Friday, 2nd June 2017
Organisations of all shapes and sizes would be well advised to develop and implement an Information Security Policy.
The growing recognition that cyber-attacks and data breaches are on the rise puts the onus on all businesses and organisations, in both the public and private sectors, to protect their data and their systems from malicious intrusion. You don’t have to be a prominent government agency to be of interest to cyber-criminals.
Cyber resilience is the ability to identify, protect, detect, respond to and recover from a cyber-attack. It covers governance, information security, systems security, and incident response and notification.
It can and will happen to you
“Why would anyone want to hack our systems?” It is a fair and reasonable question. Your organisation might have data on a lot of clients or maybe not much at all. You may not even have a lot of intellectual property of significance, but whatever you do have is important to you. Why? Because information is power.
It is only a matter of time before you receive an email containing highly sophisticated software that enables hackers to infiltrate your computer. Imagine you are waiting for a parcel to be delivered by a carrier service and up pops an e-mail that looks like the one you are expecting. It usually happens when you are off-guard. By the time you have clicked through to find out it is a fake, the damage has already been done.
Why they want your computer
Two attack scenarios are common:
Ransomware – You get locked out of your computer and a message says that for just $500 ‘they’ will release it for you. As a note, NEVER give your payment details to these criminals. Would you trust them? It is now too late; you must rebuild your computer from scratch.
Use by hackers – To avoid being tracked, hackers like to use other people’s computers to do their dirty work for them. This may be done through software you are completely unaware of, possibly introduced through ‘innocent web-ads’, which connects your computer to others via the internet and does who knows what.
So regardless of what your computer does, it is only a matter of time before it is a target.
The question that every organisation needs to ask is, “Can we confidently attest that there are no ‘lurkers’ within our systems?”
Guidelines for your organisation
In Australia, the Commonwealth Government’s Protective Security Policy Framework (PSPF) provides policy and guidance on protective security best practice for corporate and non-corporate Commonwealth entities. It also serves as a blueprint to guide state governments in developing their own security policies. Broadly, the framework contains 36 mandatory requirements across the following:
Mandatory breach reporting
The Australian Government recently passed mandatory data breach laws that will come into effect by February 2018. Organisations bound by the Privacy Act are required to report to the Privacy Commissioner if they suspect a breach has occurred and to carry out specific steps to manage this process. In the event of an actual breach, it is mandatory for the Commissioner and affected clients to be notified immediately.
Where to start with Information Security
Certainly there is crossover between Protective Security domains, and the requirements are very broad. However, it is clear that the following steps, derived from the PSPF mandatory requirements, will set any organisation on the right path towards information security management.
1. Define a clear direction
Start by defining a clear direction on Information Security through the development and implementation of an IS Framework (ISF), covering the people, policies, processes and controls involved.
Some relevant starting questions that will help to shape your framework are:
2. Keep it relevant to you
Organisations come in all shapes and sizes. With untold amounts of information flowing into and out of your organisation, it is important to understand the following:
3. Document and implement procedures
To ensure that information, human processes, systems and network tasks are managed securely and consistently, make sure they are clear and known. In many cases, this includes:
4. Seek external advice and opinions
By going through these steps you will naturally assess your current processes and their suitability. You may find that while your IT people are keen to be involved, this may not be their area of expertise. These issues are complicated and they are often outside the natural knowledge of people within the organisation. It may be that you require an independent opinion or guidance on what could be an extensive review.
The views expressed in the articles in this website are those of the authors and do not necessarily reflect the opinions or policies of Russell Bedford International or its member firms. The information contained in this website is provided for general purposes only and does not constitute professional accounting, tax, business or legal advice. It may not be applicable to specific circumstances. Laws and regulations change rapidly, so information contained herein may not be complete or up-to-date. Please contact your professional adviser before taking any action based on this information.