By Jason Trampevski, Field Chief Technology Officer, Sekuro
The latest annual report from ACSC found a 13% increase in cybercrime incidents representing yearly losses totalling AU$33 billion. Some headline-making recent attacks on larger Australian organisations actually occurred during Cyber Security Awareness Month in October, a timely reminder that we all need to remain vigilant.
Mere compliance with basic data security guidelines isn’t enough in the current climate. It’s clear that we need to take action against threats at an organisation-wide level.
To properly protect our online ecosystems, we need to act urgently on the four pillars of cyber security preparedness:
• Threat Modelling
• Human Vulnerabilities
• Incident Response Planning
• Technology Strategy
Threat Modelling Is The Foundation Of Cyber Security
Information security experts can analyse an organisation and determine from past experience what kinds of attacks are most likely and the vectors that display the greatest vulnerability.
Cyber-attacks take many forms and come from a wide range of different sources. Understanding what specific threats your organisation is most likely to face means you can take a strategic approach to defence, rather than just throwing resources into a generalised defence and crossing your fingers. Threat modelling is the process involved in establishing these key defensive priorities.
Ultimately, effective cyber security demands a comprehensive, multi-layered approach. However, using threat modelling, we can make good tactical choices about which vulnerabilities we address first, and how we allocate resources to have the greatest positive effect.
Human Vulnerabilities In Your Organisation Can Be Catastrophic
Not everyone in your organisation is cyber security savvy. Most people assume that if they have basic “virus protection” software installed on their computer, then they’re beyond the reach of cyber-attacks. Unfortunately, the reality is very different. People are often the unwitting vectors for destructive cyber incursions. It was the simple mistake of clicking a link in a malicious email that landed the Clinton election campaign boss, John Podesta, in hot water in 2016. From that one simple human error erupted a major cybercrime attack and a damaging political scandal.
Thinking defensively about protecting the people in your office from phishing and hacking attacks can make a crucial difference, but it means making positive changes in your organisational culture as well as your technology. We need to start addressing cyber security as a whole-of-business challenge, rather than just relegating the problem to the IT department.
Communication, planning and active cyber security training are essential first steps. Do your team members know what to look for to identify suspect emails? Are they in the habit of thinking twice before clicking on links? These are the sort of basic educational outcomes to strive for.
Of course, having a rigorous backup system and response plan is still essential. Cyber-attacks do happen, no matter how careful we are, so having failsafe measures in place is vital.
Practice Your Incident Response Plan
Drafting a comprehensive cyber security response plan is an essential basic step, but like any plan, it’s only as good as the amount of time you spend educating your team about it and practising. That’s why we do fire drills; putting a memo up on the wall doesn’t mean much when the building is burning down around you. Everyone needs to understand what they need to do in an emergency, and practice so that they feel confident it will work.
To make a cyber security response plan work, we need to conduct regular reviews so that it doesn’t get out of date. Make sure you do regular training activities, too. Over time teams change, and anyway, people are more likely to remember what they need to do if their training is fresh in their minds.
It can’t be emphasised enough how important it is to educate your team about the cybercrime threats the organisation faces, as well as their role in defence. The magnitude and severity of cybercrime consequences are surprising for most people outside the security industry. If people understand that the very survival of the company they work for can depend on their online behaviour, they are much more likely to take the threat seriously. Encourage your team members to feel empowered as well as responsible, and make sure there are established communication channels for incident reporting so that vital intel finds its way to the security team before it’s too late.
Technology Strategy: Think Before You Buy
There’s a widely held misconception that the answer to all cyber security challenges is more and better technology. There are thousands of software companies building their business model on promoting this idea, so it’s no wonder many people seem to think that throwing money at the problem is a real solution.
Before you invest in a new cyber security platform, tool or service, make sure it can really address the specific problems faced by your organisation. Do you need it? Or can you simply use the tools you already have to better effect?
Does your technology portfolio integrate properly to give a complete umbrella of protection? Is that defensive perimeter multi-layered, or are you hanging all your hopes on a single product? These are the sort of questions that anyone responsible for cyber security decisions should be asking themselves. Technology can give a false sense of security. Putting a shiny software package in place and ticking boxes on a compliance sheet will feel satisfying, but without continuous maintenance and review, no security measures will stay effective for long.
Digital Trust: What Is It & Why Is It So Important?
All our efforts as cyber security-conscious people are directed toward the ultimate goal of digital trust. This concept – digital trust – is a culture of reliability and resilience that acts as a cohesive productive force within an organisation and then extends outward to embrace all our users, customers & partners.
As Forbes recently reminded us, consumers and people in general are “more worried than ever about the privacy of their sensitive data.” We only need to look at the disastrous hacking events that have hit high-profile Australian businesses in recent weeks to see what happens when digital trust is broken. There’s nothing in the world we live in today that can hurt an organisation like the perception that it can’t be trusted with people’s sensitive data. When cybercrime hits an organisation it’s an irrevocable blow to reputation, business value and future earnings alike; not to mention the adverse effects on the broader economy and consumer confidence.