April 22, 2016
Prime Minister Malcolm Turnbull yesterday released the Federal Government’s cyber security strategy. While noted for its $230m funding commitment, new references to “offensive” capabilities and the appointment of a new Minister for Cybersecurity, the strategy also contains important lessons and warnings for corporates and government alike:
Cybersecurity is one of the most critical commercial and reputational risks facing Australian organisations today. Managing this risk is no longer a technical issue once removed from day-to-day operations; both prevention and response need to be comprehensively embedded in people and systems.
“…cyberspace cannot be allowed to become a lawless domain. Both Government and the private sector have vital roles to play. While governments can take the lead in facilitating innovation and providing security, businesses need to ensure their cyber security practices are robust and up to date.”
FTI Consulting recommends that organisations implement a robust Cyber Security Framework consisting of Policies, Procedures and Practices to ensure they are able to identify, protect against and detect cyber security threats and to respond and recover from cyber security incidents.
FTI Consulting also recommends that organisations undertake a Threat and Vulnerability Assessment of their cyber security risks in the context of their business focus and operations, in order to identify their specific cyber security risks and the relevant security controls as part of a broader Cyber Security Control Plan that will guide future strategic and tactical management of cyber security risk.
These diagnostic tools enable organisations to properly identify and prepare for cybersecurity issues. With all sectors now at risk – retail, infrastructure, finance, government, telecommunications – no Australian business can afford to be unaware of its potential vulnerabilities or to lack robust practices for managing them.
How an organisation responds to an incident is often as important as the incident itself.
Responding to a cyber security incident or data breach requires a sound forensic investigation to determine the nature and circumstances of the attack and the security improvements required to minimise the impact of similar incidents in the future. FTI Consulting recommends that organisations implement a monitoring and detection capability to help identify and respond to cyber incidents at the earliest possible stage.
Notification of, and engagement with, consumers, employees, affected parties and regulators are also critical factors in mitigating the commercial, legal and reputational risk of cyber breaches. FTI Consulting recommends that organisations have a cybersecurity breach response and communications program in place to ensure that both regulatory requirements and stakeholder expectations are met.
“As the Snowden disclosures demonstrate, often the most damaging risk to government or business online security is not ‘malware’ but ‘warmware’; the ability of a trusted insider to cause massive disruption to a network or to use legitimate access to obtain classified material and then illegally disclose it.”
An ongoing issue for government and corporate entities is the very real risk of employee misconduct, which can manifest in the misuse of corporate systems, theft or misuse of intellectual property, staff harassment, or the distribution of inappropriate material.
The risk of unauthorised use of confidential information or other information assets by staff needs increased focus, supported by appropriate security controls over information use and access.
“Technical solutions are important but cultural change will be most effective in mitigating this form of cyber-attack.”
The first step in undertaking cyber security cultural change is to gain an understanding of cultural awareness and attitudes with regard to cyber security and the impact this has on an organisation’s capacity to prevent, detect and respond to cyber security incidents.
FTI Consulting recommends proactively seeking staff feedback regarding their views and attitudes in order to gain insight into staff perceptions of cyber risks and their awareness of the organisation’s cyber security controls. These insights can provide the basis for both system improvements and employee engagement programs.
“As businesses and governments we must better educate and empower our employees to use sound practices online.”
Obtaining an understanding of staff views and attitudes will enable the development of Cyber Security Staff Awareness Training programs designed to educate staff about current and emerging cyber security threats and the organisation’s expectations that staff recognise and appropriately respond to cyber risks or incidents.
FTI Consulting encourages organisations to recognise that employees are not only a potential threat but also a potential security control and detection point against those attempting to attack an organisation. Through training and awareness, employees can contribute more effectively to an organisation’s defences against cyber threats.
“More strategic discussions between public and private sector leaders will focus on practical outcomes and elevate cybersecurity, both as a business risk and as a strategic opportunity rather than just as an operational matter.”
Government is clearly reaching out to the private sector, both to share the responsibility for cyber security and to help guide flexible and practical solutions that mitigate risks and support a safe digital economy.
Business has a genuine and rare opportunity to contribute to policy that can benefit it and to avoid the risk of having restrictive regulation imposed upon it.
FTI Consulting suggests that the private sector needs to seize this opportunity through active participation and the development of constructive, evidence-based ideas. This can occur through the new mechanisms proposed in the Government’s strategy, such as streamlined processes, greater cooperation and an annual leaders’ meeting, as well as through targeted public policy programs.
The Federal Government’s cybersecurity strategy contains a number of important signposts and opportunities for Australian organisations.
With the commercial and reputational risk of cybersecurity issues continuing to grow, FTI Consulting is able to support business and government in managing that risk through both forensic technology and strategic communications services.