Experts share cyber-resilience action plan at November summit
Next month’s flagship Cyber-Resilience and Security Summit spotlights 25+ presentations representing the government, healthcare, utilities, insurance, defence, aerospace, and higher education sectors.
This virtual summit, being held 24-26 November, goes behind the news with independent insights from experts examining the outlook for cyber-threats, and why organisations are investing more actively in cyber-security.
The summit explores the Australian Government’s $1.67 billion cyber-resilience action plan over the next 10 years. Across government and industry, moves are underway to protect critical infrastructure and information assets.
According to Angela Donohoe, chief information officer of the online payment platform BPay, data protection is a critical element for security planning. This includes protecting data from unauthorised access, malicious or otherwise, or data loss from system failure and poor backups.
Risk management strategies
“Reviewing our risk management approach is to understand where to focus our future efforts,” notes Donohoe. “This is to ensure the key items for the business are protected.”
BPay’s security planning incorporates monitoring ‘events’ involving an attack, together with ‘uplifting and maturing’ the cyber incident response planning and training effort.
BPay supports more than 150 financial institutions, and its platform is used to pay more than 45,000 bills.
In the fast-changing cyber-space, organisations also benefit from compliance with domestic or international regulation, Donohoe observes.
This compliance incorporates protecting PI systems that gather data from disparate sources and offer a ‘safe harbor’ for the real-time and historical information exchange.
This exchange is between the IT and OT networks that support infrastructure, including those within manufacturing, utilities, or defence.
Ownership and collaboration
“We don’t believe cyber-resilience awareness is enough,” adds Donohoe. “We invest in strengthening our cyberculture. This approach shifts the focus from education to ownership and collaboration.”
BPay collaborates with the business at all levels. “Keeping the conversations open about security and how it affects all parts of the business engrains security into the thinking of our business.
“The security team is not a monitoring or policing style team, but a support function of the business.”
More recently, there was a massive growth in the size and importance of data for business. “Before, the data focus was on storage and lifecycle management,” says Donohoe.
“But advances in analytics and machine learning, and demand for real-time access and performance present new challenges. The costs and obligations associated with data management and security are areas of focus.”
Beyond the blame game
Jo Stewart-Rattray, chief information security officer of the aged-care service provider Silver Chain, cautions that it may be easy to blame someone else for inadequacies, with refrains such as “government isn’t doing enough.”
University courses may be outdated or graduates not quite work-ready. “But it’s up to each organisation to do their bit in protecting the environment,” observes Stewart-Rattray.
Higher education, government agencies, or industry bodies can share best-practice guidelines. “But it still comes back to each organisation that has a duty of care with its security planning.
“Security needs to be front of mind for everyone from the Board through the organisation’s structure.”
This awareness incorporates communication and education, starting from staff induction through to the career journey within an organisation.
Citing Silver Chain’s experience, Stewart-Rattray says using “friendly phishing” and social engineering campaigns helps, together with well-crafted bulletins about new scams or threats.
The Silver Chain network is supported by 3000 staff and 400 volunteers.
Poorly managed cyber incidents significantly impact organisations’ reputation or business processes, observes Megan Motto, CEO of the 7,600-member Governance Institute of Australia.
The uptick in working from home, among other remote collaboration arrangements, underscores the ongoing dangers of cyberattacks.
“Home set-ups are typically less secure, employees may be using several devices that can complicate security measures, and there is more data shared over the internet.”
Planning around cyber-resilience protects the business and reins in costs. Robust and tested cyber incident responses help restore operations swiftly.
“Without this, any organisation being attacked could be paralysed for days or weeks,” adds Motto.
Quirks of human behaviour
Simon Carabetta, the WA AustCyber Innovation Hub’s cyber-awareness lead, says organisations need a clearer understanding of why cybersecurity is important and why it should be taken seriously.
“Gaining that C-Suite buy-in is the vital step,” he observes. “However, this goes further beyond into human behaviour and a better understanding of why people do the things they do.”
“Cyber-security underpins almost everything we do, no matter who we are,” notes Carabetta.
“This is critical across the spectrum of society – from individuals and families to government, small businesses, and multinational corporations.”
For too long, cybersecurity was the ‘soft’ vector of attack for those seeking information, bringing organisations down, or going after money.
Target on our backs
“It is vital people understand we all have a target on our backs, regardless of our role in society,” adds Carabetta. “What we need at this point is more cohesion and partnership between government, industry, and academia.”
With a domino-effect, organisations cannot take a siloed approach to cybersecurity. “It is unmistakably clear that one targeted cyberattack impacts everyone else within the chain.”
Many of the threats facing organisations are similar, according to the University of NSW’s chief data officer, Kate Carruthers. “But the big one nowadays is ransomware. Organisations need to be ready to deal with this. This was prevalent in the US and UK and is coming our way.”
Being cyber-savvy involves directors acknowledging their obligations, including those involving privacy legislation, the duty of care, and diligence.
Cyber resilience, data management, and data governance are inextricably linked. “In essence, they are all ways to manage organisational risk,” adds Carruthers.
Register for the Cyber-Resilience and Security Summit by visiting the event site.