Insight
Cyber resilience – a good place to start
October 2019
The growing recognition that cyber-attacks and data breaches are on the rise puts the onus on all businesses and organisations, in both the public and private sectors, to protect their data and their systems from malicious intrusion. You don’t have to be a prominent government agency to be of interest to cybercriminals.
Cyber resilience is the ability to identify risks, protect systems and data, detect attacks, respond to them and recover from them (the five functions of the NIST Cybersecurity Framework). It covers governance, information security, systems security, and incident response and notification.
It can and will happen to you
“Why would anyone want to hack our systems?” It is a fair and reasonable question. Your organisation might hold data on a lot of clients, or not much at all. You may not even have much intellectual property of significance, but whatever you do have is important to you. At the very least a hacked computer is an inconvenience; more often sensitive information is involved, and outsiders having access to it is a risk to you or your business.
We live in a day and age where an email can carry a malicious attachment, or a link to a site that installs malware, enabling attackers to take control of your device. Such a phishing email is typically disguised as a routine message you expect to receive, from a supplier, a bank or a colleague. By the time you have clicked through and realised it is a fake, it is too late; the damage has already been done.
Why do hackers want access to your device?
Two attack scenarios are common:
1. Ransomware – your files are encrypted or you are locked out of your computer, and a message says that for just $500 ‘they’ will release it for you. Never give your payment details to these criminals. Why would you trust them? Paying does not guarantee that your data comes back, and you are still left with a compromised machine. Plan on rebuilding the computer from scratch and restoring your data from a backup that the attacker could not reach, which means backups must be taken regularly and kept offline or otherwise isolated from the systems they protect.
2. Your device is used as a proxy by hackers – to avoid being tracked, attackers like to use other people’s computers to do their dirty work for them. The malware may arrive through a compromised web advertisement (‘malvertising’) without you noticing anything, after which your computer quietly takes instructions from the attacker and joins a network of similarly infected machines (a botnet) used to send spam, attack other organisations or hide the attacker’s traffic. Malware of this kind, disguised as or hidden inside something legitimate, is referred to as a ‘trojan’.
It is only a matter of time before your devices and systems become a target and you may be totally unaware of this.
The question that every organisation needs to ask is, ‘Are we confident that our systems have not been compromised?’
Government intervention
Many jurisdictions have begun to legislate to improve cyber security, and you need to be aware of the regulation that applies in your own country. Here in Australia, for example, the Commonwealth Government’s Protective Security Policy Framework (PSPF) provides policy and guidance on protective security best practice across corporate and non-corporate Commonwealth entities. It also serves as a blueprint that state governments can use in developing their own security policies. Broadly, the framework sets mandatory requirements across four outcomes:
• Governance
• Personnel security
• Information security
• Physical security
In Europe, the General Data Protection Regulation (GDPR) imposes obligations in relation to data collection, data retention and data breaches, including notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible. Readers in Europe should consider the specific requirements applicable to them.
Regardless of whether there are regulations that are applicable in your jurisdiction, protection of private information and your own computer devices is imperative for all businesses and a risk that should be deliberately managed.
Mandatory breach reporting
The Australian Government has also passed mandatory data breach laws, the Notifiable Data Breaches (NDB) scheme, which came into effect in February 2018. Organisations bound by the Privacy Act that suspect an eligible data breach (unauthorised access to, disclosure or loss of personal information that is likely to result in serious harm) must assess it promptly, within 30 days at most. Where there are reasonable grounds to believe an eligible data breach has occurred, they must notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable.
Where to start with information security
Certainly, there is crossover between protective security domains and the requirements are very broad. However, the following steps will set any organisation on the right path towards information security management.
Define a clear direction
Start by defining a clear direction on information security by developing and implementing an information security framework (ISF) covering people, policies, processes, and controls.
Answering these questions will help you shape your framework:
• Where is information stored?
• Is information stored in the same manner and location whether it was generated internally or externally?
• Who has access to your information?
• Who are your responsible persons managing information internally and externally?
• Do your IT consultants actively monitor unauthorised access?
• Do you have controls that can detect information breaches?
• What are your breach response procedures?
• Do you know what your reporting channels are?
• What are your recovery and continuous improvement procedures?
Keep it relevant to you
Organisations come in all shapes and sizes. With untold amounts of information flowing into and out of your organisation, it is important to understand:
• The legislation, if any, that governs your information
• The information your organisation is permitted to retain
• The difference between personal, sensitive, and confidential information, and whether you need to hold this information legally.
Document and implement procedures
To ensure that information, human processes, systems and network tasks are managed securely and consistently, write the procedures down and make sure the people who must follow them know them. Things that could be considered include:
• Planning information security awareness workshops
• Producing data breach escalation procedures
• Producing data breach notification procedures
• Ensuring third party service agreements reflect current privacy and data security requirements
• Identifying external data breach response agencies and contact points.
Make the importance of cyber security well known in your organisation
Having frequent conversations and regular updates within your organisation about data security will keep it front of mind. Even encouraging staff to use long, unique passphrases (not reused across services), to turn on multi-factor authentication wherever it is offered, and to change a password promptly if it may have been exposed would go a long way towards preventing IT security breaches. Forcing everyone to change passwords on a fixed schedule, by contrast, tends to produce weaker, predictable passwords and is no longer recommended by security agencies. Remember that every person with access to a device connected to your systems is a point of vulnerability.
Seek external advice and opinions
By going through these steps you will be in a position to assess your current processes and their suitability. You may find that while your IT people are keen to be involved, this is not their area of expertise. These issues are complicated, and they often lie outside the knowledge of people within the organisation. You may need an independent opinion, or guidance on what could be an extensive review. In our organisation we employed an expert to undertake penetration testing to confirm that our firewalls were strong and to report on points of vulnerability that we could improve.
About the author
Steven Ling
Melbourne, Australia
Steven is a special projects manager at Saward Dawson, the Melbourne member of Russell Bedford International. He joined the firm in 2012 having previously worked for a large accounting software provider. He has found a niche in getting the maximum from accounting software and making it work for his clients.
Steven enjoys developing his understanding of business processes and then improving them with the help of technology – his mission is to automate whatever can be automated. Through the combination of his expertise in tax, accounting software and his passion for Excel modelling, he thrives on assisting clients while developing and implementing practical solutions to business problems.
Steven.Ling@sawarddawson.com.au