet, so it will develop, in consultation with suppliers and regulators, a set of third-party assessment criteria and information assurance practices that entities can use to govern their supply chains.
APRA’s push to establish a set of baseline controls is an important one. Its focus on enabling this sort of change is crucial to the success of its ambitious plans to strengthen the cyber posture of its market sector. Cyber security is not a set-and-forget problem. The threat landscape continues to evolve, so sharing information learned from regular security control assessments will help to ensure the efficacy of any prudential framework for cyber security.
The simple decision to benchmark cyber security controls immediately establishes a systematic process and drives security posture improvement for any organisation. Controls, however, like the mechanics of a car, need maintenance; without proper care and attention they become less effective and can even fail.
The Australian Cyber Security Centre’s Essential Eight, for example, is one such security framework; it sets out the guidelines for security baselining of Australian Government entities. The Essential Eight is regularly revised and updated to maintain its efficacy against changing cyber vulnerabilities. One control in the framework is that organisations implement application patching (application control is a separate Essential Eight control). At its most basic, this means they must patch all applications used by their business. Once the control is implemented and all applications are patched, the business is compliant with that control.
As time passes, new applications are implemented and new hardware and peripherals are installed, which can reduce the level of patch efficacy. The problem is that this constant requirement is hard to stay on top of, and as a result your cyber resilience is continuously diminished. Security, risk and executive teams need to be aware of this and find new ways to manage the risk.
You may choose to regularly compare current control performance levels against an original baseline measurement to determine any changes over time. These changes can then be used to inform periodic management decisions or, for more mature organisations, become part of a broader security improvement program.
In some cases, monitoring may be procedural (manual), where an auditor checks compliance once a quarter, or even more frequently. In other cases, such as with the Essential Eight controls, it may be possible to implement a technical solution that monitors security control implementations for any gaps and highlights any shortfalls. With reports that clearly identify current maturity level measurement for each of the security controls, both operational and senior executives (internal auditors and board members) can have clear visibility of the cyber security exposure and any corrective action that is necessary.
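The baseline comparison and gap reporting described above, as an added example that is not part of the original article or any Huntsman product: it rates a constructed application inventory against an assumed patching window and maturity thresholds (not the ACSC’s own numbers), compares the current state with a baseline snapshot, and produces both a technical gap list and a one-line board summary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    days_since_patch_available: int  # age of the oldest missing patch; 0 = fully patched

# Assumed thresholds for illustration only, not the ACSC's maturity model:
# an app is "in window" if no missing patch is older than PATCH_WINDOW_DAYS,
# and the control's maturity level depends on the fraction of apps in window.
PATCH_WINDOW_DAYS = 14
LEVEL_THRESHOLDS = ((3, 1.0), (2, 0.9), (1, 0.7))  # (level, minimum coverage)

def coverage(apps):
    """Fraction of applications whose missing patches are all inside the window."""
    if not apps:
        return 0.0
    in_window = sum(1 for a in apps if a.days_since_patch_available <= PATCH_WINDOW_DAYS)
    return in_window / len(apps)

def maturity_level(apps):
    """Map coverage onto an assumed 0-3 maturity scale."""
    cov = coverage(apps)
    for level, minimum in LEVEL_THRESHOLDS:
        if cov >= minimum:
            return level
    return 0

def drift_report(baseline, current):
    """Compare the current inventory with the baseline snapshot."""
    base_lvl, cur_lvl = maturity_level(baseline), maturity_level(current)
    gaps = sorted(a.name for a in current if a.days_since_patch_available > PATCH_WINDOW_DAYS)
    new_apps = sorted({a.name for a in current} - {a.name for a in baseline})
    return {
        "baseline_level": base_lvl,
        "current_level": cur_lvl,
        "drift": cur_lvl - base_lvl,                # negative = control has decayed
        "unpatched": gaps,                          # detail for the security team
        "new_since_baseline": new_apps,             # apps never brought into the cycle
        "board_summary": (f"Application patching: maturity level {cur_lvl} "
                          f"(baseline {base_lvl}); {len(gaps)} of {len(current)} "
                          f"applications outside the {PATCH_WINDOW_DAYS}-day window"),
    }

# Constructed sample inventories (not real data): a new video-conferencing
# app was installed after the baseline and never entered the patch cycle.
BASELINE = [App("browser", 0), App("office-suite", 3), App("pdf-reader", 0)]
CURRENT = [App("browser", 2), App("office-suite", 40), App("pdf-reader", 0), App("video-conf", 60)]

if __name__ == "__main__":
    print(drift_report(BASELINE, CURRENT))
```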
Depending on the nature of the business and its assessed level of cyber risk, some operational or senior executive team members may determine that the organisation should monitor the state of its security controls continuously. This could be through an abundance of caution or, more likely, because the assessed outcome of a successful cyber attack was so costly that the ability to detect and immediately respond to a cyber hygiene issue was seen as paramount. This may well be the case for large financial institutions.
Huntsman Security’s Essential 8 Scorecard (see Figure 1) can quickly identify gaps in implementation and compliance with each of the ACSC’s controls, highlighting the technical issues to security management teams while summarising the overall state of cyber compliance for the board. It is vitally important that the same information is presented in different ways to different audiences, so the board-level view of the security posture is based on real metrics gathered from running systems.
APRA concludes: “By sharing information and expertise, pooling resources and taking prompt action to plug gaps and fix weak links, we create a community of cyber defenders that is greater than the sum of its parts.” In doing this, APRA believes its members will build resilience across the whole of the financial ecosystem. If they can get the right blend of shared expertise, coupled with consistent processes and well-implemented technical solutions, this future state is achievable.
For more information on how Huntsman Security’s Essential 8 products can help financial services organisations enhance their cyber hygiene, improve their security posture and deliver control back to the board, contact our team.