How quickly time flies – I really can’t believe three months have passed since our last quarterly update. And what an eventful quarter it has been for us all.
In the UK, Boris Johnson was forced by his own party to resign, and the UK subsequently appointed their 56th Prime Minister – Liz Truss.
We witnessed the passing of Her Majesty the Queen, together with the historic global media coverage of her funeral. This passing saw a fundamental change in the monarchy, with the Prince of Wales becoming King Charles III. It’s timely to remember that threat actors (criminals) are highly opportunistic, as evidenced by the recent phishing exploitation targeting mourners in order to steal their Microsoft credentials.
In sport, Geelong became our 2022 AFL champions; the Panthers became NRL champions – and unfortunately, the Wallabies lost the Bledisloe Cup to the ABs (again!).
And, in late September, Australia suffered its most significant data breach in history, with Optus failing to secure customer data, resulting in nearly half of our population being personally affected. Unbelievably, this enormous breach was followed in quick succession by breaches at Telstra, Woolworths, Medibank and others; however, the Optus breach is still dominating the news. No doubt we will continue to witness the monumental fallout from these breaches for weeks and months to come.
I don’t want the highly publicised breaches of Optus, Telstra, Woolworths or Medibank (etc. etc. etc.) to dominate this update; however, I do want to provide some salient guidance and advice that I hope will assist you, your families, and of course, your businesses and stakeholders.
These breaches highlight the importance of ensuring that your company has a tried, tested, and continually enhanced data breach incident response plan. Responding to any incident can be challenging; however, ensuring that your board, executives, and other departments are trained and aware of their roles and responsibilities in such an event is vital to your company’s future.
Some of the most important aspects of responding to a data breach include timely, open, honest, and transparent communications with your stakeholders, underpinned by relevant guidance and support to all those affected. These aspects are paramount towards mitigating potential serious harm to those affected whilst also mitigating potential damage to your company’s brand reputation.
There has never been more consumer or media attention on cyber security in Australian history than there is right now. We are witnessing a very strong and definitive stance from the Government following these breaches, with Minister for Cyber Security Clare O’Neil calling out the affected companies, particularly Optus and their senior management for lack of cooperation, transparency, and customer support.
The Government and other regulatory agencies have put Australian businesses on notice to take cyber security more seriously. Companies need to demonstrate that they have taken all reasonable steps in the circumstances to ensure that the people, processes, and technologies they employ to protect the security of information are robust and fit for purpose.
Australian businesses must educate themselves on the significant differences between IT security and cyber security whilst reducing their overconfidence in basic IT security solutions. ASIC has stated, “managing cyber security risks falls within the realm of general directors’ duties. Directors can no longer take their cyber security responsibilities lightly and without appropriate controls and mechanisms firmly in place, the likelihood of a cyber incident is almost inevitable, thereby exposing them personally to legal liability.”
If you’d like further guidance on the above, or if you’d like to review any potential areas of exposure within your business, please get in touch with me.
Protecting You and Your Family
Like many others, I was personally affected by the Optus data breach. I’ve had to take multiple, sometimes arduous, steps to mitigate the risk to myself and my family. CAT recently put together some guidance on some of the basic ‘personal’ proactive measures that will mitigate your risk of exposure, and not just if you’ve been a victim of a data breach. This included password management, multi-factor authentication, dealing with various scams, together with links to various support agencies offering additional protection advice and services. If you would like a copy of these key recommendations or require any further information or assistance, please get in touch with me.
Protecting Your Business
If your business hasn’t yet implemented a robust cyber security maturity program that encompasses an independent cyber resilience assessment (not an IT audit) with a supported roadmap, ongoing staff training, real-time managed detection and response (MDR), IT security hardening services and penetration/vulnerability testing, then now should be the time to reconsider your company’s position.
Cyber security is not an IT or technology issue; it’s a whole-of-business risk – like health and safety, which falls under Governance, Risk Management and Compliance (GRC). Adopting a ‘top down’ approach, with understanding at board level and underpinned by independent specialist support (funded separately from IT’s budget), will greatly enhance your company’s maturity posture.
For businesses that use external IT-managed services providers (MSPs), very few MSPs have dedicated specialist security professionals on staff, nor do their contracts include or address specific IT security or cyber security controls or mechanisms. Companies must evaluate the resources they have in place to ensure cyber security is given the attention it deserves – whether internally or externally.
Cyber Security Awareness Month
Ironically, October is also Cyber Security Awareness Month! This year’s theme is “Have you been hacked?” – not my favourite topic, I must admit! I personally think that prevention is much more effective than a cure, and yes, nearly all breaches (around 96% or more) can be prevented.
I’m often asked what businesses can do to better protect themselves, and my answer is always the same – take the ubiquitous risks more seriously. If your board hasn’t yet put the “C” (cybersecurity) into ESG (Environmental, Social, and Corporate Governance) you may be exposing yourself to personal liability. Unfortunately, too many Australian businesses only take cyber security seriously when they suffer a breach or are otherwise negatively impacted.
Many boards, senior executives and business owners still view cyber security as an IT or technology issue, unwittingly exposing their businesses further by delegating this responsibility to their internal or external IT departments. The risk and associated responsibility for protecting the business and its stakeholders is not transferrable and cannot be delegated or outsourced.
I’ve outlined below some proactive steps that businesses could adopt to drastically reduce their exposure to a breach.
Assess – consider conducting a whole of business cyber resilience assessment. Using a recognised framework such as ISO 27001 will provide tangible risk areas relating to people, processes, information, and technology. With the resulting roadmap, the board, directors, and other departments can identify the areas of risk they wish to enhance based on their risk appetite and budget.
Train – quality ongoing cyber security training encompasses vastly more than just advising staff not to click on links within emails or getting them to watch outdated videos. Staff who are genuinely engaged and fully understand the role they can play in protecting the business whilst being armed with knowledge and mechanisms to protect themselves and their families can become your company’s human firewall. It’s also vital to be able to report on the various measurable aspects of the training, including benchmarking and staff susceptibility to phishing & social engineering.
Strengthen – for companies that have implemented various IT security solutions or migrated to Microsoft 365 or other cloud platforms, we find so many areas that have not been configured correctly, hardened, or even secured. These platforms and their configurations are notoriously complex, and businesses are often unaware that internal and external IT providers rarely address the specific security hardening requirements. Engaging an independent IT security specialist will complement your internal/external IT whilst identifying and rectifying these areas of risk.
Monitor – according to the latest IBM/Ponemon report, the average time for a company (without real-time monitoring) to detect a data breach is 207 days! It doesn’t matter how good your IT team is or what security you have; if no one is continually and proactively monitoring your company’s entire digital environment, then you’re exposed.
Fully managed Extended Detection and Response (XDR), proactively managed by an independent Managed Security Services Provider (MSSP), will provide your company with early detection of indicators of compromise whilst enabling the team of security specialists to take affirmative action to stop either internal or external threat actors in their tracks.
CAT News
With the expansion of our customer base, together with the growing needs of our clients and their requested additional services, CAT is continuing to expand our highly skilled and dedicated team. I am delighted to introduce you to the newest member of our team – Brendan Sak.
Brendan recently joined our team as a Senior Analyst within our Security Operation Centre (SOC) and brings with him almost a decade of cyber security and information technology/networking experience. Brendan honed his impressive cyber security expertise at companies such as Youi Insurance, Macquarie Telecom, and the Australian Navy in their Defence SOC. Brendan is gradually being integrated into daily client engagements, and we look forward to learning more about Brendan in our ‘Staff Focus’ very soon. In the interim, please continue to use the firstname.lastname@example.org distribution list for all day-to-day SOC interactions.
Conclusion
That’s it for an historic quarter!
For those customers affected by the recent breaches, please stay hyper-vigilant and remember not to engage with or divulge any information in any unsolicited communications (emails, texts, calls, social media etc.).
I hope that you’ve found this quarter’s issue of ‘Cyber Bytes’ useful. As always, if you have any questions or feedback, please get in touch with me, Alex, or the rest of the team, and we’ll be happy to assist!
Stay cyber safe!
Managing Director, Cyber Audit Team