Whitepaper | Cyber resilience in the age of digital transformation
CYBER-RESILIENCE IN THE AGE OF DIGITAL TRANSFORMATION
For organisations pursuing business growth and success, innovative technologies
offer plentiful opportunities. Since success also depends on trust from consumers and
customers, the credibility of an organisation becomes essential. As society becomes
hyper-connected with machines “talking” to one another to generate a bigger
digital footprint, and customers sharing more data and information, the need for
assurance that all critical data and information are protected becomes paramount.
We are living in an always-on world using different communications devices,
systems and networks. As privacy and protecting one’s identity is becoming
increasingly important, the task of protecting these devices, systems and
networks from cyber attack is no longer an option, it is a necessity.
There are many possible motives for anyone to launch a cyber attack, but what matters
to an organisation are the likely consequences it has or does not have to bear after
the attack. Organisations should aim to reduce security risk and vulnerability and
facilitate faster, more effective response plans. But they also must understand how cyber
attacks could have other impacts, including the reduction or loss of credibility and
brand equity, disruption of critical operational processes and financial implications.
WHAT DOES IT MEAN TO BE CYBER-RESILIENT?
HOW CAN ORGANISATIONS PROTECT THEMSELVES IN A DYNAMIC THREAT ENVIRONMENT?
IMPACT OF CYBER ATTACKS
The evolution of the security landscape is fast and complicated.
Many studies carried out on cyber attacks over the years have
noted the accelerated proliferation, increased level of sophistication
and the change in targeting of attacks.
According to the Australian Cyber Security Centre (ACSC)
Threat Report [1], the Australian Signals Directorate (part of ACSC)
responded to 1,095 cyber security incidents on government
systems, “considered serious enough to warrant operation
responses”, within just an 18-month period from January 2015 to
June 2016.
CERT Australia reported that, in Australia, the highest number of
systems that were compromised were found in the sectors of energy
and communications; the highest incident of Distributed Denial of
Service (DDoS) activity was found in banking and financial services
and the communications sector; and the most malicious emails
were received by the energy sector and the mining and resources
sector. But, this does not mean that other sectors are spared.
In May 2017, a ransom attack demanding payment in Bitcoin
was executed by cyber hackers who launched the WannaCry
cryptoworm, which encrypted a target’s data. This was shortly
followed by the Petya cyber attack that distributed a ransomware
virus targeting computer servers across the globe. While these
incidents received prominent news coverage in different media
outlets, many more sophisticated, successful but unheard of attacks
are still taking place every second of every day.
The consequences of cyber attacks can be devastating to
businesses and organisations to which consumers and customers
have entrusted their personal data and information – but also
to the individuals affected.
For businesses, enormous costs could be incurred as a
consequence of a cyber attack, from business interruptions and
the diversion of staff and resources, remediating and recovering
systems and data, and the need to pay for public relations and
media management. But they should also factor in the possible
fines, and damage to reputation and consumer loyalty. The
resources used to respond to a breach as a result of a cyber attack
may far outweigh the investment required to implement suitable
security controls.
According to the 2016 ACSC Cyber Security Survey [2], the most
common consequence of an attempted or successful breach was
loss of time, either spent resolving the issue or through the inability of
staff to continue to work. Of those surveyed in the report, 39%
of organisations also felt the financial impacts mainly derived
from the further investment needed to prevent future incidents or
the costs associated with external repair and recovery.
In Australia, despite the Privacy Act 1988 [3], which regulates
how individuals’ information is handled, consumers
and customers are increasingly concerned about the
storage of their private information which, if stolen, could be
leveraged to commit fraud, identity theft or wreak financial
havoc through, for example, false credit card charges or more.
In fact, cyber attacks can affect an entire country. As ASIC [4]
points out, they can ‘undermine businesses, destabilise fair,
orderly and transparent markets and erode investor and
financial consumer trust and confidence in the financial system.’
White paper: Cyber-resilience in the age of digital transformation
[1] ACSC, 2016 Threat Report, https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf.
[2] ACSC, 2016 Cyber Security Survey, https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf.
[3] Australian Government, Office of the Australian Information Commissioner, https://www.oaic.gov.au/privacy-law/.
[4] ASIC, Building Resilience: The Challenge of Cyber Risk, http://download.asic.gov.au/media/4120903/speech-medcraft-acci-dec-2016-1.pdf.
(Infographic: figures from the 2016 ACSC Cyber Security Survey [2] on the share of surveyed organisations that have a process in place to identify critical systems and data, that regularly review and exercise their response plans, and that tend not to identify cyber security threats or vulnerabilities until after they have manifested into a compromise.)
[5] ACSC, 2016 Cyber Security Survey.
[6] McAfee, Achieve Resilient Cyber-Readiness Guide, https://www.mcafee.com/au/resources/solution-briefs/sb-achieve-resilient-cyber-readiness.pdf.
POINTS OF VULNERABILITY
The need for organisations to be cyber-resilient arises not only
because of the evolving and proliferating external threats, but also
the way our workplaces have changed over the years. While
connectivity and the Internet bring huge benefits to our workplace
(and lives), they represent a viable target for malicious actors.
Shifts in the way people work and enjoy leisure, as well as the need
to always stay connected through technologies have increased
points of vulnerability. Every single connection between a network
and an Internet-enabled device, system or network can represent a
potential security threat.
Our devices have become smaller, more powerful, and more
connected through the use of applications. For example, an
employee is more likely to send an email, communicate and
collaborate through the use of their mobile phone, tablet or laptop
while on the move than waiting to be back at their desk to perform
the same tasks.
There is also an unprecedented number of conversations and
discussions about how organisations can use data and analytics
to improve their bottom line. This means integrating systems and
networks to facilitate data collection and amalgamation.
All these represent potential points of vulnerability.
When organisations are not protecting their critical infrastructure,
data and information through the use of a proper plan, they are
exposed to risk. According to the ACSC 2016 Cyber Security
Survey [5], ‘only 56% of organisations surveyed have a process
in place to identify critical systems and data’ and ‘of the 71%
of organisations with a response plan in place, fewer than half
(46%) regularly review and exercise these plans’. Meanwhile, ‘a
high proportion (43%) of organisations indicated they tend not to
identify cyber security threats or vulnerabilities until after they have
manifested into a compromise.’
All of this means that a new form of security and protection
is needed to address this evolving landscape. It is no longer
sufficient to simply be cyber-ready to prepare for security incidents.
Organisations need to be cyber-resilient.
BE CYBER-RESILIENT
In this new age of digital transformation and disruption, old ways of
looking at security deserve examination.
While being cyber-ready means having the ability to detect, prevent
and respond to cyber threats, cyber-resilience is about taking a step
further with a holistic view to understand how organisations can
protect themselves from the many ways that cyber attackers could
target them – and arm themselves with a strategy over a cycle of
preparation, response and recovery to not only detect, withstand
and recuperate after an attack, but continue to operate.
The foundation for cyber-resilience is the protected environment. So
organisations need a clear definition of what are critical systems or
assets, and how they should be protected. The value of the critical
system or asset must be known. Details surrounding that system or asset,
such as vulnerabilities and security controls that are protecting it, are
required in order to have a comprehensive understanding of what
needs to be done.
MCAFEE [6]
How to be cyber-resilient? Cyber-resilient organisations identify
their important assets and implement a framework to protect
them. They identify critical assets that need to be protected in
order to withstand security breaches that affect the integrity and
confidentiality of data, or the availability and operation of critical
online services or infrastructure. They continue to operate their
business securely while addressing any security issues that may
arise.
There is no one single point technology or solution that can control
the risks all cyber attacks pose. So cyber-resilience is about
reducing risk to a level acceptable by key stakeholders, addressing
incidents effectively, and then learning from them. It is about
operating in a state of continuous learning and improvement, to
learn from past incidents and adapt to the evolving landscape.
Cyber-resilience is a combination of the big picture: leadership,
framework, policies and procedures, while operationalising
better security. It’s about using a risk-based approach that does
not only hold IT accountable but spreads responsibility throughout
the organisation. It’s making sure companies have the will and
motivation, and then following through by allocating effort and
resources to better their cyber security by implementing technical
controls.
STEPS TO CYBER-RESILIENCE
Cyber-resilience is a continuous process of continual awareness: understanding what is
on the network, who is on the network, and what is happening inside and outside the
network. The steps to cyber-resilience involve the preparation of a planned response
for cyber attacks, what to do in the case of cyber attacks, and what to do afterwards.
STEPS TO CYBER RESILIENCE [7]
PLAN A RESPONSE
++ How can you monitor your environment?
++ What processes do you have in place if an attack happens?
++ Who is responsible to respond in your company?
++ Who are your critical stakeholders (including legal and communications)?
++ What are your critical systems?
++ Do you have a risk management plan? Standard operating procedures? System security plans? Are they up to date?
++ What kind of agreements do you have with your IT service providers in the case of a cyber attack? How will they respond? What kind of support can they give you?
++ How can you design and build a system so that it is cyber-resilient?
RESPONDING TO A CYBER ATTACK
++ Who in your organisation needs to be activated to respond to a cyber attack?
++ How quickly and easily can they be marshalled?
++ Can you identify and isolate servers, workstations or devices that are infected or affected?
++ Who do you need to contact and how if the attack takes place outside of business hours?
++ Are all your cyber-resilience solutions up to date, so that you are not trying to respond to an attack in real time, based on information that is out-of-date?
++ Are you basing your response on actionable information, based on empirical data, that is as relevant as possible to achieve rapid incident response?
AFTER A CYBER ATTACK
++ After cyber attacks have occurred, how do you improve and measure the risk management of your network?
++ Are you aware of, and can you comply with, the NDB scheme?
++ Which stakeholders do you need to report to? Have you got clear policies in place to do this?
++ Will you report the incident to the ACSC to help them to contain the threat and prevent similar attacks on other organisations?
Multiple domains of information and an enterprise
framework that supports machine-to-machine data collection
must be bridged for a cyber-resilient data strategy.
A security operations centre framework must be built with
scalable data collection capabilities.
The management platforms must be interoperable, allowing
integration with external intelligence and computerised
decision support systems.
A centralised management console is needed for discovery,
prevention, detection, response, and audit, enriched with
threat intelligence feeds.
WHAT DOES A CYBER-RESILIENT ORGANISATION LOOK LIKE? [8]
++ Maintains a strong awareness of the changing landscape of security
++ Proactively identifies risks before they manifest
++ Creates and facilitates a strong security culture and awareness across the business
++ Recognises that everyone across the business has a role to play in the overall security and security posture of the organisation
++ Has clear response plans and procedures
++ Includes cyber-security in governance and reporting
[7] Adapted from McAfee, Achieve Resilient Cyber-Readiness and the ACSC, 2016 Threat Report.
[8] Adapted from ACSC, 2016 Cyber Security Survey.
MANAGED SECURITY
A multitude of malicious cyber attacks are happening all the time
and from all directions, attempting to attack multiple endpoints
simultaneously to breach corporate networks or systems. It is
clear that the magnitude of cyber security problems requires
cyber security to be managed well. Individual, piecemeal and
uncoordinated responses to incidents as they occur make it
difficult to protect assets.
Therefore, a comprehensive framework is needed: one that
identifies the risks to assets and puts controls in place
to ensure the confidentiality, integrity and availability of IT systems.
At the same time, the framework will need to address the people,
processes and technology required to implement the controls.
Organisations have begun to realise the importance of security
and started implementing security frameworks to better protect
themselves. With the fast-evolving nature of cyber threats and
scarce security expertise, managed security services provide the
necessary framework, technology, experience and people to
support organisations’ evolving security posture. Nexon’s managed
security services provide organisations with the capacity to
detect and investigate security incidents, contain them where they
happen, and then restore affected systems to the state they were in
before the incident.
Nexon’s managed security services are automated and simple,
allowing organisations to be ahead of the game instead of
floundering with manual processes. They integrate all security
solutions, whether firewall or antivirus, IPS or gateway, so that they
can be managed at a central location, through a single interface
or through Nexon. Key components of Nexon’s managed security
services include:
++ Managed end-point protection solution to cover anti-virus and
malware, application blocking and control, web filtering and
USB device control to provide protection through any possible
cyber attack vectors.
++ Perimeter management solution, including next generation
firewall with advanced threat prevention, zero-day threat
prevention, edge category-based URL filtering and secure
remote access.
++ Cloud-based email security and continuity to prevent spam and
phishing attacks from reaching users, to protect users from URLs
embedded in emails and to provide emergency inbox access.
NOTIFIABLE DATA BREACHES (NDB) SCHEME [9]
The scheme, established in 2017, requires
organisations covered by the Australian Privacy Act
1988 (Privacy Act) to notify the Office of the Australian
Information Commissioner (OAIC) and the individuals
likely to be at risk of serious harm from a data breach.
OTHER RESPONSIBILITIES INCLUDE:
++ Conduct quick assessments of suspected data
breaches to determine if they are likely to result in
serious harm
++ Recommend steps to minimise any damage from
the data breach
CONSEQUENCES OF NON-COMPLIANCE:
If an organisation does not follow through on notifying
clients in the case of security breaches, it may be
required to either:
++ Pay compensation
++ Issue a public apology
++ Have their customers notified by the Privacy
Commissioner
If the situation is serious or repeated, the organisation
could be fined up to $1.8 million.
[9] Australian Government, Office of the Australian Information Commissioner, https://www.oaic.gov.au/.
SUMMARY
Today’s landscape of cyber threats is more complex than ever
because of the mobile nature of our workforce and a rapidly
expanding data footprint. Organisations need to put resources
and attention into planning and preparation, instead of a
reactive response.
Transitioning from a cyber-ready to a cyber-resilient organisation
means formulating a plan for detection, protection and response
through an integrated and mature security framework, covering
people, processes and technology.
Being cyber-resilient today means making governance and
policies, access and identity management, proactive threat
management, infrastructure, and data controls an integral part
of an organisation’s day-to-day security operations. It means
deploying a managed security framework that covers all these
aspects and controlling the risk to the organisation now and in
the future.
SECURITY IS NO LONGER AN OPTION.
IT’S A NECESSARY DISCIPLINE, AND IT’S
NEEDED TO MANAGE ALL ASPECTS OF AN
ORGANISATION’S OPERATIONS, ON A
CONTINUOUS AND ONGOING BASIS.
To find out more about Nexon’s managed security services, call us at 1300 800 000,
email us at enquiries@nexon.com.au or visit nexon.com.au/products/managed-security
CONTACT US TODAY TO DISCUSS YOUR
SECURITY NEEDS AND MOVE CLOSER
TO BECOMING A CYBER-RESILIENT
ORGANISATION.
WHY NEXON?
As an ISO 27001 certified organisation, Nexon’s managed
security services are part of a comprehensive security framework
designed to protect and securely store data and information.
Services include endpoint, perimeter and email security
functions within an integrated platform, enabling the safe use of
applications while maintaining complete visibility and control.
This allows customers and users to confidently pursue new
technology initiatives like cloud and mobility, and to support key
business transformation initiatives, while protecting organisations
from cyber attacks — known and unknown.
Nexon’s services are scalable and flexible and can be tailored
to the size and risk appetite of organisations across various
sectors. Collaborating with leading security providers, Nexon
provides clients access to the expertise and threat intelligence
required in a rapidly evolving regulatory and technology
environment.