Whitepaper | Cyber resilience in the age of digital transformation

Upload: nexon-asia-pacific

Post on 22-Jan-2018

Page 1: Whitepaper | Cyber resilience in the age of digital transformation

CYBER-RESILIENCE IN THE AGE OF DIGITAL TRANSFORMATION

For organisations pursuing business growth and success, innovative technologies offer plentiful opportunities. Since success also depends on trust from consumers and customers, the credibility of an organisation becomes essential. As society becomes hyper-connected with machines “talking” to one another to generate a bigger digital footprint, and customers sharing more data and information, the need for assurance that all critical data and information are protected becomes paramount.

We are living in an always-on world using different communications devices, systems and networks. As privacy and protecting one’s identity is becoming increasingly important, the task of protecting these devices, systems and networks from cyber attack is no longer an option, it is a necessity.

There are many possible motives for launching a cyber attack, but what matters to an organisation is the consequences it is likely to bear afterwards. Organisations should aim to reduce security risk and vulnerability and to enable faster, more effective response. They must also understand the wider impacts a cyber attack can have: reduced or lost credibility and brand equity, disruption of critical operational processes, and financial consequences.

WHAT DOES IT MEAN TO BE CYBER-RESILIENT?

HOW CAN ORGANISATIONS PROTECT THEMSELVES IN A DYNAMIC THREAT ENVIRONMENT?

WHITEPAPER


IMPACT OF CYBER ATTACKS

The evolution of the security landscape is fast and complicated. Many studies of cyber attacks over the years have noted their accelerating proliferation, increasing sophistication and changing targets.

According to the Australian Cyber Security Centre (ACSC) Threat Report1, the Australian Signals Directorate (part of the ACSC) responded to 1,095 cyber security incidents on government systems, “considered serious enough to warrant operational responses”, in the 18 months from January 2015 to June 2016.

CERT Australia reported that, in Australia, the sectors with the highest number of compromised systems were energy and communications; the highest incidence of Distributed Denial of Service (DDoS) activity was seen in banking and financial services and in communications; and the most malicious emails were received by the energy sector and the mining and resources sector. This does not mean that other sectors are spared.

In May 2017 the WannaCry cryptoworm spread across the globe, encrypting victims’ data and demanding a ransom in Bitcoin. It was followed in June by the Petya (NotPetya) attack, which spread ransomware across Windows systems worldwide. Both propagated through the SMBv1 vulnerability fixed by the MS17-010 update that Microsoft had released two months before WannaCry (NotPetya also spread using stolen credentials), so patch latency and flat internal networks, rather than novel techniques, are what turned them into global incidents. While these incidents received prominent news coverage, many more sophisticated, successful but unreported attacks take place every second of every day.

The consequences of cyber attacks can be devastating both to the businesses and organisations to which consumers and customers have entrusted their personal data and information, and to the individuals affected.

For businesses, enormous costs could be incurred as a consequence of a cyber attack, from business interruptions and the diversion of staff and resources, remediating and recovering systems and data, and the need to pay for public relations and media management. But they should also factor in the possible fines, and damage to reputation and consumer loyalty. The resources used to respond to a breach as a result of a cyber attack may far outweigh the investment required to implement suitable security controls.

According to the 2016 ACSC Cyber Security Survey2, the most common consequence of an attempted or successful breach was loss of time, either spent resolving the issue or through staff being unable to continue working. 39% of the organisations surveyed also felt financial impacts, mainly from the further investment needed to prevent future incidents or the costs of external repair and recovery.

In Australia, despite the Privacy Act 1988 3, which regulates how individuals’ information is handled, consumers and customers are increasingly concerned about the storage of their private information, which if stolen could be used to commit fraud or identity theft, or to cause financial loss through, for example, false credit card charges.

In fact, cyber attacks can affect an entire country. As ASIC4 points out, they can ‘undermine businesses, destabilise fair, orderly and transparent markets and erode investor and financial consumer trust and confidence in the financial system.’

White paper: Cyber-resilience in the age of digital transformation

1 ACSC, 2016 Threat Report, https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
2 ACSC, 2016 Cyber Security Survey, https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf
3 Australian Government, Office of the Australian Information Commissioner, https://www.oaic.gov.au/privacy-law/
4 ASIC, Building Resilience: The Challenge of Cyber Risk, http://download.asic.gov.au/media/4120903/speech-medcraft-acci-dec-2016-1.pdf

2016 ACSC CYBER SECURITY SURVEY2

56% of organisations surveyed have a process in place to identify critical systems and data.

71% of organisations surveyed have a response plan in place, but only 46% of these organisations regularly review and exercise these plans.

43% of the organisations surveyed indicated they tend not to identify cyber security threats or vulnerabilities until after they have manifested into a compromise.


5 ACSC, 2016 Cyber Security Survey.
6 McAfee, Achieve Resilient Cyber-Readiness Guide, https://www.mcafee.com/au/resources/solution-briefs/sb-achieve-resilient-cyber-readiness.pdf

POINTS OF VULNERABILITY

The need for organisations to be cyber-resilient arises not only from evolving and proliferating external threats, but also from the way our workplaces have changed over the years. While connectivity and the Internet bring huge benefits to our workplaces (and lives), they also present a viable target for malicious actors.

Shifts in the way people work and enjoy leisure, as well as the need to always stay connected through technologies have increased points of vulnerability. Every single connection between a network and an Internet-enabled device, system or network can represent a potential security threat.

Our devices have become smaller, more powerful, and more connected through the use of applications. For example, an employee is more likely to send an email, communicate and collaborate through the use of their mobile phone, tablet or laptop while on the move than waiting to be back at their desk to perform the same tasks.

There is also an unprecedented number of conversations and discussions about how organisations can use data and analytics to improve their bottom line. This means integrating systems and networks to facilitate data collection and amalgamation.

All these represent potential points of vulnerability.

Organisations that do not protect their critical infrastructure, data and information through a proper plan are exposed to risk. According to the ACSC 2016 Cyber Security Survey5, ‘only 56% of organisations surveyed have a process in place to identify critical systems and data’ and ‘of the 71% of organisations with a response plan in place, fewer than half (46%) regularly review and exercise these plans’. Meanwhile, ‘a high proportion (43%) of organisations indicated they tend not to identify cyber security threats or vulnerabilities until after they have manifested into a compromise.’

All of this means that a new form of security and protection is needed to address this evolving landscape. It is no longer sufficient to simply be cyber-ready to prepare for security incidents. Organisations need to be cyber-resilient.

BE CYBER-RESILIENT

In this new age of digital transformation and disruption, old ways of looking at security deserve examination.

While being cyber-ready means having the ability to detect, prevent and respond to cyber threats, cyber-resilience is about taking a step further with a holistic view: understanding the many ways that cyber attackers could target an organisation, and arming it with a strategy that runs over a cycle of preparation, response and recovery, so that it can not only detect, withstand and recuperate after an attack, but continue to operate.

“The foundation for cyber-resilience is the protected environment. So organisations need a clear definition of what are critical systems or assets, and how they should be protected. The value of the critical system or asset must be known. Details surrounding that system or asset, such as vulnerabilities and security controls that are protecting it, are required in order to have a comprehensive understanding of what needs to be done.” MCAFEE6

How to be cyber-resilient? Cyber-resilient organisations identify their important assets and implement a framework to protect them. They identify critical assets that need to be protected in order to withstand security breaches that affect the integrity and confidentiality of data, or the availability and operation of critical online services or infrastructure. They continue to operate their business securely while addressing any security issues that may arise.

There is no one single point technology or solution that can control the risks all cyber attacks pose. So cyber-resilience is about reducing risk to a level acceptable by key stakeholders, addressing incidents effectively, and then learning from them. It is about operating in a state of continuous learning and improvement, to learn from past incidents and adapt to the evolving landscape.

Cyber-resilience is a combination of the big picture: leadership, framework, policies and procedures, while operationalising better security. It’s about using a risk-based approach that does not only hold IT accountable but spreads responsibility throughout the organisation. It’s making sure companies have the will and motivation, and then following through by allocating effort and resources to better their cyber security by implementing technical controls.


STEPS TO CYBER-RESILIENCE

Cyber-resilience is a continuous process of awareness: understanding what is on the network, who is on the network, and what is happening inside and outside it. The steps to cyber-resilience cover preparing a planned response to cyber attacks, what to do during an attack, and what to do afterwards.

STEPS TO CYBER RESILIENCE 7

PLAN A RESPONSE

+ How can you monitor your environment?

+ What processes do you have in place if an attack happens?

+ Who is responsible for responding in your company?

+ Who are your critical stakeholders (including legal and communications)?

+ What are your critical systems?

+ Do you have a risk management plan? Standard operating procedures? System security plans? Are they up to date?

+ What agreements do you have with your IT service providers in the case of a cyber attack? How will they respond? What support can they give you?

+ How can you design and build a system so that it is cyber-resilient?

RESPONDING TO A CYBER ATTACK

+ Who in your organisation needs to be activated to respond to a cyber attack?

+ How quickly and easily can they be marshalled?

+ Can you identify and isolate servers, workstations or devices that are infected or affected?

+ Who do you need to contact, and how, if the attack takes place outside business hours?

+ Are all your cyber-resilience solutions up to date, so that you are not responding to an attack in real time on out-of-date information?

+ Are you basing your response on actionable, empirical information that is as current and relevant as possible, so that incident response is rapid?

AFTER A CYBER ATTACK

+ After a cyber attack has occurred, how do you improve and measure the risk management of your network?

+ Are you aware of, and can you comply with, the NDB scheme?

+ Which stakeholders do you need to report to? Have you got clear policies in place to do this?

+ Will you report the incident to the ACSC to help it contain the threat and prevent similar attacks on other organisations?

Multiple domains of information, and an enterprise framework that supports machine-to-machine data collection, must be bridged for a cyber-resilient data strategy.

A security operations centre framework must be built with scalable data collection capabilities.

The management platforms must be interoperable, allowing integration with external intelligence and computerised decision support systems.

A centralised management console is needed for discovery, prevention, detection, response and audit, enriched with threat intelligence feeds.

WHAT DOES A CYBER-RESILIENT ORGANISATION LOOK LIKE? 8

+ Maintains a strong awareness of the changing security landscape

+ Proactively identifies risks before they manifest

+ Creates and facilitates a strong security culture and awareness across the business

+ Recognises that everyone across the business has a role to play in the overall security posture of the organisation

+ Has clear response plans and procedures

+ Includes cyber-security in governance and reporting

7 Adapted from McAfee, Achieve Resilient Cyber-Readiness, and the ACSC, 2016 Threat Report.
8 Adapted from ACSC, 2016 Cyber Security Survey.
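As an added example (not code from the original whitepaper, from Nexon, the ACSC or McAfee), the Python script below shows what three of the questions above look like when wired together into a first-response step: "what are your critical systems?", "can you identify and isolate infected or affected devices?" and "are your plans regularly reviewed and exercised?". It joins a small asset register to alert lines from an assumed endpoint/IDS feed and returns which hosts to isolate, ranked by business criticality, while flagging hosts missing from the register and plans not exercised within a year. The register and log formats, hostnames, rule names, severity weights and the one-year review window are all assumptions constructed for illustration.

```python
"""Asset-aware incident triage: which alerted hosts to isolate first.

Added example for this whitepaper, not code from Nexon, ACSC or McAfee. The
register and alert formats, hostnames, rule names and weights are all
assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Constructed asset register (the "critical systems and data" list the survey
# asks about): hostname, criticality 1 (low) .. 5 (high), owner, and the date
# the host's response / system security plan was last exercised (blank = never).
ASSET_REGISTER = """\
hostname,criticality,owner,plan_last_exercised
erp-db-01,5,finance,2016-03-01
mail-gw-01,4,it-ops,2017-09-15
kiosk-07,1,facilities,
hr-fs-01,4,hr,2017-11-02
"""

# Constructed syslog-style alert lines from an assumed EDR/IDS; not real telemetry.
ALERT_LOG = """\
2017-11-03T02:14:09Z edr host=kiosk-07 sev=high rule=ransomware.smb-worm
2017-11-03T02:14:12Z edr host=erp-db-01 sev=medium rule=suspicious.psexec
2017-11-03T02:15:40Z ids host=hr-fs-01 sev=low rule=port-scan
2017-11-03T02:16:01Z edr host=erp-db-01 sev=high rule=ransomware.smb-worm
2017-11-03T02:16:30Z edr host=unknown-99 sev=high rule=ransomware.smb-worm
this line is malformed and must not crash triage
"""

SEVERITY = {"low": 1, "medium": 2, "high": 3}
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) host=(?P<host>\S+) sev=(?P<sev>\S+) rule=(?P<rule>\S+)$"
)


@dataclass
class Asset:
    hostname: str
    criticality: int
    owner: str
    plan_last_exercised: date | None


@dataclass
class Triage:
    hostname: str
    criticality: int          # 0 = not in the register: an inventory gap to close
    max_severity: int = 0
    rules: list[str] = field(default_factory=list)
    stale_plan: bool = False  # plan never exercised, or not within the review window

    @property
    def score(self) -> int:
        # Severity weighted by business value; unregistered hosts get weight 1
        # so a high-severity alert on an unknown box is never silently dropped.
        return self.max_severity * max(self.criticality, 1)


def parse_register(text: str) -> dict[str, Asset]:
    assets: dict[str, Asset] = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        host, crit, owner, exercised = line.split(",")
        when = date.fromisoformat(exercised) if exercised else None
        assets[host] = Asset(host, int(crit), owner, when)
    return assets


def triage(register: str, alerts: str, today: str,
           max_plan_age_days: int = 365) -> tuple[list[Triage], list[Triage]]:
    """Return (isolate, investigate): hosts to contain now, ranked by score,
    and hosts that only need investigation. `today` is an ISO date string."""
    assets = parse_register(register)
    now = date.fromisoformat(today)
    seen: dict[str, Triage] = {}
    for line in alerts.strip().splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue                                     # skip, never abort mid-incident
        asset = assets.get(m["host"])
        t = seen.setdefault(m["host"], Triage(m["host"], asset.criticality if asset else 0))
        t.max_severity = max(t.max_severity, SEVERITY.get(m["sev"], 0))
        t.rules.append(m["rule"])
        if asset is not None:
            last = asset.plan_last_exercised
            t.stale_plan = last is None or (now - last).days > max_plan_age_days
    ranked = sorted(seen.values(), key=lambda t: (t.score, t.criticality), reverse=True)
    isolate = [t for t in ranked if t.max_severity >= SEVERITY["high"]]
    investigate = [t for t in ranked if t.max_severity < SEVERITY["high"]]
    return isolate, investigate


if __name__ == "__main__":
    isolate, investigate = triage(ASSET_REGISTER, ALERT_LOG, "2017-11-03")
    for t in isolate:
        flags = [f for f, on in (("unregistered", t.criticality == 0), ("stale-plan", t.stale_plan)) if on]
        print(f"ISOLATE     {t.hostname:<12} score={t.score:<3} rules={','.join(t.rules)} {' '.join(flags)}")
    for t in investigate:
        print(f"INVESTIGATE {t.hostname:<12} score={t.score:<3} rules={','.join(t.rules)}")
```

On the constructed input the ERP database is isolated first because a high-severity alert on a criticality-5 asset outranks the same alert on a kiosk, the unregistered host still lands on the isolation list because its weight is floored at 1, and the ERP database and the kiosk are both flagged for plans that were never or not recently exercised, which is the gap the survey's 46% figure describes.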


MANAGED SECURITY

Malicious cyber attacks are happening all the time and from all directions, often hitting multiple endpoints simultaneously in an attempt to breach corporate networks or systems. The scale of the problem means cyber security must be managed well: individual, piecemeal and uncoordinated responses to incidents as they occur make it hard to protect assets.

Therefore a comprehensive framework is needed: one that identifies the risks to assets and puts controls in place to ensure the confidentiality, integrity and availability of IT systems, and that addresses the people, processes and technology required to implement those controls.

Organisations have begun to realise the importance of security and have started implementing security frameworks to better protect themselves. With the fast-evolving nature of cyber threats and scarce security expertise, managed security services provide the framework, technology, experience and people needed to support an organisation’s evolving security posture. Nexon’s managed security services provide organisations with the capacity to detect and investigate security incidents, contain them where they occur, and restore affected systems to their pre-incident state.

Nexon’s managed security services are automated and simple, allowing organisations to be ahead of the game instead of floundering with manual processes. It integrates all security solutions, whether firewall or antivirus, IPS or gateway, so that they can be managed at a central location, through a single interface or through Nexon. Key components of Nexon’s managed security services include:

+ Managed endpoint protection covering anti-virus and anti-malware, application blocking and control, web filtering and USB device control, to address the most common endpoint attack vectors.

+ Perimeter management solution, including next generation firewall with advanced threat prevention, zero-day threat prevention, edge category-based URL filtering and secure remote access.

+ Cloud-based email security and continuity to prevent spam and phishing attacks from reaching users, to protect users from URLs embedded in emails and to provide emergency inbox access.

NOTIFIABLE DATA BREACHES (NDB) SCHEME9

The scheme, legislated in February 2017 and commencing on 22 February 2018, requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC), and the individuals likely to be at risk of serious harm, of an eligible data breach.

OTHER RESPONSIBILITIES INCLUDE:

+ Conduct quick assessments of suspected data breaches to determine whether they are likely to result in serious harm (the scheme allows at most 30 days for this assessment)

+ Recommend steps to minimise any damage from the data breach

CONSEQUENCES OF NON-COMPLIANCE:

If an organisation does not notify affected individuals of an eligible breach, it may be required to:

+ Pay compensation

+ Issue a public apology

+ Have its customers notified by the Privacy Commissioner

If the failure is serious or repeated, the organisation could be fined up to $1.8 million.

9 Australian Government, Office of the Australian Information Commissioner, https://www.oaic.gov.au/.


SUMMARY

Today’s landscape of cyber threats is more complex than ever because of the mobile nature of our workforce and a rapidly expanding data footprint. Organisations need to put resources and attention into planning and preparation, instead of a reactive response.

Transition from a cyber-ready to cyber-resilient organisation means formulating a plan for detection, protection and response through an integrated and mature security framework, covering people, processes and technology.

Being cyber-resilient today means making governance and policies, access and identity management, proactive threat management, infrastructure, and data controls an integral part of an organisation’s day-to-day security operations. It means deploying a managed security framework that covers all these aspects and controlling the risk to the organisation now and in the future.

SECURITY IS NO LONGER AN OPTION. IT’S A NECESSARY DISCIPLINE, AND IT’S NEEDED TO MANAGE ALL ASPECTS OF AN ORGANISATION’S OPERATIONS, ON A CONTINUOUS AND ONGOING BASIS.

To find out more about Nexon’s managed security services, call us at 1300 800 000, email us at [email protected] or visit nexon.com.au/products/managed-security

CONTACT US TODAY TO DISCUSS YOUR SECURITY NEEDS AND MOVE CLOSER TO BECOMING A CYBER-RESILIENT ORGANISATION.

WHY NEXON?

As an ISO 27001 certified organisation, Nexon’s managed security services are part of a comprehensive security framework designed to protect and securely store data and information. Services include endpoint, perimeter and email security functions within an integrated platform, enabling the safe use of applications while maintaining complete visibility and control. This allows customers and users to confidently pursue new technology initiatives like cloud and mobility, and to support key business transformation initiatives, while protecting organisations from cyber attacks, known and unknown.

Nexon’s services are scalable and flexible and can be tailored to the size and risk appetite of organisations across various sectors. Collaborating with leading security providers, Nexon provides clients access to the expertise and threat intelligence required in a rapidly evolving regulatory and technology environment.