The Australian Prudential Regulation Authority (APRA) has published its most recent findings, identifying three substantial security weaknesses across the financial services industry. These results are concerning, particularly in light of the escalating cyber threat levels. However, the positive news is that these vulnerabilities can all be effectively addressed.
First, let’s unpack what APRA found in its latest letter—Additional insights on common cyber resilience weaknesses—which focused on the security performance of regulated entities in banking, superannuation, and insurance.
Key takeaways from APRA’s latest findings:
The Australian Prudential Regulation Authority (APRA) outlined the common cyber weaknesses observed in the financial sector.
It reported on three primary weakness areas:
Inconsistent configuration management practices
In a sector with aging core legacy platforms and old code mixed with modern apps and software, it’s not surprising that many assets lack an adequate baseline level of security configuration—and are not reassessed when new vulnerabilities emerge. In some cases, legacy vendors no longer support and patch outdated systems.
A lack of visibility, tooling, and structured maintenance processes leaves gaps in identifying and remediating vulnerable assets, resulting in unaddressed weaknesses and significant risk exposure.
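As an added illustration of the baseline and reassessment gap described above (this is example code, not Nexon's tooling or anything from the APRA letter), the following Python checks a constructed asset inventory against a security baseline, flags platforms whose vendor support has lapsed, and flags assets whose baseline has not been re-reviewed within a year. The platform names, support end dates and baseline settings are all constructed assumptions.

```python
from datetime import date

# Security baseline: each required setting maps to either a literal value that
# must match exactly, or a predicate that the configured value must satisfy.
# (Constructed example baseline, not an industry standard.)
BASELINE = {
    # minimum-version rule: any TLS version >= 1.2 passes
    "tls_min_version": lambda v: tuple(int(p) for p in v.split(".")) >= (1, 2),
    "mfa_required": True,
    "log_forwarding": True,
    "default_admin_disabled": True,
}

# Assumed vendor end-of-support dates for the constructed platform names.
SUPPORT_END = {
    "CoreBank/7": date(2021, 6, 30),
    "CoreBank/9": date(2027, 12, 31),
    "WebPortal/3": date(2026, 3, 31),
}

# Constructed asset inventory (no real systems).
ASSETS = [
    {"name": "ledger-01", "platform": "CoreBank/7",
     "config": {"tls_min_version": "1.0", "mfa_required": False,
                "log_forwarding": True, "default_admin_disabled": True},
     "last_reviewed": date(2022, 1, 10)},
    {"name": "ledger-02", "platform": "CoreBank/9",
     "config": {"tls_min_version": "1.3", "mfa_required": True,
                "log_forwarding": True, "default_admin_disabled": True},
     "last_reviewed": date(2024, 7, 1)},
    {"name": "portal-01", "platform": "WebPortal/3",
     "config": {"tls_min_version": "1.2", "mfa_required": True,
                "log_forwarding": False},
     "last_reviewed": date(2023, 2, 14)},
]


def assess_asset(asset, baseline, support_end, today, max_review_age_days=365):
    """Return a list of human-readable findings for one asset."""
    findings = []
    cfg = asset["config"]

    # 1. Baseline drift: missing settings and settings that fail the rule.
    for key, rule in baseline.items():
        if key not in cfg:
            findings.append(f"missing setting: {key}")
            continue
        ok = rule(cfg[key]) if callable(rule) else cfg[key] == rule
        if not ok:
            findings.append(f"drift: {key}={cfg[key]!r} fails baseline")

    # 2. Vendor support: unsupported platforms no longer receive patches.
    eol = support_end.get(asset["platform"])
    if eol is None:
        findings.append(f"unknown platform {asset['platform']}: no support data")
    elif eol < today:
        findings.append(f"unsupported platform {asset['platform']} (support ended {eol})")

    # 3. Reassessment: baselines must be revisited as new vulnerabilities emerge.
    age = (today - asset["last_reviewed"]).days
    if age > max_review_age_days:
        findings.append(f"baseline review overdue ({age} days since last review)")
    return findings


def assess_inventory(assets, baseline, support_end, today):
    """Map each asset name to its findings; an empty list means compliant."""
    return {a["name"]: assess_asset(a, baseline, support_end, today)
            for a in assets}


if __name__ == "__main__":
    for name, findings in assess_inventory(ASSETS, BASELINE, SUPPORT_END,
                                           date(2024, 8, 15)).items():
        print(name, "->", findings or "compliant")
```

Assets that return an empty list are compliant; everything else is a work item. In a real environment the inventory and support dates would come from a CMDB and vendor lifecycle data rather than inline constants.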
Unstructured and entitled access control
While it’s relatively straightforward to address, leaving the door unlocked to mission-critical platforms is far too common. Whether it’s ex-staff, contractors, customers, suppliers, or partners, APRA found gaps in access and credential lifecycle management, with no accurate inventory of, or controls over, user and system accounts.
Structured processes, regular audits, secure credentials storage, and automated workflows and approvals can mitigate these risks by ensuring that only verified and current people can access data and systems when needed and that breaches can be identified and rectified.
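The audit described above can be automated. The following Python is an added example (not Nexon's or APRA's code) that reconciles a constructed account inventory against a constructed HR roster and flags the lifecycle gaps APRA names: accounts whose owner has left, contractor accounts past their engagement end date, accounts with no owner on record, dormant user accounts, and system accounts whose credentials have not been rotated. The roster, account records and thresholds are all assumptions.

```python
from datetime import date

# Constructed HR roster: who is currently entitled to access, and until when.
ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2024, 5, 31)},
    "carol": {"status": "contractor", "end_date": date(2024, 6, 30)},
    "dave":  {"status": "contractor", "end_date": date(2025, 1, 31)},
}

# Constructed account inventory from the platform side (user and system accounts).
ACCOUNTS = [
    {"id": "alice",     "type": "user",   "owner": "alice",
     "last_login": date(2024, 8, 14), "last_rotated": date(2024, 3, 1)},
    {"id": "bob",       "type": "user",   "owner": "bob",
     "last_login": date(2024, 6, 2),  "last_rotated": date(2024, 1, 15)},
    {"id": "carol",     "type": "user",   "owner": "carol",
     "last_login": date(2024, 4, 20), "last_rotated": date(2024, 1, 1)},
    {"id": "dave",      "type": "user",   "owner": "dave",
     "last_login": date(2024, 8, 1),  "last_rotated": date(2024, 7, 1)},
    {"id": "svc-batch", "type": "system", "owner": "erin",   # erin is not in HR
     "last_login": date(2024, 8, 15), "last_rotated": date(2022, 11, 3)},
]

# Assumed policy thresholds.
DORMANT_DAYS = 90            # user accounts idle longer than this are dormant
SYSTEM_ROTATION_DAYS = 365   # system credentials must be rotated within a year


def audit_account(acct, roster, today):
    """Return lifecycle findings for one account (empty list = no issue)."""
    findings = []

    # Ownership: every account must map to a current, entitled person.
    person = roster.get(acct["owner"])
    if person is None:
        findings.append("no owner in HR inventory (orphaned account)")
    elif person["status"] == "terminated":
        findings.append(f"owner left on {person['end_date']}; account still exists")
    elif person["end_date"] is not None and person["end_date"] < today:
        findings.append(f"engagement ended {person['end_date']}; access not revoked")

    # Usage and credential hygiene differ for user and system accounts.
    if acct["type"] == "user":
        idle = (today - acct["last_login"]).days
        if idle > DORMANT_DAYS:
            findings.append(f"dormant: no login for {idle} days")
    else:
        age = (today - acct["last_rotated"]).days
        if age > SYSTEM_ROTATION_DAYS:
            findings.append(f"system credential not rotated for {age} days")
    return findings


def audit_inventory(accounts, roster, today):
    """Map each account id to its findings."""
    return {a["id"]: audit_account(a, roster, today) for a in accounts}


def revocation_queue(report):
    """Accounts that should be disabled now: owner gone, engagement over, or no owner."""
    triggers = ("owner left", "engagement ended", "orphaned")
    return sorted(acct_id for acct_id, findings in report.items()
                  if any(t in f for f in findings for t in triggers))


if __name__ == "__main__":
    report = audit_inventory(ACCOUNTS, ROSTER, date(2024, 8, 15))
    for acct_id, findings in report.items():
        print(acct_id, "->", findings or "ok")
    print("disable now:", revocation_queue(report))
```

The revocation queue is the part worth wiring into an automated workflow: a joiner/mover/leaver feed from HR can drive it daily, and every account it returns is a measurable control failure rather than a judgement call.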
Security testing: Hit-and-miss approach and subsequent actions
APRA reported inadequate testing coverage of assets across financial entities and insufficient management and oversight of test findings and follow-up actions. Regular and thorough testing of security controls is essential for maintaining a robust security posture.
5 Strategies for evaluating and strengthening your security posture:
At Nexon, we provide comprehensive security solutions and assessments to help our customers stay on top of their security posture, especially in the cloud.
Here are five ways we can help:
Cloud security posture management (CSPM)
Our services review your cloud environments to ensure they are secure and compliant with industry standards and security protocols. This includes ongoing monitoring for potential vulnerabilities and automated fixes that promptly address identified issues, maintaining the integrity and compliance of your cloud infrastructure.
Vulnerability assessments and penetration testing
Through proactive testing of your systems, our team can uncover and resolve potential vulnerabilities before hackers can exploit them. This proactive approach effectively minimises risks, safeguarding your business from potential harm.
Identity and access management (IAM)
We enforce stringent access controls to safeguard critical resources, granting access solely to authorised individuals. Our security measures encompass multi-factor authentication, role-based access privileges, and regular audits to protect sensitive data and systems.
Security awareness
To build resilience, staying informed is paramount. We arm your team with knowledge about the latest cyber threats and proven best practices, equipping them as the frontline defence against potential attacks.
Incident response planning
With our expert consultants, you can craft and enhance your incident response plans, ensuring prompt measures during security breaches. Frequent drills and updates guarantee your plan’s effectiveness against evolving threats, empowering you to tackle challenges promptly and efficiently.
Essentials to protect your people, data, and organisation
APRA’s findings emphasise the importance of consistent security self-assessments for organisations. To mitigate risks effectively, APRA suggests adopting proven frameworks like the Essential 8, developed by the Australian Cyber Security Centre (ACSC). Nexon offers a comprehensive explanation of the Essential 8 and a complimentary security checklist and assessment service.
Our team of experts stands ready to provide tailored guidance on how APRA’s findings might impact your organisation. Additionally, we can collaborate to develop strategies that bolster your cyber resilience, ensuring you remain secure in today’s digital landscape.
Melvin Vielman is a Principal Consultant (Cloud Technology and DevOps) at Nexon Asia Pacific. For more information, contact Nexon today.
Melvin is responsible for aligning and delivering cloud strategies to organisations. Nexon’s teams are dedicated to providing consulting services that empower clients to navigate the cloud landscape effectively. Our services enable you to adapt, optimise, and manage your cloud services, ensuring successful transitions and ongoing optimisation.
1 APRA, Additional insights on common cyber resilience weaknesses, 15 August 2024