Security teams face a number of challenges: the growing extent and complexity of the technology environment that businesses use, the limits of human ability to choose good passwords or avoid clicking on links, the increasing sophistication of attacks and attackers, and the growing body of regulation under which they operate.
As a result of all of these highly fluid factors, the key issue is how your business gets visibility of the risks that it faces:
The internal and external audit functions clearly play a role in this – ensuring that controls are in place, working effectively and that exceptions are being identified and handled.
Getting answers to the question “Where and how bad are my risks?” has never been harder. Audit teams are reliant on IT functions to operate the environment and also provide performance and control/risk data regarding it. There can be a deficit in knowledge and understanding between these two areas.
This post is not about GDPR, however GDPR compliance programmes often faced early challenges of the same magnitude to those that we listed above pertaining to security:
None of these are (or were) trivial to answer. As a result, many businesses embarked on a “Data Discovery” exercise, often under the guidance of their newly appointed Data Protection Officers who, like their colleagues in Audit today, lacked direct management responsibility for the IT networks and systems that held the data.
These data discovery exercises aimed to locate the files, databases, documents and repositories of personal data, and hence the associated risks, vulnerabilities, weaknesses in processes and compliance issues, i.e. they aimed to identify risks in networks and systems that the risk owner needed to be knowledgeable about.
There is little point repeating a data discovery exercise for personal data itself purely for security purposes (yes, it is important for GDPR, but that isn’t the be-all-and-end-all for security). However, if security teams – or auditors – want to know where security risks lie, the same type of process can be applied.
We need to look at sources of information that shine a light on security risks so they can be quantified for the business. Good examples are records of patches that have been applied to systems and their corresponding patch levels, version information etc.
This dataset provides a clear and direct way to understand the points in the network that could be attacked, because known exploits could be used against them. Hence these represent quantifiable points of risk in terms of number, location or sensitivity.
Another example might be the systems that have had recent successful backups (and those that haven’t where failures have occurred). These highlight areas of data integrity or availability risk – from deliberate attacks such as ransomware or insider misuse, as well as accidental threats such as hard drive failures or damaged laptops.
A last example might be the configuration of administrative accounts. Gathering the configuration of admin accounts and the contents of privileged groups will flag process failings in the way higher-level access is granted and managed. It will also indicate whether users that hold them are putting the organisation at risk by using them routinely (instead of just for administrative work), or have them configured with wider powers than they need, so that any changes or attacks using them are more serious and less contained.
The challenge with this sort of data discovery exercise for security vulnerabilities, compliance issues and mis-configurations is that, unlike the personal data discovery exercises that GDPR spawned or financial audits and investigations, the state of the network and the threats affecting it change all the time.
Doing this kind of research as part of a one-off audit gives a useful “point in time” view, but this soon becomes out of date even if the control failures that were identified were subsequently addressed.
Security management is a constant and ongoing process, so the auditing of effectiveness and the measurement of risks must be likewise.
Auditors and compliance teams are increasingly seeking to have a continuously updated picture of risks that doesn’t require a standalone activity and doesn’t depend on seeking ad hoc information from the IT function every time it is necessary to update the risk dashboard that senior managers are provided with.
This means greater automation in the data gathering, analysis and reporting in order to enable security metrics and control effectiveness reports to be generated from performance data gathered directly and automatically from the environment itself.
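The three data sources described above (patch levels, backup success, and privileged account configuration and use) can be turned into the kind of automatically generated metrics this paragraph calls for. The following is an added illustration, not code from the original post or from any product: it runs over constructed inventory, group and logon records, and assumes a naming convention in which separate admin accounts carry an "-adm" suffix and a routine-use threshold of two interactive logons in the reporting period. Both are assumptions chosen for the example, not facts from the page.

```python
"""Constructed example: derive quantified security risk metrics from three
operational datasets (patch status, backup status, admin group membership
plus interactive logon records). All records below are made up."""
from datetime import date, timedelta

AS_OF = date(2024, 2, 1)  # reporting date for the constructed dataset

# Constructed host inventory with patch and backup facts per host.
HOSTS = [
    {"host": "web01", "last_patched": date(2024, 1, 25), "pending_critical": 0,
     "last_good_backup": date(2024, 1, 31)},
    {"host": "db01", "last_patched": date(2023, 11, 2), "pending_critical": 3,
     "last_good_backup": date(2024, 1, 31)},
    {"host": "file01", "last_patched": date(2024, 1, 28), "pending_critical": 0,
     "last_good_backup": date(2024, 1, 12)},
    {"host": "lt-042", "last_patched": date(2024, 1, 29), "pending_critical": 1,
     "last_good_backup": None},  # no successful backup on record
]

# Constructed snapshot of privileged group membership.
ADMIN_GROUPS = {
    "Domain Admins": {"alice-adm", "bob", "svc-backup"},
    "Server Admins": {"alice-adm", "carol-adm"},
}

# Constructed interactive logon records: (account, host, date).
LOGONS = [
    ("bob", "lt-042", date(2024, 1, 15)),
    ("bob", "lt-042", date(2024, 1, 22)),
    ("bob", "lt-042", date(2024, 1, 30)),
    ("alice-adm", "db01", date(2024, 1, 20)),
    ("carol", "lt-007", date(2024, 1, 30)),
]


def patch_exposure(hosts, as_of=AS_OF, max_age_days=30):
    """Hosts with outstanding critical patches or no patching inside the window:
    the points in the network where known exploits could apply."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(h["host"] for h in hosts
                  if h["pending_critical"] > 0 or h["last_patched"] < cutoff)


def backup_exposure(hosts, as_of=AS_OF, max_age_days=7):
    """Hosts with no successful backup inside the window: availability and
    integrity risk from ransomware, insider misuse or hardware failure."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(h["host"] for h in hosts
                  if h["last_good_backup"] is None or h["last_good_backup"] < cutoff)


def admin_account_findings(groups, logons, admin_suffix="-adm", routine_threshold=2):
    """Flag privileged accounts that breach the assumed separate-admin naming
    convention or are logged on interactively often enough to suggest routine
    (non-administrative) use."""
    privileged = set().union(*groups.values())
    findings = []
    for acct in sorted(privileged):
        if not acct.endswith(admin_suffix):
            findings.append((acct, "privileged account outside separate-admin naming policy"))
        interactive = sum(1 for a, _, _ in logons if a == acct)
        if interactive >= routine_threshold:
            findings.append((acct, f"{interactive} interactive logons in period: routine use"))
    return findings


def risk_summary(hosts=HOSTS, groups=ADMIN_GROUPS, logons=LOGONS, as_of=AS_OF):
    """Counts suitable for a continuously refreshed risk dashboard."""
    return {
        "hosts": len(hosts),
        "patch_exposed": len(patch_exposure(hosts, as_of)),
        "backup_exposed": len(backup_exposure(hosts, as_of)),
        "admin_findings": len(admin_account_findings(groups, logons)),
    }


if __name__ == "__main__":
    print("Patch exposure:", patch_exposure(HOSTS))
    print("Backup exposure:", backup_exposure(HOSTS))
    for acct, why in admin_account_findings(ADMIN_GROUPS, LOGONS):
        print(f"Admin finding: {acct}: {why}")
    print("Summary:", risk_summary())
```

Because each function takes its dataset as an argument, the same logic can be re-run on every fresh export rather than once per audit, which is what turns a point-in-time finding into a metric that tracks control effectiveness over time.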
In the current climate, when disruption has become normal and travel and site visits are difficult, the need for flexibility and remote, continuous understanding of security risks has never been more important for auditors and consultants.