The IT security landscape has evolved dramatically in recent years. There has been a significant increase in the frequency and complexity of cyberattacks against businesses.
Breaches of large organisations are becoming more common, more public and more damaging. Security is now being discussed at the senior leadership and board level to understand the business risk and the resources necessary to manage it.
Boards now finally realise the damage breaches can do to their organisations. Theft of personal data not only affects them financially but it has the potential to destroy their organisation’s reputation in the marketplace.
And there have been a few recent, very high profile examples. The ongoing fallout from the Census DDoS attack is a perfect case study of how a cyber security incident can harm the reputation of not just one but several organisations.
So much so that the prime minister’s special cyber security advisor, Alistair MacGibbon, said the Census debacle will have a lasting impact on trust in government services.
IT leaders gathered in Melbourne recently for a roundtable luncheon to discuss why cyber security is now considered a key business priority. The event was sponsored by Mimecast.
Nick Lennon, country manager at Mimecast, says that for many years Australian organisations have underinvested in email security and it has become the easiest entry point for cybercriminals.
“Meanwhile, there has been a large movement of primary email services to the cloud such as Office 365,” says Lennon. “Security concerns used to be the barrier to the cloud. Now, organisations need the cloud for effective security,” he says.
Mimecast is dealing with advanced spear-phishing or ‘impersonation’ attacks that directly target personal and confidential data, says Lennon. As more than 90 per cent of cyberattacks start with email, real-time link scanning and sandbox detonation of attachments are absolutely critical, he says.
Because of the connected nature of ‘pretty much everything’, IT security is ever evolving and has become a craft in its own right, says Christopher Topp, director of IT at Luther College.
“Hiring and consuming security services is a growing area and will continue to grow over time,” says Topp. “We are dealing with a substantial number of attempts on a daily basis.
“We are rolling out SDN (software-defined networking) technologies to assist us in identifying and proactively stopping these at the source as well as leveraging some pretty advanced threat detection technology.”
Dr Iqbal Gondal, director ICSL, University Engagement at Defence Science Institute, adds that cyberattacks are becoming more sophisticated and harder to detect.
“Rather than playing a catch up game, there is a need to develop strategic research capabilities to anticipate and mitigate future attacks,” he says.
Chris Rathborne, group technology manager at Insurance House, adds that his organisation is approaching IT security on the basis that the landscape is constantly evolving with new threats emerging every day.
The forefront of any defence needs to be one of continual education both internally and externally as much as monitoring and reaction, he says.
“In recent years, security was often the domain of one (or two) people within a team that would try to cover the entire organisation. Now, cyber security is something that everyone needs to be vigilant about and actively seek out opportunities to increase security and reduce threats.
“While the accountability of cyber security now rests with the C-suite, there are more evangelists working across the organisation to improve things,” he says.
The Australian Health Practitioner Regulation Agency (AHPRA) has always taken a proactive approach to security with a strategy and 3-year roadmap for an information security program of works, says Vijay Naran, information security manager, AHPRA.
“We have implemented an information security program in the past 3 years and that has lifted the maturity level. The program is aimed at continual improvement, addressing new threats and preparing the organisation for improved and upcoming regulatory requirements (data breach notifications),” he says.
A cyber resilience health check
Conducting regular cyber resilience ‘health checks’ – which involve more than just preventing or responding to an attack – is an ongoing challenge, says Luther College’s Topp.
“Health checks really shouldn’t be scheduled, they should be part of the ongoing culture of security that is needed in a modern technological environment,” he says.
Insurance House is doing regular health checks on all its platforms at the application and infrastructure levels, says Rathborne.
“Our testing is done from internal and external positions to get as much data about potential vulnerabilities as possible and this would also include a regular program of patching our applications and software,” he says.
“For us it does not stop there – the program must include remediation of anything that is found and that too must be done on a regular basis. Education is part of that health check and this would occur at both the board level and with those outside of traditional IT functions,” he says.
Preparing for mandatory data breach notification
In August, the federal government indicated it would push ahead with legislation to create a mandatory data breach notification scheme.
Defence Science Institute’s Dr Gondal says mandatory reporting could worry some industry sectors as their businesses could be very sensitive to market disclosures. But many organisations simply want to prevent attacks and are not necessarily worried about law enforcement, he says.
“Mandatory reporting could also give the government enough data to formulate cyber security policies more accurately,” he says.
AHPRA already regularly and transparently reports any privacy incidents to the National Health Practitioner Ombudsman and Privacy Commissioner so it is quite prepared, says AHPRA’s Naran.
Luther College’s Topp says the organisation already has systems in place to deal with data breaches and these seem to work well albeit in isolation from any government initiative at this stage.
“It [mandatory reporting] probably won’t affect us a great deal but to have a centralised repository of [certain] types of breaches could hold some value for directing future funds,” he says.
Mimecast’s Lennon advises that the first step towards preparing for data breach notification laws is to reduce the risk of breaches in the first place.
“Data loss prevention and encrypted secure messaging technologies can limit the risk of malicious or accidental data leaks via email,” he says. “Email systems should also be integrated into SIEM (security information and event management) systems to help correlate attacks with user behaviour – identifying breaches early, ideally before any data is lost,” he says.
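As an added illustration of the email-to-SIEM correlation Lennon describes (this is not code from the article, from Mimecast or from any of the organisations quoted), the following Python sketch joins constructed email-gateway click events with constructed authentication events. The rule it implements is a simple one: a user clicks a link the gateway marked malicious and, within 30 minutes, successfully logs in from a country that user has never logged in from before. The log formats, field names, the 30-minute window and every sample record are assumptions made for this example.

```python
"""Correlate email-gateway link clicks with authentication events.

Added example (not from the article or Mimecast): a minimal version of
the kind of rule a SIEM would run. Formats, field names, thresholds and
sample records are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed email-gateway log: ts|event|user|url|verdict (not real data)
EMAIL_LOG = """\
2016-09-12T08:01:10|url_click|alice|http://invoice-portal.example/login|malicious
2016-09-12T08:05:42|url_click|bob|http://intranet.example/news|clean
2016-09-12T09:14:03|url_click|carol|http://hr-update.example/reset|malicious
"""

# Constructed authentication log: ts|event|user|src_ip|country (not real data)
AUTH_LOG = """\
2016-09-12T07:55:00|login_success|alice|203.0.113.10|AU
2016-09-12T07:58:00|login_success|carol|203.0.113.12|AU
2016-09-12T08:09:31|login_success|alice|198.51.100.77|RO
2016-09-12T08:10:00|login_success|bob|198.51.100.20|RO
2016-09-12T09:20:15|login_success|carol|203.0.113.12|AU
2016-09-12T09:21:40|login_failure|carol|198.51.100.5|US
"""

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(log, fields):
    """Split pipe-separated lines into dicts and parse the ISO timestamp."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split("|")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def correlate(email_log, auth_log, window=WINDOW):
    """Return alerts for malicious clicks followed by a login from a new country.

    A country is 'new' if the user had no successful login from it before
    the click. Failed logins never count towards the baseline or the alert.
    """
    clicks = parse(email_log, ["ts", "event", "user", "url", "verdict"])
    logins = parse(auth_log, ["ts", "event", "user", "src_ip", "country"])
    alerts = []
    for c in clicks:
        if c["event"] != "url_click" or c["verdict"] != "malicious":
            continue
        user_logins = [l for l in logins
                       if l["user"] == c["user"] and l["event"] == "login_success"]
        # Baseline: countries this user had already logged in from before the click.
        baseline = {l["country"] for l in user_logins if l["ts"] < c["ts"]}
        if not baseline:
            # No history to compare against; a production rule would fall back
            # to an organisation-wide baseline rather than alerting on everything.
            continue
        for l in user_logins:
            in_window = c["ts"] <= l["ts"] <= c["ts"] + window
            if in_window and l["country"] not in baseline:
                alerts.append({
                    "user": c["user"],
                    "click_ts": c["ts"].isoformat(),
                    "url": c["url"],
                    "login_ts": l["ts"].isoformat(),
                    "src_ip": l["src_ip"],
                    "country": l["country"],
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(EMAIL_LOG, AUTH_LOG):
        print("ALERT: possible account compromise", a)
```

In the sample data only alice trips the rule: bob's login from a new country follows a click the gateway judged clean, and carol's login after her malicious click comes from a country already in her baseline, while the failed attempt from elsewhere is ignored. That is the point of correlating the two sources rather than alerting on either alone.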