Enhanced cyber security posture

The Australian Cyber Security Centre’s (ACSC) most recent alert² points to an increasing threat of deployment of destructive malware, triggered by events in Ukraine.

While many organisations can implement enhanced measures some are now overwhelmed with the scale of unactionable threat intelligence and third party information requests.

To adopt an “enhanced cyber security posture” you should consider:

• Triaging and assessing threat intelligence so that it is actionable and meaningful.
• Implementing additional measures to boost monitoring, detection and cyber defences.
• Revisiting and validating risk-based decisions and determining if your risk tolerance still holds in a threat environment that is likely to be sustained for longer.
• Giving clear and updated advice and training to all employees – they are your first line of defence.
• Urgently reviewing your risk exposure to third parties (for business continuity and for third parties who may not have active cyber defence capabilities).

Organisations are now being asked to voluntarily comply with proposed amendments currently before Parliament to introduce a requirement to implement a risk management program and enhanced risk measures for systems of national significance.

Voluntary compliance, in the absence of completed industry consultation, puts organisations in a challenging position as the regulatory and industry guidance to ensure compliance is incomplete; yet the ask for you to implement is urgent.

At a minimum you should:

• Migrate from a compliance and maturity based form of cyber assessment to a risk-based assessment.
• Re-assess material risk and identify how threat actors in the current environment can impact your business.
• Understand controls (physical and technical) and re-assess your critical vulnerabilities.
• Assess your third party risk exposure and their role in defending your organisation.
• Be prepared to respond to customers and partners who need to understand your risk profile, as part of their own re-assessment.

Even organisations who are confident about their cyber controls will need to review their preparedness for cyber incidents.

Consider the following:

• Have you implemented lessons learnt from your last cyber simulation exercise? Did your last cyber exercise include worst case scenarios?
• Have you trained delegates to the same standard as primary members of your incident and crisis response teams?
• Are your third party security service providers on high alert and have you clearly articulated expectations, actions and levels of authority in the event they detect a significant breach?
• Have you re-visited your disaster recovery planning and is it realistic?
• Have you tested your response and decision governance (at Board level) in relation to ransomware demands? Do you have a clear legal position on whether you can pay?
• Do you understand the operational constraints of ransomware payments and have you considered the potential reputational and ethical, as well as regulatory and legal issues?
• Do you have the appropriate resources and advisors on call and know how and when you would notify regulators and authorities?