Insight

Cyber resilience - A good place to start

November 2016


It can and will happen to you

"Why would anyone want to hack our systems?" It is a fair and reasonable question. Your organisation might have data on a lot of clients or maybe not much at all. You may not even have a lot of Intellectual Property of significance but whatever you do have is important to you.

It is only a matter of time before you receive an email containing highly sophisticated software that enables hackers to infiltrate your computer. Imagine you are waiting for a parcel delivered by Aus Post and up pops an email that looks like the one you are expecting. It usually happens when you are off-guard. By the time you have clicked through to find out it is a fake, the damage has already been done.

Why they want your computer

Two attack scenarios are common:
Ransomware - You get locked out of your computer and a message says that for just $500 "they" will release it for you. As a note, NEVER give your payment details to these criminals. Would you trust them? It is now too late, you must rebuild your computer from scratch.
Use by hackers - To prevent being tracked, hackers like to use other peoples' computers to do their dirty work for them. They try to install software, that you are completely unaware of, which connects your computer to others via the internet and does who knows what?

So regardless of what your computer does, it is only a matter of time before it is a target.

Guidelines for your organisation

The Commonwealth Government recently released their Protective Security Policy Framework (PSPF). It provides policy, guidance, and best practice to foster a positive culture of security across corporate and non-corporate Commonwealth entities. It also serves as a blueprint to guide state governments in developing their own security policies (For Victoria, refer to the VPDSF below). Broadly, the framework contains 36 mandatory requirements across the following:
bulletGovernance
bulletPersonnel security
bulletInformation security
bulletPhysical security.

Where to start with Information Security

Certainly there is crossover between the above domains and the requirements are very broad. However it is clear that the following steps, derived from the PSPF mandatory requirements, or Victorian Protective Data Security Standards (for Victorian agencies) will set any organisation on the right path.

1. Define a clear direction
Start with defining a clear direction on Information Security through the development and implementation of an IS policy.

Some relevant starting questions that will help to shape your policy are:
bulletWhere is information stored?
bulletHow many storage systems are there?
bulletIs information stored in the same manner and location both for internally and externally generated information?
bulletWho has access to the information?
bulletWhat controls are in place to prevent unauthorised access?

2. Keep it relevant to you
Organisations come in all shapes and sizes. With untold amounts of information flowing into and out of your organisation, it is important understand the following:
bulletWhat information is permitted to be retained by your organisation?
bulletThe difference between personal and confidential information
bulletWhat legislation, if any, relates to your information.

3. Document and implement procedures
To ensure that information, systems and network tasks are managed securely and consistently, make sure they are clear and known! In many cases, this will include a breach notification and management plan.

4. Seek external advice and opinions
By going through these steps you will naturally assess your current processes and their suitability. You may find that while your IT people are keen to be involved, this may not be their area of expertise. These issues are complicated and they are often outside the natural knowledge of people within the organisation. It may be that you require an independent opinion or guidance on what could be an extensive review.

We would value the opportunity to assist as you develop your information management security framework.

Author: Brian Kerk