The threat of cyberattacks continues to overwhelm many organisations, and it’s simply not a matter of ‘if’ but ‘when’ corporate networks will be breached by hackers.
At this month’s CIO Summit in Melbourne, IT leaders from organisations in many industries gathered for a roundtable luncheon to discuss the measures they are using to minimise the risk of cyber threats with a particular focus on the weakest link in any security strategy – email. The luncheon was sponsored by Mimecast.
Nicholas Lennon, country manager, at Mimecast, said email is the lifeblood of business productivity and a direct route to attack employees, and traditional email gateways no longer provide good enough protection.
“Inbound links and their source domains need to be analysed and checked in real-time. Simple email attachment policies need to be upgraded with a sandbox or transcription service to combat weaponised Office documents and PDF files,” Lennon said.
Lennon added that primary cloud services like Microsoft Office 365 are growing quickly in Australia and present old and new risks to organisations.
“Multiple layers of security are still required, especially as a popular cloud service becomes one giant lock to pick. Email is so critical to the daily operations of banks, hospitals, and governments, that secure backup systems are needed,” he said.
Suzanne Hall, ICT manager at VincentCare Victoria, said to minimise risk of all threats, all emails at the organisation are run through two filters. The ICT team also conducts frequent and ongoing education and training for staff regarding emails, potential for viruses and the consequences of virus attacks.
“To minimise the potential damage of email threats, VincentCare uses a regimented Active Directory security structure to manage user access to applications, data, and network drives.
“In the event of a virus attack, the attack is contained to data, files, and network drives accessible to the user who clicked on the email threat. The security structure limits a viruses’ ability to spread throughout our ICT environment,” Hall said.
“Also since moving to a private cloud in 2014, there has been an increased ability for fast data recovery in the event of a virus attack. Data can be quickly restored from the previous night’s online backups as opposed to having a restore from tape backups, which was a longer process when data was stored on-premise.”
Wendy Pryor, head of digital and emerging technology, at Museum Victoria, said the organisation has introduced Exchange Online Protection in the cloud, which provides anti-spam and anti-virus services.
“Our strategy is multi-faceted and includes maintaining and updating policies and procedures and acting on them, and activating the ‘human firewall’ through ongoing education of staff.
“It’s also about implementing a patch management strategy as well as updating app software to current versions; monitoring and acting on alerts from multiple sources; maintaining a regime for data backups and snapshots; and isolating affected machines in the event of a threat,” Pryor said.
Law firm, Griffith Hack has a full time staff member whose main focus is network and security, said CIO, Andrew Mitchell.
“We do not allow direct downloading of any software from the internet. If there is a business requirement, IT will review, download and test accordingly before installation,” he said.
The need for data classification
Data is more valuable the ever before and organisations need to pay special attention to customer, financial, and intellectual property, said Mimecast’s Lennon.
This makes data classification an important part of any security strategy. VincentCare classifies data into two categories: critical data/apps, and other data/apps.
“We classify data for disaster recovery (DR) purposes rather than for security purposes,” said ICT manager, Suzanne Hall.
“Our critical data is replicated to a secondary data centre for DR to ensure they are fully recoverable within the required timeframes in the event of an IT disaster.
Griffith Hack’s Mitchell said the organisation has not classified its data as every piece of information either received or sent out is captured. However, his company does classify data at a systems level, he said.
“For example, all incoming email is captured and distributed properly to a relevant individual or group. We do monitor due to a business process requirement and we do have security policies for every document created internally,” he said.
Museum Victoria’s Pryor said the company has commenced the process of data classification to inform its storage planning.
“The results of classification will flow into our business continuity plan and cloud strategy because we will be much clearer about our requirements,” said Pryor.
Dealing with the fallout after an attack
How an organisation responds to an attack and communicates with internal staff and external customers can often determine the extent of reputational damage.
The everyday implications of a data breach are now well understood, and there are costs associated with loss of data, breach remediation, PR damage limitation and fines, said Mimecast’s Lennon.
“Worse still, there’s a loss of trust and reputation with customers and employees that has a deep and long-lasting impact,” he said. “If your organisation is hacked, you should expect great scrutiny on your security investments in technology and training,” he said.
“Australia will soon introduce mandatory data breach notification laws and organisations need to ensure they begin planning for these into their disaster scenarios to reduce the risk of future fines.”
In the event of a breach, internal communications would be provided as soon as it was identified – stating the nature of the attack while telling users what to look out for, and asking them what they have received, said Griffith Hack’s Mitchell.
“For external customers, if it is deemed appropriate to communicate, for instance, something potentially impacting them, then communications would be prepared by the business,” he said.
VincentCare Victoria’s Hall said in the event of a security breach, the extent and implications of the attack will be investigated and contained as far as reasonably practicable.
“The details of the breach will be escalated to executive management for an assessment of risk. All notification to individuals or organisations who may be potentially impacted as a result of the breach, would be through the CEO,” Hall said.
Barrie Williams, senior manager, infrastructure advice and delivery group, at the Department of Treasury and Finance in Victoria, believes threats to an organisation’s operational functions should be addressed holistically.
“Executive management must be responsible for establishing a level of risk appetite and the necessary policies, procedures and plans to ensure that a breach would be economically unlikely,” he said.
“And if a breach was to occur, the business has the tools, resources, knowledge, and tested practices to contain, restrain, and terminate the activity. We need to get past the silo mentality of exclusive responsibility. In a working environment, security should be everyone’s responsibility,” he said.