When Australia’s Cyber Security Strategy was launched over a year ago, it set out a bold vision for strengthening cyber defences in order to build trust and enable innovation, growth and prosperity.
More than one year on, we’re pleased to say that the first annual update has reaffirmed this vision. In particular, it has placed new emphasis on improving prevention strategies to build the strongest possible cyber defences.
This is very timely, because as we have seen over recent months, the world’s networks and systems are vulnerable to attacks like WannaCry, Adylkuzz and Petya. This really is only the tip of the iceberg. Ransomware already costs the Australian economy $1 billion annually, and there are many more, and more sophisticated, attacks to come in the next few months and years.
In this post, we review what the update includes to counter these threats. We also look at some of the ways you can help your own organisation manage potential software vulnerabilities and make your own cyber defences as strong as possible.
What is the Australian Government’s Focus?
Principally, this first annual update stresses the need to continue the focus on building resilience within organisations and industries to withstand and recover from cybersecurity incidents. As such, it advocates more direct and deeper conversations between government and businesses to prevent attacks happening in the first place.
In addition, the update tells us that the Australian Signals Directorate (ASD) has provided a new set of guidelines, named the Essential Eight, which sets out a contemporary global cyber security standard with practical steps organisations can implement to make their networks and data more secure.
There are many more examples within the report of such measures and how they have developed in the last 12 months – if you want the full version, you can download it here.
What Actions Should You Consider Within Your Own Organisation to Play Your Part?
The fact is, every year thousands of software vulnerabilities are discovered, across an ever-increasing number of products, leaving organisations exposed. The exploitation of these vulnerabilities through malicious attacks causes extensive damage to organisations of all sizes, public or private, regardless of industry.
It is absolutely the responsibility of all business leaders to address this now (i.e. on their own, individual level) and not just rely on government to solve the problem for them. As the Cyber Security Strategy states, what Australia needs to do is build an economy that is founded on resilience and trust. Any business that fails to support that vision will not be contributing to the cause.
There are a number of things that businesses should be doing to make this happen. For example, they could follow the top 4 mitigation strategies for targeted cyber intrusions, which have been mandatory for Australian Government organisations since April 2013. They should also follow the advice of the Australian Signals Directorate, which has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, ‘business email compromise’ and industrial control systems.
Widening the Responsibility for Security
However, as the Cyber Security Strategy recognises, prevention these days is not just about catching and stopping the attackers. It also means having a systematic approach for reducing the attack surface and responding appropriately to threats that may present themselves.
As experts in vulnerability management, we couldn’t agree more. However, we also believe this will require something of a change in mindset for many organisations.
This is because such an approach means many organisations will need to take a fresh look at how cybersecurity is perceived and how roles and responsibilities across the business are determined. These days, you can’t just leave risk reduction and attack response to IT or security teams. Security must become an organisational discipline – one where all stakeholders have a role to play.
For example, it’s still very common that organisations treat vulnerability management as just finding the vulnerabilities, rather than thinking about what needs to be done across the business to effectively reduce the number of neglected, unpatched vulnerabilities. In fact, a Gartner report recently stated that its clients “find the coordination and orchestration of vulnerability remediation efforts a perennial point of operational failure for vulnerability management projects”. The consequence of such operational failure is that we continue to see successful attacks – undetected by intrusion detection and other security technologies – exploiting old, well-known vulnerabilities.
To avoid this, it’s vital that organisations work together as a whole to reduce the number of vulnerabilities. This starts with operational tasks that have a strong impact on security posture, such as asset management, application packaging and deployment, and vulnerability and patch management.
As the Australian Cyber Security Strategy points out, essential operational tasks have a great positive impact on security posture and risk reduction. The ASD provides guidance on the priorities and actions that have the greatest impact. They are all relatively simple to implement. What is difficult is taking a different view of old bad habits and general neglect. Change can be achieved by taking inspiration from this great initiative to align people, processes and technology around the common objective of making businesses more secure.