Katherine Ziesing | Canberra
Cyber security is one of those things that many people don’t like to think too much about unless they work in IT. ICT systems are there to be used as a tool, and for many ordinary users the basic assumption is that when you turn on your computer it just works.
Defence does not have that luxury, and it hasn’t had it for some time now, as the Internet of Things expands and holes become increasingly obvious: holes that can cost Defence a strategic edge, or cost industry time and money.
Cyber security is no longer just a “tech” issue for companies. It’s not even just a matter for top management. Today the problem sits firmly in the lap of the company’s board. Among other things, investors and regulators want board members to provide more transparency about major data breaches and their impact on the company’s business.
A KPMG white paper, Cyber Security: It’s not just about Technology, looks at the five most common mistakes that organisations make in their cyber fight.
Mistake One: We have to be 100 per cent cyber secure.
Reality: It’s just not feasible nor appropriate.
Mistake Two: When we invest in best-of-class technical tools, we are safe.
Reality: Effective cyber security is less dependent on technology than you think.
Mistake Three: Our weapons have to be better than those of the hackers.
Reality: The security policy should primarily be determined by your goals, not those of your attackers.
Mistake Four: Cyber security compliance is all about effective monitoring.
Reality: The ability to learn is just as important as the ability to monitor.
Mistake Five: We need to recruit the best professionals to defend ourselves from cyber crime.
Reality: Cyber security is not a department, but an attitude.
It’s that last mistake that we hear the most about. Cyber awareness in every person will be key to a secure workplace, and to a secure personal life as well. The reality is that anything connected to the internet should be treated as vulnerable, as effectively public, and as reachable by a determined attacker.
PwC’s latest Global State of Information Security Survey 2017 reiterates this theme of people.
“We understand cyber security is not a technology issue – it is about people, it is about information and it is about coordination. In Australia, we need to increase the cyber security awareness in both the public and private sector with the view to establishing a layered approach for sharing information among different industries,” according to Steve Ingram, PWC’s Asia-Pacific Cyber Lead.
It also contains some interesting statistics, based on responses from 10,000 companies around the world. The cloud now delivers almost half of all IT services globally. Australia is ahead in using cloud-based threat management software, with 77 per cent of respondents using such technologies compared to the global average of 62 per cent. However, Australia is well below global standards when it comes to identity and access management and the collaborative sharing of threat information.
Collaboration is not easy and usually happens behind closed doors in this space. As John Hilvert writes on p.42, Australia’s cyber security strategy has now been in place for a year but it lacks resources and details in numerous areas, statistics being one of them.
Consider this quote from the Australian Cyber Security Centre’s 2016 threat report:
“Between July 2015 and June 2016, CERT Australia responded to 14,804 cyber security incidents affecting Australian businesses, 418 of which involved systems of national interest (SNI) and critical infrastructure (CI).
“CERT Australia relies heavily on the voluntary self-reporting of cyber security incidents from a wide variety of sources throughout Australia and internationally and therefore does not have a complete view of incidents impacting Australian industry.”
As the saying goes, if you can’t measure it, you can’t improve it. Voluntary reporting is all well and good, but why would a company disclose a data breach if it didn’t have to? This culture of secrecy is changing, but at a pace to rival that of your average garden snail.
This will increasingly become an issue under the Privacy Amendment (Notifiable Data Breaches) Act 2017, which from February 2018 makes reporting mandatory for data breaches involving personal information. How long will it take for such mandatory reporting requirements to reach Defence?