Prepared for anything, or flying by the seat of your pants? Against a backdrop of rising threats, Australian businesses and organisations can ill afford to be careless or complacent, when it comes to cyber security.
Cybercrime was named the most disruptive economic crime of the day by the Australian business leaders polled by PwC for its 2018 Global Economic Crime and Fraud Survey: Australian Report. The CEOs surveyed cited cyber-compromise or attack as the chief threat to their growth prospects.
But, despite spending growing sums on tools, technologies and programs to protect networks and critical systems, it can be difficult for organisations to gauge their own cyber readiness.
The ongoing global Ecosystm Cybersecurity Study rates the cyber security measures and controls in place at participating organisations. It’s a self-assessment exercise but it provides some striking insights into the differences between enterprises whose security practices are mature and those which are still in the “evolving” phase.
Here are some of the common features of organisations that rate themselves as mature and have a grip over their cyber security initiatives.
A whole-of-enterprise approach to risk
Computing and information systems have long ceased to be confined to the back office. Instead, the digital revolution has resulted in information technology becoming embedded in every organisational activity and function. Well-prepared organisations take the same tack when it comes to cyber security. Protection measures are typically entrenched within a broader risk management program, not treated as an add-on measure.
A budget which reflects the complexity of the challenge
Every organisation wants a blue-chip security program which provides robust protection for all of its critical infrastructure and applications – until the time comes to talk turkey. That’s often the point at which C-suite enthusiasm wanes and IT professionals are left struggling to mitigate risks with a budget that can only stretch so far. It doesn’t happen that way in organisations which take a strategic approach to cyber security. Instead, they’re highly cognisant of the financial and reputational risks associated with cyber-attacks and regard their security spend as an essential investment, not a discretionary cost they’re reluctant to incur.
An accountable cyber security leader
Developing a comprehensive cyber security policy is admirable but its chances of being put into practice effectively are low, unless making sure that it happens is someone’s clearly defined responsibility. That’s why mature organisations appoint someone to the role of chief information security officer (CISO). In larger organisations, that’s likely to be a full-time role, while in smaller scale enterprises, the task may be outsourced to an external consultant or “virtual CISO”.
A cautious approach to the cloud
Cloud systems are rapidly becoming ubiquitous across Australia’s public and private sectors. Ecosystm data shows that 55 per cent of Australian enterprises are looking to increase their cloud budget in 2020 – and, in many organisations, there’s an assumption they’re a safer option than the on-premises solutions they replace. Organisations with mature cyber policies and postures know that’s not necessarily so. That’s why they’re more likely to take a hybrid approach; using on-premises systems to store sensitive and valuable data and augmenting public cloud security features with their own event-driven security measures. Typically, these will include encryption and multi-factor authentication; technologies which have been demonstrably shown to reduce the likelihood of cyber-attackers gaining an opportunistic “in”.
Ready to respond when trouble strikes
While a robust cyber security posture will lessen the risk of attack, it can’t eliminate it entirely. That’s why cyber-mature organisations are ready to spring into action, should they be unlucky enough to fall victim to an attack or data breach. Their preparations will typically include the development of a detailed breach notification and response plan which outlines the roles and responsibilities of stakeholders and the actions that will be taken to report and remediate the incident in a timely and compliant way.
Time to act
In 2020, cyber-attacks are no longer anomalous or isolated incidents. In Australia, and elsewhere in the world, they’re happening every day – and all too often there are destructive and devastating consequences, for the organisations in question. Assessing your enterprise-wide security posture with clear eyes will help you to identify commensurate, robust measures that address vulnerabilities and gaps, thereby reducing the material risks faced by your organisation.
Alex Woerndle, principal adviser, cyber security – risk and governance, Ecosystm