Eight ways to get started on cyber strategy

It’s never too late to step up your efforts around cybersecurity. It is time to start the conversation – to escalate or re-invigorate. Now is the time to adopt an enhanced cyber security posture. We’ve got 8 tips to get you started. Talk to us for advice and support.

Another signal to get started on cyber strategy

Another breach, another day: Australian consumers are exposed as the result of a ransomware attack. Public and private sector businesses have been warned by the ACSC – Australian Cyber Security Centre (@CyberGovAU) – to adopt an enhanced cyber security posture.

And as if we needed another reminder to establish at least the basic standards for all organisations, and defence-level protection for publicly listed companies and local and federal government entities, this week has already seen another handful of known cyber attacks, and no doubt a raft of others flying under the radar.

It’s never too late to step up your efforts around cybersecurity

Importantly, cyber security isn’t an out-of-the-box quick fix. It’s a strategic priority that needs to be championed at Board level and discussed as part of the overall Risk Management framework. Start the conversation today.

Establishing the basic standards in cyber security and educating your team are the two strongest first lines of defence. The next step is employing or engaging a team of dedicated resources, and a variety of technology, to automate threat detection and prioritise remediation activities for the highest and fastest impact.

And if you haven’t already prioritised protecting your information assets and infrastructure, start today with these 8 key areas for review:

Number 1

Start with the basics – The Essential Eight

The ACSC has provided a set of eight mitigation strategies as the basic standard in cyber security. By implementing these standards as your baseline, you make it harder for adversaries to compromise your systems.

The strategies provided cover potential exposures across four key areas: targeted cyber intrusions by external adversaries stealing data; ransomware attackers seeking monetary gain or shutting down networks; malicious insiders stealing data and Intellectual Property; and malicious insiders destroying data and shutting down networks.

Tips
  • Talk to us to see how we can help you to run a security maturity audit to identify any gaps.
  • Consider a phased approach to Essential Eight implementation based on the audit results.
Number 2

Understand that cyber risk is business risk

A breach has the potential to derail and expose your organisation at every level, yet it’s so often forgotten as a business risk in Business Continuity Plans (BCP).

  • Where is your BCP?
  • When was the last time you reviewed and refined it?
  • Does it include an action plan in the event of cyber-attack or security breach?
  • Do you have a team of Cyber Custodians ready to act?
  • Does everybody know their role in the plan?
  • Have you tested and validated the process?
Tips
  • Update your Business Continuity Plan.
  • Nominate and advise your team of Cyber Custodians, test the process and be ready to execute.
Number 3

Review and understand the threat landscape

The threat landscape is evolving faster than ever before, with the top three cybersecurity threats faced last year being ransomware, vulnerabilities, and supply chain attacks. Understanding the trends and risks for your sector and type of business is an imperative part of protecting your organisation.

Conversations with cyber professionals and industry peers are a good first step to understanding more, while industry sources such as the ACSC website, ScamWatch and the OAIC can help you stay alert to risks on home turf and overseas.

Tips
  • Focus team efforts on addressing the highest risk threats.
  • Implement external detection and controls to mitigate the identified threats.
Number 4

Your first line of protection is your people

It’s easy to forget that the majority of breaches result from poor process and lapses in diligence inside the organisation, with team members (insiders) the easiest target for hackers.

From clicking links to dubious websites and unwittingly granting hackers access to their email and systems, to forwarding or downloading attachments carrying malware, human error leaves organisations at risk.

With so many remote workers and devices with access to sensitive information about your business, it’s time to identify and address potential exposure sites, find the gaps and remediate.

Tips
  • Provide organisation-wide training on phishing and physical security.
  • Activate scenario-based exercises for your incident response team to ensure readiness.
Number 5

Review external entities interacting with your organisation

While we’re all mindful of hackers and the evolving landscape of external threats, have you considered the threats on your doorstep? How many other independent entities interact with your assets? How many service providers, consultants, contractors and suppliers have you considered in the risk evaluation during the creation of your cyber strategy? What happens in the case of a third-party compromise?

Tips
  • Complete security-focused due diligence on every supplier and service provider.
  • Use Multi-Factor Authentication.
  • Restrict user accounts to least privilege on each asset or service.
Number 6

Patches and Passwords

It’s the simple things that can make a difference – and these two are high impact.

Patches – As soon as a security vulnerability is exposed, adversaries are working to find a way in. Keep systems and technologies up to date, monitor vendor patch releases (or find a provider who offers this as part of their service), and apply them as quickly as you can. This is a fast and easy way to stop them.

Passwords – How many times have you added a new number onto the same password used across multiple applications? Change default passwords, enforce complex passwords and use Multi-Factor Authentication tied into a Privileged Access Management methodology to protect your business and its people from unnecessary exposure to risk.

Tips
  • Implement Multi-Factor Authentication as a standard in your business.
  • Use a password generator or Password Manager to create strong, random passwords.
Number 7

Adopt a 360-degree view of your assets and their vulnerabilities

Be aware of and actively manage infrastructure and software assets across your organisation.

A good Vulnerability Management program, incorporating a range of technologies, tools and resources, can help you understand where you’re exposed. Combining vulnerability scanning results with the criticality and attributes of each asset enables fast, prioritised remediation recommendations through a risk score assigned to each asset.
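As an added illustration of the prioritisation step described above (not code from the article or from any particular vulnerability management product), the following Python script combines constructed scanner findings with a constructed asset inventory to produce a ranked remediation list. The scoring weights, the asset attributes (criticality, internet-facing, holds personal data) and the finding identifiers are all assumptions chosen for the example; the point it shows is that the same critical finding can sit at the top or the bottom of the list depending on the asset it lives on.

```python
"""Added example: ranking assets for remediation by combining scan findings
with asset criticality and exposure attributes.

All data and weights below are constructed for illustration; they are not a
vendor's or the ACSC's scoring scheme.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewels),
# plus attributes that raise exposure (internet-facing, holds personal data).
ASSETS: Dict[str, dict] = {
    "web-portal-01": {"criticality": 5, "internet_facing": True, "holds_pii": True},
    "hr-db-02": {"criticality": 4, "internet_facing": False, "holds_pii": True},
    "dev-jump-03": {"criticality": 2, "internet_facing": True, "holds_pii": False},
    "print-srv-04": {"criticality": 1, "internet_facing": False, "holds_pii": False},
}

# Constructed scan findings, as a scanner export might list them:
# (asset, finding id, CVSS-style base score 0-10, public exploit known?)
FINDINGS: List[Tuple[str, str, float, bool]] = [
    ("web-portal-01", "FINDING-A", 9.8, True),
    ("web-portal-01", "FINDING-B", 5.3, False),
    ("hr-db-02", "FINDING-C", 7.5, False),
    ("dev-jump-03", "FINDING-D", 9.8, True),
    ("dev-jump-03", "FINDING-E", 4.0, False),
    ("print-srv-04", "FINDING-F", 9.8, True),
]


@dataclass
class AssetRisk:
    name: str
    score: float = 0.0
    findings: List[str] = field(default_factory=list)


def finding_weight(cvss: float, exploit_known: bool) -> float:
    """Severity of one finding; a known public exploit makes it more urgent
    than the base score alone implies (1.5x is an assumed weight)."""
    return cvss * (1.5 if exploit_known else 1.0)


def exposure_multiplier(attrs: dict) -> float:
    """Scale factor from asset attributes: criticality, then doubled if
    internet-facing and x1.5 if it holds personal data (assumed weights)."""
    mult = float(attrs["criticality"])
    if attrs["internet_facing"]:
        mult *= 2.0
    if attrs["holds_pii"]:
        mult *= 1.5
    return mult


def score_assets(assets: Dict[str, dict], findings: list) -> List[AssetRisk]:
    """Sum weighted findings per asset, scale by exposure, rank highest first."""
    risks = {name: AssetRisk(name) for name in assets}
    for asset, finding_id, cvss, exploit_known in findings:
        if asset not in risks:
            # A finding on an asset missing from inventory is itself a gap
            # worth reporting separately; it is skipped here.
            continue
        risks[asset].findings.append(finding_id)
        risks[asset].score += finding_weight(cvss, exploit_known) * exposure_multiplier(assets[asset])
    return sorted(risks.values(), key=lambda r: r.score, reverse=True)


def remediation_order(assets: Dict[str, dict], findings: list) -> List[str]:
    """Asset names in the order remediation effort should be applied."""
    return [r.name for r in score_assets(assets, findings)]


if __name__ == "__main__":
    for r in score_assets(ASSETS, FINDINGS):
        print(f"{r.name:15s} score={r.score:7.1f} findings={r.findings}")
```

Running it ranks the internet-facing portal first and the print server last, even though both carry the same 9.8 finding with a known exploit; the low-criticality jump host still outranks the HR database because it is internet-facing and carries an exploitable finding. Real programs feed the same kind of calculation from an asset register and scanner exports rather than hard-coded dictionaries, and tune the weights to the organisation's own risk appetite.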

Tip

Talk to your IT provider about a comprehensive Vulnerability Management Program to proactively identify attack vectors and vulnerabilities and protect the integrity of applications, assets and data.

Number 8

Understand your legal obligations as part of your Incident Response Plan

The Notifiable Data Breaches Scheme requires any organisation covered by the Privacy Act 1998 to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose information has been lost or subjected to unauthorised access or disclosure.

The pressure on an organisation during a breach is unimaginable. You don’t want to be working out the detail of regulatory demands when you could be taking action to remediate, so getting on the front foot and knowing when and how to act is a no-brainer.

Tips
  • Visit the OAIC Notifiable Data Breaches advice to understand what you need to disclose, and to whom, in the event of a breach.
  • Ensure response processes to data breaches and accountabilities are included in your Incident Response Plan and stakeholders advised.

Finally, the balancing act of acquiring, managing and upskilling resources while managing a suite of technologies to protect your business can often be overwhelming. The right service provider will review what you have and augment it rather than start afresh. For some organisations, a managed security offering provides the 24x7, on-shore (Australian based) assurance they need.

Knowing how and where to start is often as simple as finding the right partner to kick off a security maturity evaluation. An independent evaluation of your current assets and team capability can provide the insights you need to plan and budget your security scale-up program.

It’s also worth reviewing and updating your Incident Response Plan to cover all potential issues including:

  • Data/privacy breach
  • Ransomware
  • Business email compromise (BEC)
  • Denial of service
  • Phishing
  • Malware
  • Supply chain compromise
  • Microsoft Office 365 Vulnerability

Would you like to know more? Talk to us for more support or guidance.