Timing is everything in business. And when it comes to cybersecurity, that time is getting shorter.
In the modern era - as many in the Australian corporate community have seen recently - businesses have hours, and sometimes only minutes, to address what can be devastating attacks on their organisations.
Those attacks can come with real reputational and financial consequences. The University of New South Wales estimates cybercrime costs the economy in Australia $A42 billion a year.
The best form of attack against these threats is defence. Indeed, the defence in depth principle is the approach used at ANZ.
This principle is based on the view that cybersecurity isn’t about a single function or component working within a business in isolation. Instead, security considerations are required across all areas of an organisation - from technology, to processes, and people.
Ultimately, multiple layers of security measures, or controls, can significantly improve an organisation’s defence.
Resilience against cyberattacks is something organisations can build in many ways. At ANZ we often get asked by our customers ‘what can my company do to better protect ourselves?’
The answer can feel quite complex, but cybersecurity frameworks have some simple pillars which can be put in place to support a strong defence.
This is an edited excerpt of a presentation given to ANZ customers in Melbourne on November 10.
The first is to identify the risks within your organisation, and form a comprehensive understanding of your business’ services, systems, assets, data and capabilities.
For many large, modern organisations with huge volumes of data and numerous critical business services - often supported by a large number of third parties - developing this understanding involves effort. But being cybersecure means knowing what to protect - and what to protect first - when a new threat, vulnerability or incident is discovered.
This requires engagement at all levels across an organisation: both protecting the perimeter of the organisation so the bad guys can’t get in, and deploying appropriate controls within the organisation so that, if an incident does occur, the damage is minimal.
Organisations should be concerned not just about protecting the confidentiality of data, but also about ensuring the integrity and availability of data and services if a cyberattack occurs. This is often referred to as the CIA triad of cybersecurity: confidentiality, integrity and availability. Resilience of this type requires vigilance from everyone in an organisation, and across its partnerships - as well as the technical capability to ensure secure operation of services.
It is critical to focus on identifying and protecting key services and data. And it is equally important to implement processes to support the timely detection of suspicious activity – in addition to capabilities that help respond to and recover from cyber incidents. Automated monitoring capabilities can play a role in helping to respond quickly and focus on the most critical events.
You can't assume your systems are safe from a cyberattack. Businesses should assume their systems can be breached or compromised. As Robert S. Mueller, a former Director of the United States FBI said: “There are only two types of companies: those that have been hacked, and those that will be hacked”.
To prepare for this world, detailed incident response plans which include the business are required. These plans need to include an approach for recovering services and data impacted as a result of an incident.
Ensuring an effective response also means practising that response at scale. How would your organisation react if it was attacked? What if critical or sensitive data were compromised or damaged, or services disrupted?
While no two incidents will ever be exactly the same, cyberattack ‘fire drills’ can help prepare a business in the event of an attack. And the more times this is done, the more likely the muscle memory of an organisation will kick in through the response. That way it feels familiar when you have to do it in reality.
Plans should anticipate what could go wrong, and provide detailed processes covering everything from how to detect suspicious messages through to responding to a major security incident, including communicating with stakeholders.
Even if you are not a cybersecurity expert, you've probably been reading about cyber incidents recently because of high-profile activity in Australia. It can seem daunting to know where to begin to put in place appropriate protections.
The good news for organisations is there are many cybersecurity frameworks already out there, to help them choose an appropriate strategy depending on the type of business and the types of threat they face.
A comprehensive framework from the United States National Institute of Standards and Technology, known as the NIST Cybersecurity Framework, is in use around the world. It can help organisations put in place a plan to operate across the five pillars of cybersecurity - identify, protect, detect, respond and recover.
The Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents is another framework that aims to help organisations protect themselves. It offers a series of simple, actionable steps for improving cybersecurity, particularly in Microsoft Windows-based, internet-connected networks.
The most effective of the ASD strategies is the ‘Essential Eight Maturity Model’.
The model encourages the use of multifactor authentication. This helps ensure users can only access systems if they authenticate in two different ways - for example something they know (like a password), something they have (like a phone), or something they are (such as a fingerprint).
This goes hand in hand with restricting access to sensitive information and systems. Businesses should ensure staff only have access to the information and systems their role actually requires.
Running regular backups of critical systems is another key ASD recommendation, allowing businesses to recover data if stolen or destroyed.
In addition, keeping your organisation’s operating systems and software up to date to mitigate security vulnerabilities is very important. The Essential Eight encourages regular patching and updating of systems and software across all workstations and systems in an organisation.
It’s exciting to see the opportunities available to people and organisations today – opportunities made possible by technology, data and connectivity that makes work and life in general easier, faster, more accessible and more flexible.
But taking advantage of all modern technology offers can carry risks as its core benefits of speed and reach also appeal to those with ill intent. It is little wonder cybersecurity has become such a vital part of business opportunity.
Creating a sense of shared responsibility in an organisation, facilitated through clear communication across security, technology teams, the business and key partners, can help empower leaders to make informed decisions about balancing operational benefits against risk.
Cybersecurity is ultimately a business issue and requires focus from everyone in an organisation. Educating teams on the risks and their roles can significantly improve an organisation’s cybersecurity capability.
Comprehensive cybersecurity may seem overwhelming, but the task can be broken down into a set of cybersecurity capabilities that work together to improve resilience, enabling organisations to protect against and respond quickly to cyberattacks.
Timing is everything. And with cybersecurity, the best time to start improving capability is now.
Lynwen Connick is Global Chief Information Security Officer at ANZ
This publication is published by Australia and New Zealand Banking Group Limited ABN 11 005 357 522 (“ANZBGL”) in Australia. This publication is intended as thought-leadership material. It is not published with the intention of providing any direct or indirect recommendations relating to any financial product, asset class or trading strategy. The information in this publication is not intended to influence any person to make a decision in relation to a financial product or class of financial products. It is general in nature and does not take account of the circumstances of any individual or class of individuals. Nothing in this publication constitutes a recommendation, solicitation or offer by ANZBGL or its branches or subsidiaries (collectively “ANZ”) to you to acquire a product or service, or an offer by ANZ to provide you with other products or services. All information contained in this publication is based on information available at the time of publication. While this publication has been prepared in good faith, no representation, warranty, assurance or undertaking is or will be made, and no responsibility or liability is or will be accepted by ANZ in relation to the accuracy or completeness of this publication or the use of information contained in this publication. ANZ does not provide any financial, investment, legal or taxation advice in connection with this publication.