A holistic approach to cyber-security

November 9, 2017

Three pressing factors are bringing cyber security into sharp focus for mid-sized Australian organisations today. These factors – the move to cloud; the Notifiable Data Breaches scheme; and a growing interest from cyber criminals in smaller targets – are combining to change our attitudes and our approach to protecting our key digital assets and infrastructure.

The Cloud
IT services firm Viatek sees a maturing cloud appetite from its client base of mid-sized government agencies and firms. Most of these organisations, drawn from multiple industries and with between 300 and 500 staff, are now seriously considering cloud transformation for some or all of their key services and applications.

This move to the cloud often involves a leap of faith when it comes to security. It’s not that cloud is less secure – in fact, in most cases it will be more secure than their current IT environment. However, there is a level of comfort (and possibly a false sense of security!) organisations have if they can physically see where their data resides – either on dedicated infrastructure in their own offices or at their data centre provider.

As a result, the move to the cloud is shifting thinking about security. The organisation now sees itself as more porous, more exposed to the outside world. It’s no longer a case of just asking yourself whether your servers are running the latest patches, whether you have the right firewall policies in place, or whether your anti-virus software is up to date.

Now, you need to be considering true vulnerability and risk management which, like the cloud, is independent of the technology. Can you ensure business continuity in the event of a cyber attack or disaster? Can you identify potential breaches and respond quickly and effectively to prevent them or limit their damage? Can you stay ahead of emerging threats and vulnerabilities to protect your organisation?

Notifiable Data Breaches scheme
On 22 February 2018, new Australian Government cyber security legislation comes into force that will apply to businesses, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure. For businesses, that includes any with over $3m in annual turnover.

The Notifiable Data Breach scheme not only requires organisations to immediately notify any individuals likely to be at risk of serious harm from a data breach; they must also recommend what steps those individuals should take to prevent or minimise that harm.

That fundamentally changes the approach to cyber security from one that is focused on simple prevention or incident response to a more holistic approach that needs to consider the impact and extent of any breach, notification procedures, a harm mitigation plan, and a process to prevent similar future breaches.

Smaller Targets
Over the past two years, more and more medium-sized organisations have asked for our help after finding themselves at the mercy of cyber criminals from hacking, malware or ransomware attacks. Ransomware like WannaCry and Petya might not have hit as hard in Australia as other countries, but it has highlighted the dangers that organisations face from this type of threat.

Our experience is borne out in the latest findings from the Australian Cyber Security Centre. CERT Australia has seen an 11% increase in incident responses from sectors that have not traditionally been targeted, such as accommodation, automotive and hospitality businesses.

While large enterprises tend to have dedicated InfoSec teams, smaller organisations are increasingly targeted by cyber criminals who are far more opportunistic, scanning broadly for vulnerabilities rather than singling out a particular victim.

The outcome?
Mid-sized organisations need to adopt an approach to cyber security that is far more holistic, and less about point solutions and technologies. A well-managed or patched environment can still get hacked, and threats can come from within the trusted perimeter.

New disciplines are needed to baseline and track user behaviour, and to analyse and trace where an intrusion happened. It’s about having an appropriate incident protection and response capability that does more than react quickly to breaches: it continually monitors the environment, correlating millions of events to identify potential risks and to prioritise prevention measures accordingly.

It’s also about maintaining awareness of the constantly evolving threat landscape and applying the appropriate measures to fix vulnerabilities in the environment as they emerge.

That’s quite a different proposition to just keeping those servers patched!