Cyber resilience - A good place to start

June 2017

The growing recognition that cyber-attacks and data breaches are on the rise puts the onus on all businesses and organisations, in both the public and private sectors, to protect their data and their systems from malicious intrusion. You don't have to be a prominent government agency to be of interest to tech-criminals.

Cyber resilience is the ability to identify, protect, detect, respond to and recover from a cyber-attack. It covers governance, information security, systems security, and incident response and notification.

It can and will happen to you

"Why would anyone want to hack our systems?" It is a fair and reasonable question. Your organisation might have data on a lot of clients or maybe not much at all. You may not even have a lot of intellectual property of significance, but whatever you do have is important to you. Why? Because information is power.

It is only a matter of time before you receive an email containing highly sophisticated software that enables hackers to infiltrate your computer. Imagine you are waiting for a parcel to be delivered by a carrier service and up pops an email that looks like the one you are expecting. It usually happens when you are off-guard. By the time you have clicked through and found out it is a fake, the damage has already been done.

Why they want your computer

Two attack scenarios are common:

Ransomware - You get locked out of your computer and a message says that for just $500 'they' will release it for you. As a note, NEVER give your payment details to these criminals. Would you trust them? It is now too late; you must rebuild your computer from scratch.

Use by hackers - To avoid being tracked, hackers like to use other people's computers to do their dirty work for them. This may be done via software that you are completely unaware of, possibly introduced through 'innocent web-ads', which connects your computer to others via the internet and does who knows what.

So regardless of what your computer does, it is only a matter of time before it is a target.

The question that every organisation needs to ask is, "Can we confidently attest that there are no 'lurkers' within our systems?"

Guidelines for your organisation

In Australia, the Commonwealth Government's Protective Security Policy Framework (PSPF) provides policy and guidance on protective security best practice across corporate and non-corporate Commonwealth entities. It also serves as a blueprint to guide state governments in developing their own security policies. Broadly, the framework contains 36 mandatory requirements across the following:

  • Governance
  • Personnel security
  • Information security
  • Physical security

Mandatory breach reporting

The Australian Government recently passed mandatory data breach laws that will come into effect by February 2018. Organisations bound by the Privacy Act are required to report to the Privacy Commissioner if they suspect a breach has occurred and to carry out specific steps to manage this process. In the event of an actual breach, it is mandatory for the Commissioner and affected clients to be notified immediately.

Where to start with Information Security

Certainly, there is crossover between the Protective Security domains, and the requirements are very broad. However, it is clear that the following steps, derived from the PSPF mandatory requirements, will set any organisation on the right path towards information security management.

1. Define a clear direction

Start by defining a clear direction on Information Security through the development and implementation of an IS Framework (ISF), covering the people, policies, processes and controls involved.

Some relevant starting questions that will help to shape your framework are:

  • Where is information stored?
  • Is information stored in the same manner and location for both internally and externally generated information?
  • Who has access to your information?
  • Who are your responsible persons managing information internally and externally?
  • Do your IT consultants actively monitor for unauthorised access?
  • Do you have controls that are capable of detecting information breaches?
  • What are your breach response procedures?
  • Do you know who your reporting channels are?
  • What are your recovery and continuous improvement procedures?

2. Keep it relevant to you

Organisations come in all shapes and sizes. With untold amounts of information flowing into and out of your organisation, it is important to understand the following:

  • What legislation, if any, relates to your information?
  • What information is permitted to be retained by your organisation?
  • The difference between personal, sensitive, and confidential information, and whether you need to hold this information legally

3. Document and implement procedures

To ensure that information, human processes, systems and network tasks are managed securely and consistently, make sure the procedures governing them are clear and known. In many cases, this includes:

  • Planning information security awareness workshops
  • Producing data breach escalation procedures
  • Producing data breach notification procedures
  • Ensuring third party service agreements reflect current privacy/data security requirements
  • Identifying external data breach response agencies and contact points

4. Seek external advice and opinions

By going through these steps, you will naturally assess your current processes and their suitability. You may find that while your IT people are keen to be involved, this is not their area of expertise. These issues are complicated and are often outside the natural knowledge of people within the organisation. It may be that you require an independent opinion or guidance on what could be an extensive review.