Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Cyber security visibility, assurance and audit has never been more important – a perfect storm of increased risk and hampered delivery are weighing heavily on security audit teams.
At the time of writing the global pandemic seems far from over. US cases are still stubbornly increasing – with various states either returning to lockdown, mandating masks and/or putting a hold on the opening of schools. In the UK, the number of daily cases is now creeping back up following the easing of lockdown; the hope is that this is down to the identification of localised clusters and increased testing, but it is too early to say. Various parts of Europe are dealing with resurgences and Australia, seemingly out of the woods having fared the initial coronavirus wave well, is having to contend with an increase in cases and quarantines between states.
Despite this, in many businesses, operations are returning to normality, or a semblance of normality, with people coming off furlough schemes and returning to work – trying to pick up where they left off.
No one really knows how things will pan out and what kind of “normal” businesses will return to. So, it is worth considering some of the changes and the effects they might have on the security audit and assurance processes that apply within businesses and out into supply chains.
While this transition happens, regulators are going through the same processes, resuming their previous operational levels around enforcement; data is still being handled by businesses, consumers still have expectations around security and privacy of information and laws such as GDPR still apply. A lack of regulatory attention or increased leniency during the pandemic will not last for ever. And the cyber risks, which have increased, will not go away. See https://www.cisa.gov/news/2020/04/08/uk-and-us-security-agencies-issue-covid-19-cyber-threat-update.
So what are the current and future challenges?
It seems likely that there will be a continuance of the rise in home working. Having been forced to “make this work” during the lockdowns, there are now whole departments and operations that once occupied valuable office space that no longer need to.
Home working has a number of implications for security assurance and security audit teams. For one thing it means users are in locations where there is less control over IT, printed output, and shared access to computer systems. For security teams and information security managers, it also means they aren’t in a location where security audits or reviews can be easily conducted. Records of control operations, copies of access requests, and the ability for site inspections and audits are all significantly curtailed. This is likely to be the case for a sustained period, longer than any lockdown restrictions.
Even technical processes like network scans or vulnerability assessments might be impossible to conduct through external connections and VPNs, because done remotely they have to pass by network gateways that obstruct them and mask the results they provide.
Conducting meetings by video conferencing is now firmly established. Where once it was used only where face-to-face sessions were impossible, it is now widely accepted as the default for meetings.
This affects the way that meetings and interviews are conducted as part of security reviews and audits. In some ways, there is less personal contact with the loss of an actual, physical meeting. But the logistical time and travel costs of moving to this new way of working may mean that more “visits” and interviews and meetings to discuss security across diverse sites are possible.
People who spent (lost) a lot of time travelling or who didn’t have video conferencing facilities have been forced to adapt their own approaches in recent months.
The reduction in travel, both domestically and internationally, as lock-down affects nations and prevents flying and crossing borders, has a number of implications. On the positive side, the wider adoption of working from home and video conferences should enable more in the way of security assessments to be undertaken more cheaply and with much simpler logistical planning. No need to arrange flights, hotels and travel connections for a half day meeting – now the norm would be a call or video conference.
This is particularly beneficial where there are a large number of security audits, meetings or assessments to conduct – for example in the ever-complex discipline of supply chain risk or third-party due diligence. Even a modest company can have a hundred or more suppliers. Conducting face-to-face security audits across a portfolio of companies was always a challenge.
However, the restrictions on travel makes anything “hands on” much harder: inspecting records, examining the configuration of systems, seeing the operational processes first-hand – all difficult when you can’t go and visit a site.
Luckily technology is available that fills in this particular blank. One of the areas that has seen advances in the use of automation is the provision of remotely generated audit case files data and evidence for central inspection, analysis and reporting.
Essential 8 Auditor – Application Control Maturity Summary screen
This kind of technology allows the generation of direct audit outputs and security control effectiveness assurance in a way that would previously have needed a person to visit a site and manually examine the configuration of the security settings.
The trend towards the adoption of the cloud has continued to accelerate, and the pandemic has given it new impetus. The perceived security issues of taking servers and applications out of a “secure” office or data centre and moving them to the cloud were based on the fact that having direct control meant you could administer and secure them more easily. However, when it is difficult or impossible to get into office locations (and hence everything has to be done remotely) and all the users are in different places, rather than being in the same building (and hence are accessing all the platforms remotely anyway) the attraction of cloud is immense; no heating, light, rent, space charges – and wider access and utility pricing models.
This will mean that companies that have not yet fully refined their cloud security provisions and approaches, and the associated assurance and audit mechanisms, will have to elevate their capabilities in this space. It might mean they are simply catching up with more progressive businesses – but irrespective of this, the changes brought about by the pandemic mean this is no longer a choice, it is an imperative.
The final areas where we see change are almost a result of the other effects that we’ve described above. In the past, audit programmes were constrained by logistics and so would operate on a schedule, typically annually or perhaps quarterly, as that was (a) sufficient and (b) manageable.
However, with increased levels of cyber risk arising from the revisions to business ways of working and the growth of approaches that enable more automated and less hands-on assessments, we have seen a move to augment point-in-time assessments to a more continuous model.
This recognises that a security issue may not need to persist for long to be discovered and used in an attack. Operating in a dynamic environment means that within a matter of days after an annual audit the configuration of systems, controls, accounts and the application of patches can be compromised. Having ongoing visibility not only eases the annual audit burden as data is automatically available continuously, but it also means that control failures can be picked up and resolved more quickly, and in an ongoing manner.
Essential 8 Scorecard – Security Control Performance trend report
The pandemic and associated disruption for businesses may be waning, but the changes to security operations and audit are longer lasting. The good news is that many of these changes are positive and, having been driven by an external factor and the compelling event of covid-19, the delivery of security, and the oversight of it, can move into a new, more flexible, trustworthy, automated and effective phase.
Enterprises looking at their own cyber risk, and that of their supply chains, will benefit from these improvements in risk management.
The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]Read more
<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]Read more
Keen campers, scouts and even the Swiss Army know – that a good penknife is indispensable. This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the […]Read more
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise; because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations […]Read more
It took a “tripartite cyber assessment” by the Australian Prudential Regulation Authority (APRA) to identify that a sample of financial organisations had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate 3rd party risk assessment. Why were there gaps? Where is the failure? Clearly the common practice of unsubstantiated […]Read more
The discussion over data-driven vs qualitative cyber security assessment has been going for some time. Nowadays, it is at the top of the priority list for many security and senior executive teams. Managing cyber security has always been a noble ambition but without reliable measurement, the lack of actionable information makes evidence-based management decisions almost […]Read more
Attack Surface Management (ASM) characterises a business’s security risks as the monitoring and risk mitigation of a constantly changing and vulnerable “risk-surface”. Importantly, this attack surface extends to both internal and external assets and services. Some ASM solutions deliver clear visibility across both Internet facing and internal assets. Others do not. Instead, they assess external […]Read more
The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations. It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts. The full report […]Read more
Solving the mismatch between cyber security reporting and directors’ requirements You are undoubtedly familiar with the headlines; you may have even become in part desensitised to them: ‘Cyber-attacks are increasingly damaging’, or ‘large amounts of personal data are most at risk’. The important take-away, however, is that modern day thieves can easily gain access to […]Read more
A system to address the untrustworthy security environment Zero trust approaches to security have been talked about for a while; but in recent times they have certainly gained more currency. As a model for protecting data and services, the simplicity of the concept is its biggest strength – assume, as a default position, there is […]Read more
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.