Security advisory

The recent announcement by the ACSC – Australian Cyber Security Centre (@CyberGovAU) to adopt an enhanced cyber security posture is driving organisations to identify ways to step up their efforts around information security.

Importantly, cyber security isn’t an out-of-the-box quick fix. It’s a strategic priority that needs to be championed at Board level and discussed as part of the overall Risk Management framework.

Establishing the basic standards in cyber security and educating your team are the two strongest first lines of defence. The next step is employing or engaging a team of dedicated resources, supported by a range of technologies, to automate threat detection and prioritise remediation activities for the highest and fastest impact.

And if you haven’t already prioritised protecting your information assets and infrastructure, start today with these 7 key areas for review:

1. Start with the basics – The Essential Eight

The ACSC has provided a set of eight mitigation strategies as the basic standard in cyber security. By implementing these strategies as your baseline, you make it harder for adversaries to compromise your systems. The strategies cover potential exposures across four key areas: targeted cyber intrusions by external adversaries stealing data; ransomware attackers seeking monetary gain or shutting down networks; malicious insiders stealing data and Intellectual Property; and malicious insiders destroying data and shutting down networks.

TIPS:
– Talk to us to see how we can help you to run a security maturity audit to identify any gaps.
– Consider a phased approach to Essential Eight implementation based on the audit results.

2. Understand that cyber risk is business risk

A breach has the potential to derail and expose your business at every level, yet it’s so often forgotten as a business risk in Business Continuity Plans (BCP). Where is your BCP? When was the last time you reviewed and refined it? Does it include an action plan in the event of a cyber-attack or security breach? Do you have a team of Cyber Custodians ready to act? Does everybody know their role in the plan? Have you tested and validated the process?

TIPS:
– Update your Business Continuity Plan.
– Nominate your team of Cyber Custodians and advise them of their roles, test the process, and be ready to execute.

3. Review and understand the threat landscape

The threat landscape is evolving faster than ever before, with ransomware, vulnerabilities, and supply chain attacks the top three cybersecurity threats faced last year. Understanding the trends and risks for your sector and type of business is an imperative part of protecting your organisation. Conversations with cyber professionals and industry peers are a good first step to understanding more, while industry sources such as the ACSC website, ScamWatch and OAIC can help you stay alert to risks on home turf and overseas.

TIPS:
– Focus team efforts on addressing the highest risk threats.
– Implement external detection and controls to mitigate the identified threats.

4. Your first line of protection is your people

It’s easy to forget that the majority of breaches result from poor process and a lack of diligence inside the organisation, with team members (insiders) the easiest target for hackers. From clicking links to dubious websites and unwittingly granting hackers access to their email and systems, to forwarding or downloading attachments carrying malware, human error leaves organisations at risk. With so many remote workers and devices having access to sensitive information about your business, it’s time to identify and address potential points of exposure, find the gaps and remediate.

TIPS:
– Provide organisation-wide training on phishing and physical security.
– Activate scenario-based exercises for your incident response team to ensure readiness.

5. Review external entities interacting with your organisation

While we’re all mindful of hackers and the evolving landscape of external threats, have you considered the threats on your doorstep? How many other independent entities interact with your assets? How many service providers, consultants, contractors and suppliers have you considered in the risk evaluation during the creation of your cyber strategy? What happens in the case of a third-party compromise?

TIPS:
– Complete security-focused due diligence on every supplier and service provider.
– Use Multi-Factor Authentication.
– Restrict user accounts to the least privilege needed on each asset or service.

6. Patches and Passwords

It’s the simple things that can make a difference, and these two are high impact.
Patches – As soon as a security vulnerability is disclosed, adversaries are working to find a way in. Keep systems and technologies up to date, monitor vendor patch releases (or find a provider who offers this as part of their service), and apply patches as quickly as you can. This is a fast and easy way to stop them.
Passwords – How many times have you added a new number onto the same password used across multiple applications? Change default passwords, enforce complex passwords, and use Multi-Factor Authentication tied into a Privileged Access Management methodology to protect your business and its people from unnecessary exposure to risk.

TIPS:
– Implement Multi-Factor Authentication as a standard in your business.
– Use a password generator or Password Manager to create strong, random passwords.

7. Adopt a 360-degree view of your assets and their vulnerabilities

Be aware of and actively manage infrastructure and software assets across your organisation. A good Vulnerability Management program, incorporating a range of technologies, tools and resources, can help you understand where you’re exposed. Combining vulnerability scanning results with the criticality and other attributes of each asset produces a risk score per asset, which enables fast and prioritised remediation recommendations.

TIPS:
– Talk to your IT provider about a comprehensive Vulnerability Management Program to pro-actively identify attack vectors and vulnerabilities and protect the integrity of applications, assets and data.
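The risk-scoring idea in section 7 (scan findings weighted by asset criticality and attributes to rank remediation) is easy to see in a few lines of code. The example below is added here for illustration and is not the advisory’s or any vendor’s tool; the weights, the asset inventory and the finding identifiers (VULN-00x) are all constructed assumptions, not real vulnerabilities or a published scoring standard.

```python
"""Added example: turn raw scanner severity into a prioritised remediation list
by weighting each finding with the affected asset's criticality and exposure.
Weights below are assumptions chosen for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str      # assumed business-impact rating: "high" | "medium" | "low"
    internet_facing: bool  # assumed exposure attribute from the asset inventory


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # placeholder identifiers, not real CVEs
    cvss: float        # base severity 0.0-10.0 as reported by the scanner
    exploit_known: bool  # whether the scanner/threat feed reports a known exploit


# Assumed weighting scheme: criticality scales the score, exposure and known
# exploitation add uplift. Any organisation would tune these to its own risk appetite.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
EXPOSURE_MULTIPLIER = 1.5
EXPLOIT_MULTIPLIER = 1.2


def finding_risk(finding, asset):
    """Risk score for one finding in the context of the asset it affects."""
    score = finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    if finding.exploit_known:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 2)


def asset_risk_scores(assets, findings):
    """Return {asset_name: total_score}, summing the risk of all its findings.
    Findings for assets missing from the inventory are skipped; in practice they
    should be flagged, because an unmanaged asset is itself a gap."""
    by_name = {a.name: a for a in assets}
    totals = {a.name: 0.0 for a in assets}
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            continue
        totals[f.asset] = round(totals[f.asset] + finding_risk(f, asset), 2)
    return totals


def remediation_plan(assets, findings):
    """Findings ordered by risk, highest first; ties broken by CVSS, then by id."""
    by_name = {a.name: a for a in assets}
    ranked = [(finding_risk(f, by_name[f.asset]), f) for f in findings if f.asset in by_name]
    ranked.sort(key=lambda item: (-item[0], -item[1].cvss, item[1].vuln_id))
    return [(f.asset, f.vuln_id, score) for score, f in ranked]


# Constructed sample inventory and scan output (placeholder ids, not real vulnerabilities).
ASSETS = [
    Asset("web-portal", "high", True),
    Asset("hr-db", "high", False),
    Asset("dev-jumpbox", "low", True),
    Asset("print-server", "low", False),
]
FINDINGS = [
    Finding("web-portal", "VULN-001", 7.5, True),
    Finding("hr-db", "VULN-002", 9.8, False),
    Finding("dev-jumpbox", "VULN-003", 9.8, True),
    Finding("print-server", "VULN-004", 9.0, False),
    Finding("web-portal", "VULN-005", 4.3, False),
]

if __name__ == "__main__":
    for asset, vuln, score in remediation_plan(ASSETS, FINDINGS):
        print(f"{score:6.2f}  {asset:<14} {vuln}")
```

The point the ranking makes is the one the section argues: a CVSS 7.5 finding with a known exploit on an internet-facing, high-criticality asset outranks a CVSS 9.0 finding on an isolated print server, so remediation effort goes where the business impact is, not simply where the scanner's number is largest.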

Finally, the balancing act of acquiring, managing and upskilling resources while also managing a suite of technologies to protect your business can often be overwhelming. The right service provider will review what you have and augment it rather than starting afresh. For some organisations, a managed security offering provides the 24x7, on-shore (Australian based) assurance they need.

Knowing how and where to start is often as simple as finding the right partner to kick off a security maturity evaluation. An independent evaluation of your current assets and team capability can provide the insights you need to plan and budget your security scale-up program.

It’s also worth reviewing and updating your Incident Response Plan to cover all potential issues including:
• Data/privacy breach
• Ransomware
• Business email compromise (BEC)
• Denial of service
• Phishing
• Malware
• Supply chain compromise
• Microsoft Office365 Vulnerability

Talk to us for more support or guidance.