The Australian Parliament hack, dubbed Australia’s “first national cyber crisis” by the Australian Signals Directorate, shows us all too clearly the risks associated with a targeted cyber breach. When valuable information is accessed, the damage can be irreversible. This is particularly true for any country’s critical infrastructure sector. The enduring question remains: realistically, what can organisations do to fend off sophisticated, targeted attacks?
In a previous blog, we wrote about the state of security in Australia’s Victorian healthcare organisations after several hospitals were hit by a ransomware attack. That denial of service attack caused important administrative systems to be shut down to prevent the spread of infection (kind of ironic in a healthcare organisation). For these healthcare providers, Victoria’s auditor-general had already assessed their cyber hygiene as poor, reporting: “We found staff user accounts at all audited agencies with weak passwords, which were accessible using basic hacking tools.”
Critical infrastructure organisations provide the services that the country relies on for every aspect of life, such as the supply of food, energy, water, transport, communications, health and finance (including banking). A major attack on any one of these aspects of our national infrastructure would be incredibly disruptive, to the point where it could spark a national crisis. However, the underpinning ICT systems keeping these services operational seem increasingly at risk from the kinds of targeted cyber-attacks that are becoming more prevalent.
Australia’s Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience coordinates sharing of information and encourages cooperation across industry sectors to address the kinds of cyber security threats and business continuity challenges we are now facing from nation states and cybercriminals. The TISN makes a point of referencing cyber security as a major risk and has many publications that explain how cyber risk management and governance, along with technical security controls should be incorporated into resilience strategies.
What we know is that a reasonable proportion of critical infrastructure organisations operate as self-insurers: no third-party insurance cover is funded; instead, they cover liabilities and wear the risks themselves. Most modern insurers include aspects of cyber risk management in their assessments of their clients’ premiums, and in some cases won’t issue cover if there are inadequate security controls in place to defend against attack (or only issue cover at a high premium). Yet critical infrastructure organisations electing to self-insure have no such obligation, since they are choosing to wear the risk themselves. As a result, our most crucial national infrastructure could be less well-protected than many mid-sized businesses, which have to introduce cyber security controls to get the third-party insurance they need.
The Australian Government’s Essential Eight cyber security framework is one of the most effective and practical pieces of advice that any organisation can follow to get started in building cyber resiliency, even if no other security programme or countermeasures are in place.
By implementing just three of these eight controls – patching applications, patching operating systems and using multi-factor authentication – many targeted cyber attacks would be prevented. Victoria’s auditor-general reported that the healthcare organisations it audited, “had weaknesses in aspects of their ICT security. Common weaknesses include inconsistent patching practices, ineffective user access controls and incomplete knowledge of ICT assets.”
Consistent patching is vital to cyber health, as are verified backups and uplifting security awareness (albeit security awareness is not covered in the Essential Eight). Following a cyber incident, organisations will launch a dedicated project to patch their systems and applications and uplift their security posture. Yet ongoing maintenance of their security posture is often lacking, since there is no transition to business-as-usual operations for that new patching approach. Within a few months, things are back to how they were, as more vulnerabilities are discovered in the complex ICT systems they use.
Without doubt, critical infrastructure providers should take the Essential Eight as the goal of a cyber security review and implement the controls as widely as possible to lift their security posture.
Our recommendation is that organisations, even those that self-insure, implement the Essential Eight controls in such a way that is sustainable and continually assessed.
Huntsman Security’s Essential 8 Scorecard allows organisations to report on their security posture through these eight vital security controls. Service management teams can prioritise remediation work when necessary, rather than relying on long-winded projects to discover the vulnerabilities. If the organisation falls behind on its patching or the backups are not working properly, this is flagged to the appropriate management teams on the dashboard and the work can be prioritised.
Essential 8 Scorecard – Operational Dashboard
The scorecard automatically gathers relevant security and compliance data from operational systems and highlights when the status of those systems has changed to reduce the security posture. Each control is monitored in real-time, so as soon as a system becomes non-compliant the relevant management team will know.
Essential 8 Scorecard – Trend Reporting
The Essential 8 Scorecard helps business risk management teams properly understand their liability, especially as self-insurers, and ensure critical infrastructure providers are better placed to mitigate the risks relating to well-funded, sophisticated cyber threat actors.