Cyber Today
MAY 2020
CYBER SECURITY IN THE TIME OF COVID-19
DIGITAL TRANSFORMATION: IS YOUR BOARD PREPARED?
ONLINE SAFETY: THE BIG CHALLENGES REMAIN
CONTENTS

FOREWORD
2 Foreword
3 Minister's foreword

OPINION
5 Cyber security in the time of COVID-19

INSIGHT
10 Consumer Data Right: With three months to go, are you ready?
14 With digital transformation comes risk: Is your board prepared?
18 Case study: YMCA NSW

STARTUPS
22 Startup success as Aussies go global
26 Cyber security entrepreneurs gear up to solve business problems with CyRise

STARTING OUT
30 Entering the cyber workforce

MEMBER INTERVIEW
34 Putting the 'security' into chief security officer

SPOTLIGHT
38 Security in the time of pandemic

DIVERSITY
42 Diversity key to cyber security skills gap

DATA PROTECTION
46 Information security for a GDPR-inspired ecosystem
48 Is your patching up to scratch?

CYBER ATTACKS
52 Legal issues arising from a data breach

CYBER SAFETY
55 Online safety: The big challenges remain

PUBLISHED BY: Executive Media Pty Ltd, ABN 30 007 224 204, 430 William Street, Melbourne VIC 3000. Tel: 03 9274 4200. Email: media@executivemedia.com.au. Web: www.executivemedia.com.au
PUBLISHER: David Haratsis, david.haratsis@executivemedia.com.au
EDITOR: Giulia Heppell, giulia.heppell@executivemedia.com.au
EDITORIAL ASSISTANTS: Kate Hutcheson, Simeon Barut
DESIGN: Abby Schmidt
PARTNER ORGANISATIONS: CyberCX | Deloitte | Exabeam Pty Ltd | Katana Technologies Limited | Rapid7 Australia Pty Ltd

The editor, publisher, printer and their staff and agents are not responsible for the accuracy or correctness of the text of contributions contained in this publication, or for the consequences of any use made of the products and information referred to in this publication. The editor, publisher, printer and their staff and agents expressly disclaim all liability of whatsoever nature for any consequences arising from any errors or omissions contained within this publication, whether caused to a purchaser of this publication or otherwise. The views expressed in the articles and other material published herein do not necessarily reflect the views of the editor and publisher or their staff or agents. The responsibility for the accuracy of information is that of the individual contributors, and neither the publisher nor editors can accept responsibility for the accuracy of information that is supplied by others. It is impossible for the publisher and editors to ensure that the advertisements and other material herein comply with the Competition and Consumer Act 2010 (Cth). Readers should make their own inquiries in making any decisions, and, where necessary, seek professional advice.

© 2020 Executive Media Pty Ltd. All rights reserved. Reproduction in whole or part without written permission is strictly prohibited. All stock images sourced from iStock.com. Vegetable based inks and recyclable materials are used where possible.

Cyber Today | 1
FOREWORD
Foreword
A message from Damien Manuel, Chair, AISA.

The cyber security industry – and the entire world – has been shaken by the emergence of the novel coronavirus, known officially as COVID-19. While the world watched as China dealt with a new pathogen back in December 2019, other countries missed the opportunity to learn, adjust and take immediate action, mainly because humans are not very good at assessing risk and we naturally take the position that bad things happen, but to other people.

Long before the outbreak, over the past 20 years we somehow moved from a society and business community that didn't tolerate poor telecommunications – hence the reliability of copper landlines – to a society that is now tolerant of conferencing with jitters, lags and every fifth word missed. We moved from reliable but limited technology, to unreliable but feature-rich solutions. We also moved from having warehouses with inventory, to a just-in-time nature of manufacturing and delivery. The world pivoted from locally made to globally delivered. While we, as a business community, reduced costs and increased profitability through these measures, we forgot about one thing – resilience.

The pandemic presents society with challenges, but also with opportunities, and these include:
— building improved and more diverse supply chains to remove single reliance on a company, country or technology
— understanding the impact of global disasters on interconnected supply chains to better estimate and predict the consequences of disruptions
— developing intuitive and scalable cyber security solutions that can adjust to a work-from-home workforce
— gaining better understanding of how businesses can leverage and use digital collaborative tools to reduce travel
— understanding what doesn't work and what could possibly work, and drive innovation of new services, products and solutions.

While all we hear about in the news at the moment is the number of new infections, the mortality rate and new laws or measures that are being put into place by various governments around the world to address the pandemic, businesses also need to continue to manage their other risks, stay afloat and deal with ongoing cyberthreats. Misinformation across social media and attacks from threat actors both locally and internationally are still impacting businesses and communities. Over the next six to 12 months, our lives will change. We also need to remember that many lives are already changing as people lose loved ones, businesses go under and job losses are felt as the global economy slows. In times like these, the role cyber security plays in protecting the community and organisations from hostile actors will continue to grow in importance, particularly as we all begin to work and operate in an environment of global uncertainty.

Aside from the physical health of staff and the community, in times of stress and uncertainty we also need to manage and monitor mental health. The trauma that some people in the community – particularly frontline staff at supermarkets and in other service industries – are experiencing through physical, verbal and emotional abuse due to panic buying by customers, needs to be acknowledged and managed.

Things will be difficult; plans will be disrupted and the times ahead will be emotionally challenging. We can reduce these impacts by pulling together, supporting those who are less able, and learning from this experience to build a more cohesive and resilient society.
FOREWORD
Minister's foreword
A message from Tim Watts, Shadow Assistant Minister for Communications and Cyber Security.

As the Australian information security (InfoSec) community stands on the threshold of a new Commonwealth Cyber Security Strategy, it's worth reflecting upon the lessons of the first four-year strategy. In 2016, then Prime Minister Malcolm Turnbull announced the Commonwealth's first Cyber Security Strategy with great fanfare and significant government funding. It contained dozens of objectives and policy initiatives, and since then we've made some progress. But the biggest lesson we've learnt is that the contents of a strategy mean little if there's no political leadership to deliver it.

Four years ago, the 2016 Cyber Security Strategy promised 'clear roles and responsibilities' for the Australian cyber security sector. Central to this was a dedicated minister and a special adviser to the Prime Minister. Today, neither position exists. Since these roles were abolished by the Morrison Government, the absence of political leadership on cyber security has been telling.

In recent years, there have been a lot of people doing a lot of things in Australian cyber security, but little evidence of a centrally coordinated strategy. We've seen a flurry of initiatives launched in defence, law enforcement, national security, international diplomacy, industry development, research and skills development. But the follow-through on these initiatives has been patchy at best. It's unclear what the government's priorities are across this sprawling agenda. Even worse, as specific initiatives have been left to unfold on their own accord within their own governmental silos, we've seen plenty of inconsistency. For example, how did the government reconcile its encryption legislation with its goals for diplomacy and industry development?

Politicians aren't popular right now (believe me, I get it!), but this is where we need political leadership. Australian cyber security needs political leadership within government to set priorities, lead change and improve accountability. Australian cyber security also needs political leadership outside of government to speak directly to Australians in the media and in the community about the InfoSec challenges the nation is facing, and to bring together the diverse members of the InfoSec community as we confront these shared challenges.

It's not just me saying this. Far from it. In the public submissions to the new Cyber Security Strategy, you'll find the same arguments over and over again.

Deakin University, for example, is arguing for a 'minister dedicated to cyber security rather than a shared portfolio. It also signals to the market the importance of cyber security and enables a minister to focus on key priorities'. Meanwhile, Lockheed Martin complains of a 'fragmented approach that is often contradictory, incomplete, and not cohesive', and VeroGuard Systems observes that 'currently, there is no evidence that a government, association or organisation is responsible for managing cyber risks in the economy'. Microsoft wrote in its submission that 'the government should consider whether the existing governance arrangements are ensuring that cyber functions performed by the Australian Government are collaborative and coordinated… One possible improvement could be to have a single coordinating minister and/or a coordinating executive with oversight across all cyber functions'.

We've seen the same argument made internationally. The United Kingdom's Joint Committee on the National Security Strategy considered a similar question in the UK context in 2018, and concluded, 'There is little evidence to suggest a "controlling mind" at the centre of government, driving change consistently across the many departments... involved. Unless this is addressed, the government's efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office Minister who is charged with delivering improved cyber resilience across the United Kingdom's critical national infrastructure'.

In 2018, Alastair MacGibbon said that the greatest existential threat we face today is a catastrophic failure of our cyber security. It's not hard to see why. Yet, there is no person in the Morrison Government who has this as their sole day job.

Reform is important. Fresh policies are important. But for them to matter – for them to be properly and coherently implemented – we need a dedicated minister. It's long overdue.
OPINION
Cyber security in the time of COVID-19
BY DR SUELETTE DREYFUS, SCHOOL OF COMPUTING AND INFORMATION SYSTEMS, THE UNIVERSITY OF MELBOURNE

As organisations shepherd entire office buildings of employees out the door to work from their homes in response to the COVID-19 crisis, cyber security is taking on a new urgency.

Never before has there been such a rapid migration en masse from formal office environments to home workspaces. IT departments have, in many cases, been given impossibly short deadlines to cater to this. Slow reactions and poor leadership from some governments have led to pandemic panics of all sorts, and the result is that IT departments around the globe are scrambling to 'make this all work by Monday'.

As if rapidly building the infrastructure to 'recreate the office' in each staff member's unique home environment wasn't complicated enough, IT security teams have to figure out how to defend, from the outset, this complex and decentralised new work environment.

Picture an employee copying company data onto his 16-year-old son's spare laptop as a workaround to some barrier, in order to participate in a work conference call and group work session. What could possibly go wrong?

Building in security by design in the new work-from-home set-up isn't easy in these time frames, but it's incredibly important. Everyone is on a steep learning curve. By the end of this pandemic, IT security teams may have developed new skills in flexibility and end-user empathy – a positive thing for the future of IT security in organisations. But it's going to be a bumpy road to get there.

Many employees may only be comfortable or productive working in certain ways from home. COVID-19 cyber security could become an experiment in commoditised customisation at scale. The following are some key messages.

IT managers, as much as possible, shape the cyber security around the user's tasks, not the other way around

Cyber security works better in the real world when it is designed and shaped around the way end users actually work, not when it is simply imposed as a long list of 'no, you can't do that'. Not surprisingly, if cyber security gets in the way of people doing the things they need to do, they find workarounds. And, as we know, workarounds can trigger risky behaviour.

The principle of least privilege is to give end users only what they need to do their jobs. 'Only' is enough – but only if you understand what those jobs now involve in an entirely work-from-home world.

The end user thinks cyber security 'gets in the way'

Hospitals provide a good window into the thinking of end users about this. Medical staff view their mission as saving patients' lives and providing high-quality care. If cyber security rules get in the way of that, then they're going to do what it takes to carry out their mission regardless. In a world of patients lying sick on gurneys in overcrowded emergency department (ED) hallways, doctors are not going to have two-factor authentication (2FA) very high on their priority lists.

We're about to enter a period where things move very fast inside hospitals and clinics. Predictions are that the healthcare system will be swamped. Our own research team's study shows that ED doctors conduct, on average, 100 tasks an hour under normal circumstances [1], but these are probably not going to be normal circumstances. Cyber security measures cannot slow medical staff down, or people may die.

Yet, hospitals have experienced attack after attack, including recent ransomware assaults that took out regional health services in Victoria in late 2019. The Victorian Auditor-General pointed out the serious risks in the hospital system [2].

Figuring out how to balance these competing interests means that those in IT security need to pause to examine, even briefly, how people go about their work in an average day. It's not just about customisation to home-work settings; it's about working out how people's work is going to evolve over time in those settings. And it's unlikely to be a one-size-fits-all solution. That's time-consuming, but there can be a high pay-off in more successful end-user adoption. Fewer attempted workarounds means less risk of a breach to clean up in the middle of a pandemic, when physical access to devices may be difficult.

Enter cheerful cyber security

Human factors in cyber security matter because human error plays a major role in exposing organisations to risk. Taking the end user on the journey through security upgrades is more likely to get buy-in.

One of the most obnoxious things the end user can experience is a command, via a heavy-handed email, to implement some security upgrade in short order – 'or you will be cut off'. Astonishingly, this still happens. There are better ways to go about this. Employ teachers, journalists, science communicators – those who can explain why the extra hassle is needed and can make transitions much easier. An employee who understands what happened to Maersk [3] will be more inclined to take the extra time and effort. Bespoke walk-throughs for untangling a frustrated end user's knots can shift a negative employee to an accepting one. A smile, patience and empathy really matter for problem-solving in times of high stress.

Software developers should also turn on automatic updates as the default setting when their software ships. Imagine if all software updated automatically unless the end user deliberately turned that off. This simple standardised action by developers could change the IT security landscape quickly and effectively. Some software does this, but not all.

Developers can still give end users the same level of fine-grained control over if, when and how much to update. Some end users will want the flexibility to turn off automatic updates, or to be asked for permission before each update, and there's nothing wrong with that. But the COVID-19 virus environment isn't the only place we need herd immunity.

Cyber handwashing

The public is getting the message loud and clear from public health officials that hand cleaning is vital to stopping the spread of COVID-19. As such, hand sanitiser has sold out everywhere. The IT security industry could easily build on this theme to educate the new army of workers from home that cyber hygiene is also important. Some in the industry worry that this term trivialises the risk, but as in fighting a pandemic, basic steps can let us #FlattenTheCurve so IT defenders aren't overwhelmed. It's a concept that employees are probably ready for and would embrace.

A key factor here is that organisations must give staff the paid time needed to adapt and learn how to use new security requirements. Too often, this training is seen as an imposition because the staff member's other work is not reduced. Small lessons, in bite-size chunks, may work best.

In summary, cyber security must not make people's lives harder and must be as automated as possible.

IT workers are vital to keeping the economy afloat and supply chains functioning during this pandemic, and resourcing them properly in the coming months is a winning strategy.

References
1 https://people.eng.unimelb.edu.au/reevaml/One%20Hundred%20tasks%20an%20Hour.pdf
2 https://www.audit.vic.gov.au/report/security-patients-hospital-data?section=
3 https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
PARTNER CONTENT
Keeping a security mindset
Neil Campbell, Vice President for Asia-Pacific at Rapid7, recently talked with Nigel Hedges, Head of Information Security for CPA Australia, about keeping a security mindset in this current market.

Neil Campbell (NC): What InfoSec initiatives have you put in place that are proving valuable right now?

Nigel Hedges (NH): Shoring up security operations, with the idea of improving the mean time for incident detection and response issues, was a driver for me. Also, the implementation of an identity and access management program. Another was to adopt software as a service (SaaS)–based security management tools with quick set-up times and low levels of involvement. That has really benefited CPA Australia. We have been able to pivot quickly to remote working, and our key security solutions can provide richer security data via the internet.

NC: What have been your main challenges with staff working from home?

NH: We've been a consumer of infrastructure as a service for some time now to meet the needs of members. As early as July last year, we had implemented SaaS security controls; however, with this sudden requirement for securing remote workers coming so quickly, we had a fast shift in some areas, including our customer experience staff using call management software and working remotely. Virtual private networks (VPNs) have a latency impact, so you have to think about voice quality.

NC: When you have so many people working remotely, your VPN's quality may degrade, and you may make a risk-based decision that not all traffic needs to go back via the VPN. Was that a challenge you faced?

NH: We are using a split tunnel VPN along with a low-touch, cloud-based hygiene solution to farm that data over, so it is still protected. That way we are still able to receive security telemetry from the remote environment when people are using the internet, including SaaS applications outside the VPN.

NC: I have heard you say that identity is the new perimeter. How does that work?

NH: Regardless of the device, gateway or firewall, I want to know who is using it or traversing it. Based on that identity, we can bring all the security information together and make informed decisions.

NC: How does your central security solution keep track of everything?

NH: There is a certain reality that integration with all these different platforms is not possible for one solution to be able to get that information and interpret it in a rich way in all cases. For me, using a security-monitoring platform that has a rich plug-in ecosystem is really important. One of the tasks I do frequently is checking the plug-ins of Rapid7's security information and event management (SIEM) to see what new integrations have been added so that I can create a richer dataset from which to detect unusual activity. Having multi-factor authentication technology, also integrated with the SIEM, is integral to enabling remote working while minimising risk.

This article is an extract. For the full conversation, visit rapid7.com/c/ANZIDR.
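Nigel Hedges' point above, that the identity rather than the device or gateway is the key the telemetry is joined on, can be shown with a small correlation over constructed log lines. The Python below is an added example for this page and is not CPA Australia's or Rapid7's code; the three log formats, the host names, the user accounts, the addresses and the 10-minute window are all assumptions made for the example. With a split-tunnel VPN, sign-ins to SaaS applications never traverse the VPN, so the only evidence that such a sign-in was protected is the MFA service's result for the same identity. The example normalises the three sources (note the differing letter case of the same account across them), then flags every SaaS login that has no MFA approval for that user in the preceding window.

```python
"""Identity-centred correlation of remote-work telemetry.

Added example for this page (not vendor code). Three constructed sources with
hypothetical formats: a split-tunnel VPN concentrator, a SaaS application's
sign-in log, and an MFA service. Everything is normalised on the user identity
so that events can be joined regardless of device, gateway or firewall.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry. Hosts, users and addresses are made up.
VPN_LOG = """\
2020-04-06T08:02:11Z vpn01 session-up user=J.Smith@example.com client=203.0.113.10 tunnel=split
2020-04-06T08:05:40Z vpn01 session-up user=a.ng@example.com client=198.51.100.7 tunnel=split
"""
MFA_LOG = """\
2020-04-06T08:01:55Z mfa push user=j.smith@example.com result=approve ip=203.0.113.10
2020-04-06T08:31:02Z mfa push user=a.ng@example.com result=deny ip=198.51.100.7
"""
SAAS_LOG = """\
{"ts":"2020-04-06T08:02:30Z","app":"crm","actor":"J.Smith@example.com","ip":"203.0.113.10","event":"login"}
{"ts":"2020-04-06T08:32:10Z","app":"crm","actor":"a.ng@example.com","ip":"198.51.100.7","event":"login"}
{"ts":"2020-04-06T09:10:00Z","app":"payroll","actor":"A.Ng@example.com","ip":"192.0.2.44","event":"login"}
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str    # normalised identity (lower-cased address)
    source: str  # "vpn", "mfa" or "saas"
    kind: str    # session-up / approve / deny / login
    ip: str


KV = re.compile(r"(\w+)=(\S+)")


def norm_user(raw: str) -> str:
    """One identity key for all sources: trim and lower-case the account."""
    return raw.strip().lower()


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, _host, kind, rest = line.split(" ", 3)
        kv = dict(KV.findall(rest))
        events.append(Event(parse_ts(ts), norm_user(kv["user"]), "vpn", kind, kv["client"]))
    return events


def parse_mfa(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, _svc, _method, rest = line.split(" ", 3)
        kv = dict(KV.findall(rest))
        events.append(Event(parse_ts(ts), norm_user(kv["user"]), "mfa", kv["result"], kv["ip"]))
    return events


def parse_saas(text: str) -> list:
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        events.append(Event(parse_ts(rec["ts"]), norm_user(rec["actor"]), "saas", rec["event"], rec["ip"]))
    return events


def unverified_saas_logins(events, window=timedelta(minutes=10)):
    """SaaS logins with no MFA approval for the same identity in the preceding window.

    Because the tunnel is split, these logins never touched the VPN; the MFA
    record is the only evidence that the person behind the identity was verified.
    """
    approvals = [e for e in events if e.source == "mfa" and e.kind == "approve"]
    flagged = []
    for e in events:
        if e.source != "saas" or e.kind != "login":
            continue
        verified = any(
            a.user == e.user and timedelta(0) <= e.ts - a.ts <= window for a in approvals
        )
        if not verified:
            flagged.append(e)
    return flagged


def run():
    events = parse_vpn(VPN_LOG) + parse_mfa(MFA_LOG) + parse_saas(SAAS_LOG)
    return unverified_saas_logins(sorted(events, key=lambda e: e.ts))


if __name__ == "__main__":
    for e in run():
        print(f"{e.ts.isoformat()} {e.user} login from {e.ip} without MFA approval")
```

On the sample data the first SaaS login is covered by an approval 35 seconds earlier for the same (normalised) identity, while both logins by the second account are flagged: one follows a denied push, the other has no MFA record at all. The same join is what a SIEM plug-in does on ingestion; the value is in keying every source on the identity before any rule runs.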
INSIGHT
Consumer Data Right: With three months to go, are you ready?
BY DAVID BRAUE

Looming open data requirements put new security burdens on financial services companies, but CDR's security and data-management model offers lessons for everyone.
INSIGHT D ata governance is hard – but as a often been haphazard or even absent in fast- major new consumer data regime growing, data-hungry organisations. nears its 1 July commencement MicroStrategy’s recent Global State date, you nonetheless need to of Enterprise Analytics 2020 report make sure your data governance highlights the ongoing problems with data and security policies are well under control. governance. Data privacy and security The Australian Competition and concerns are cited by 43 per cent of Consumer Commission’s (ACCC’s) role in respondents as the key challenge around coordinating Consumer Data Right (CDR) better use of data and analytics. legislation highlights its intended role as a Other key issues include limited access to catalyst for competition, forcing companies data and analytics across the organisation to standardise their product descriptions (29 per cent), lack of the proper technology and give consumers access to their data to (21 per cent), and lack of a centralised tool facilitate comparison shopping. within the organisation for capturing and From 1 July, the big four banks will be analysing data (21 per cent). required to give consumers access to credit Each of these is an obstacle for better and debit card, and deposit and transaction access and management of corporate data account data through a secure CDR portal. – and, in turn, is a significant blocker for Mortgage and personal loan data will execution of the data governance that an follow from the beginning of November. open-data regime like CDR requires. Consumers can appoint third parties, such This translates into relatively as brokers and financial advisers, to access deficient data governance ratings, with data on their behalf. just 38 per cent of survey respondents Smaller approved deposit-taking institutions saying that over half of their data was (ADIs) will follow suit from 1 July 2021, by which governed. 
The survey also identifies a time the ACCC will have ramped up efforts ‘divide between the data-privileged and to extend the regime to energy providers. insights-rich, and the data-deprived and Telecommunications companies will be the next insights-starved’, with executives enjoying target, with other industries certain to follow if good data visibility that operational staff CDR delivers the pro-consumer outcomes the struggle to match. government wants. In a CDR environment, such internal CDR has evolved over several years, with barriers are no longer acceptable: the point enabling legislation only passed in mid 2019 of the exercise is to give consumers access and formal rules about its operation finalised to all of their relevant data, with failure to at the beginning of this year. Early tests of do so potentially punishable by sizeable data exchange involved the big four banks financial penalties. and nine other entities, which were chosen as Complying with the legislation introduces data recipients to refine the CDR ecosystem. complexities of its own. Many organisations, The CDR regime is ‘a complex but after all, will struggle to meet CDR-related fundamental competition and consumer privacy expectations around the creation reform, and we are committed to delivering it of a culture of privacy; appointing a only after we are confident that the system is senior manager to lead a CDR strategy; resilient, user-friendly, and properly tested’, implementing appropriate reporting according to ACCC Commissioner Sarah Court. processes; gaining and managing informed ‘Robust privacy protection and and express consent from consumers via a information security are core features suitable dashboard; security governance; of the CDR, and establishing appropriate management and reporting of security regulatory settings and IT infrastructure incidents; and destruction or de-identification cannot be rushed.’ of CDR data when it’s no longer needed. 
The organisation gets in the way Securing the CDR For technology and security professionals While the rules governing CDR are relatively working in financial services, the clear, meeting their requirements demands introduction of CDR poses very real issues adoption of technical standards that have around data governance – which has, to date, been developed by CSIRO data arm Data61, Cyber Today | 11
INSIGHT MicroStrategy’s recent Global State of Enterprise Analytics 2020 report highlights the ongoing problems with data governance. Data privacy and security concerns are cited by 43 per cent of respondents as the key challenge around better use of data and analytics which has been appointed as the Data That register incorporates a number Standards Body (DSB) for the CDR regime. of security practices – and associated Version 1.2.0 of those standards, which technologies – including management of are called the Consumer Data Standards identities and access, management and (CDS), has been held to be the ‘binding revocation of digital certificates, and the baseline of the CDR regime’. As such, every publishing of APIs and web interfaces to technology and security manager – even enable CDR participants to query metadata those in other industries where data across registered entities. management is essential, if not legally Other security mechanisms address mandated – should make themselves issues like authentication flows, consent familiar with the guidelines. mechanisms, transaction security, encryption Those guidelines revolve around eight standards, levels of assurance, and more. technical principles and four ‘outcome principles’ – the first of which notes that Taking data to the next level ‘security of customer data is a first order CDR compliance, then, requires much more than outcome’ that must be delivered by the CDR simply installing a product. Its complexity is application programming interfaces (APIs). part of the reason that CDR’s go-live date, which ‘The API definitions will consider and was originally set for late 2019, has been pushed incorporate the need for a high degree back twice – and why many organisations will of security to protect customer data,’ the struggle to achieve compliance. principle says. 
‘This includes the risk Yet, even as they push towards the finish of technical breach but also additional line, companies must be on notice for further concerns of inadvertent data leakage changes. A current Treasury inquiry is through overly broad data payloads exploring potential next steps for the CDR and scopes.’ legislation and framework – including Affected organisations must also apply a potential ‘write’ capability that could with Office of the Australian Information empower agents to create bank accounts, Commissioner (OAIC)–mandated privacy organise payments and change products on safeguards designed to prevent the customers’ behalf. inadvertent compromise of personal data – Such changes obviously carry significant adding even more onus on security managers additional security risks – demanding that may find their data-management ongoing compliance with evolving technical environment completely inadequate for the standards, as well as changing design and demands of the CDR regime. functional expectations. A formal security profile, included within ‘Although undertaking such a further the CDS definition, builds on standards, review in 2020 may be considered to be including the Financial-grade API Read premature, it indicates the importance Write Profile (FAPI-RW) and standards the government places on CDR, and the relating to OpenID Connect 1.0 (OIDC). This benefits it may bring to Australians and includes mechanisms for securing the the Australian economy,’ Holding Redlich federation of data exchange among multiple Partner Angela Flannery and Senior system entities, including data holders, Associate Sarah Cass wrote in a recent data recipients, authorising customers, and analysis of CDR developments. a register of these parties supported and ‘Even businesses in sectors that are maintained by the ACCC. outside those targeted for CDR in the short 12 | Cyber Today
INSIGHT term should already be considering how For consumers, CDR will catalyse the they may benefit (and help their customers creation of such innovation by freeing benefit) from CDR.’ them from the artificially high burden of Those benefits can be significant, switching providers. For companies, that according to a recent Enterprise Strategy added competitive pressure will provide Group and Splunk survey of 1350 business critical impetus for building a clear, secure and IT decision-makers, which confirms the data-management infrastructure to support importance of a mature data strategy. those innovations. Organisations with clear data-management Whatever your industry, discipline policies report benefits that include better around better data management offers the customer retention and time to market or promise of significant business improvement manufacturing time, the survey found. – particularly as exploding data creation Australian organisations are at the front of sees data flooding onto cloud services that the global pack, with 74 per cent saying that require different management strategies. The they have managed to reduce their volume of cleansing and organising of enterprise data is ‘dark data’ – unknown and untapped data – therefore a key priority. over the past 12 months. This process also provides the Within the financial services industry, opportunity to develop and enforce clear 89 per cent of firms agreed that the intelligent security guidelines around the management use of data analytics was becoming their and access of data. By analysing how only source of differentiation – and analysis privacy and technical authorities have showed that organisations with mature data approached the challenge of CDR, you’ll be policies were 10 times more likely to develop well positioned to ensure that your own innovative products and services that turned organisation is taking on an approach that is into significant revenue earners. as secure as possible. 
• Cyber Today | 13
INSIGHT

With digital transformation comes risk: Is your board prepared?

CONTENT PROVIDED BY THE AUSTRALIAN INSTITUTE OF COMPANY DIRECTORS

Digital transformation is alluring. It’s an opportunity to use computers to streamline operations, connect physical infrastructure to the internet, collect data in real time, optimise operations and improve productivity and performance. But is your organisation ready?

The Internet of Things (IoT) is one of the key digital transformation technologies and offers many opportunities for businesses. Australian agriculture technology (agtech) company The Yield is using sensors to give oyster farmers early warnings of changing water conditions via their mobile device. This technology assists 300 oyster growers to better navigate environmental changes.

Rio Tinto’s autonomous heavy-haul train in Western Australia’s Pilbara region uses data from connected sensors and artificial intelligence (AI) to guide the way the train is driven, delivering product to the port nearly 20 per cent faster than a manned train.

According to the Internet of Things Alliance Australia (IoTAA), at the end of 2018 there were 10 billion IoT devices in operation globally. That is tipped to reach 20 billion by 2022 and more than 60 billion by 2025. Technology analyst Telsyte predicts that the average Australian household will have 37 IoT devices by 2023.

‘If policymakers and businesses get it right, linking the physical and digital worlds could generate up to US$11.1 trillion a year in economic value by 2025,’ according to management consultants McKinsey & Co.

There are, however, risks involved in connecting real-world objects to smart devices. Without proper security and governance, each of those connections is a potential backdoor for attack.

What if we get it wrong?

There is mounting evidence to suggest that in the race to transform, some organisations are downplaying, not appreciating, or are even unaware of the cyber risks that can arise from connecting physical equipment to the internet, which links operational technology with information technology.

Retired Major General Patricia Frost is the Washington DC–based Director of Cyber at Partners in Performance, a global management consulting firm. She has 32 years’ experience in the military and was, until 2016, Director of Cyber, Electronic Warfare and Information Operations for the US Army.

Frost notes that many of the industrial systems used to manage utilities, water purification, gas and steam turbines are legacy systems. They are built standalone, often using supervisory control and data acquisition (SCADA), which, although not immune to cyber attacks, have been somewhat protected by the air gap between them and the internet. There is now a race to connect these legacy systems to modern information technology networks over the internet.

‘That is creating a new attack surface and vulnerability,’ says Frost. ‘Systems in the past were literally separated and isolated in air gap networks. My concern is that we are rushing to digital transformation without truly understanding the operational risk based on threats the business is now exposed to.’

This stretches from criminal ‘hacktivists’ to nation-state attacks.

Boards must understand and assess the risk

Frost warns that boards need to understand what equipment is being connected to which networks – and for what purpose – and they also need to assure themselves that the organisation is properly prepared to deal with a cyber attack. She says that boards should make serious assessments.

‘Ask, where does the value of the business sit? What are our most critical assets? And then overlay the digital domain and connections between the IoT and business information network,’ she suggests. ‘Why are we making certain connections? Is that truly of value to the business? Or is it just ease of access? In some cases, technology has made us a little lazy. We want the data now, even though it’s not bringing much value to us.’

Certainly, there is enthusiasm to connect the physical and the digital. Extrapolating McKinsey & Co research through to 2025, IoTAA CEO Frank Zeichner estimates that IoT can deliver an economic kicker to the local economy worth up to $116 billion and a two per cent hike in national productivity. This is not to be sneezed at.

Belinda Cooney GAICD, Chief Financial Officer of Interactive – an Australian IT services provider – and Non-Executive Director of the 86 400 neobank, believes that while directors have not been blindsided by the integration of IT and operational technology, the pace at which it has proceeded has caught some unawares.

Cyber security questions for directors and CEOs

‘When I think about security and risk as a director, it is very hard to decouple IT risk from operational technology because you have people using the systems,’ says Cooney. ‘You can’t think of them as isolated things. When asking questions at the board level, a lot of people think cyber risk is mitigated by doing a penetration test to figure out if anything has happened. In my experience, it is a lot more than that. You need to extend your line of questioning. Who is using the system and what is the access to our physical environment?’

Directors need to consider how decisions are being made about connecting the digital and the physical. ‘Who is responsible and accountable?’ asks Frost. ‘The governance may need to change in companies when connections are made in the digital domain that could bring a detrimental operational risk to the company.’

Below are five questions boards and management should be discussing when it comes to cyber risk.

1. How is our executive leadership informed – through our systems, processes and governance – about the current level and business impact of cyber risks to the organisation?
2. What is the current level and business impact of cyber risks to the organisation? What is our plan to address identified risks?
3. How does our cyber security program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying the executive leadership?
5. How comprehensive is our cyber incident response plan? How often is it tested? What is the role that board directors play, and are they included in annual exercises?

Establishing a culture of effective data and privacy governance

Besides good oversight of the cyber risks associated with data and operational technologies, Cooney says directors must ensure that organisational culture provides ‘enough psychological safety for people to speak up if they see something funny, [and] report it if it’s not quite right’.

The time and focus a board dedicates to data and privacy governance will depend on things such as the organisation’s size, the quantity and quality of its data holdings, industry, risk appetite and history, and its strategic direction. The basic steps, however, are the same.

1. Foster a culture that values data and privacy

Have the values and risk appetite underpinning data handling been established and communicated throughout the organisation? Is the organisation appropriately equipped and resourced to embed the right culture into its people, systems and processes? What channels does the board use to ensure that it knows how data handling is occurring ‘on the ground’?

2. Futureproof the board

How do new data-driven business models and value chains enhance, or threaten, what the organisation is doing? What new technologies can be deployed to enable the organisation to do more with, and to protect, its data assets? What new laws must the organisation adhere to, and what frameworks, standards and guidelines should the organisation take heed of? Amid all the change, what are the attitudes and mindsets of individuals, stakeholders, regulators and lawmakers?

3. Appoint key personnel and hold them accountable

Does the organisation have key data, and privacy roles and responsibilities at the operational and leadership levels? How should resources and staff be allocated in terms of compliance (protecting data) and performance (leveraging data) functions? What are the reporting requirements and key performance indicators?

4. Enhance privacy and security resilience

How ready is the board and executive team to deal with a data-related crisis? How can the board improve its resilience capabilities, such as change readiness and incident management? Are privacy and security risks accounted for throughout the organisation and in project development? How are third-party relationships managed, secured and assured?

5. Focus on your stakeholders

Does the board consider a wide range of stakeholder perspectives when making decisions about data? Is stakeholder-care a key value? Does this align with actual practice and is it communicated externally? What should the organisation do, or stop doing, to enhance stakeholder trust?

To help directors promote a good data and privacy culture within their organisations, the Australian Information Security Association (AISA) recently joined forces with the Australian Institute of Company Directors to publish a practical boardroom guide, titled Data and Privacy Governance.1 The guide highlights current privacy compliance obligations impacting boards in Australia and outlines a performance framework for how an organisation might use and manage data as a key asset.

Directors can access this guide at https://aicd.companydirectors.com.au/membership/membership-update/data-and-privacy-governance-director-tool. •

1 Australian Information Security Association and Australian Institute of Company Directors, 2019, Data and Privacy Governance, Australian Institute of Company Directors Director Tool
CASE STUDY: YMCA NSW

How a quick board response helped an organisation during a ransomware attack.

IN 2019, YMCA NSW was hit with a ransomware attack that encrypted its operating system. Instead of paying the ransom, board and management made a quick decision that helped the organisation take back control.1

It took YMCA NSW 20 days to recover from the ransomware cyber attack that crippled its computer systems in August 2019. The not-for-profit youth organisation has a $70-million-per-year turnover, serves more than 40 communities and employs more than 2000 people. Its services include gymnastics classes, swimming lessons, camping, out-of-school-hours centres, and youth and community services. If the cyber attack had forced the organisation to close its doors, around 15,000 families in New South Wales would have been affected.

There’s never a good time for a cyber attack, and for the YMCA, August was particularly challenging. Chair Richard Hughes and CEO Susannah Le Bron were in London for a global conference of the international YGroup (to which all international YMCAs belong), Deputy Chair Shirley Chowdhary was in Arnhem Land attending the Garma Festival of Traditional Cultures, and the organisation was between IT managers with a contractor running the show.

Reflecting on the attack, Chowdhary, who was Acting Chair at the time, notes: ‘In the not-for-profit world, there is an assumption you won’t be targeted by cyber security attacks. It crippled us for three weeks’.

The Y NSW, as it’s been rebranded, is a sizeable organisation, but as a not-for-profit it had considered itself an unlikely target of cyber attack. Nevertheless, it had decent systems hygiene, made regular backups, and was planning to move key systems to the cloud.

The board had addressed the issue of cyber risk directly through its Risk, Audit and Finance Committee, and had recommended taking out cyber insurance earlier in 2019. The Y NSW also had disaster recovery and business continuity plans, and, following the Royal Commission into Institutional Responses to Child Sexual Abuse, had developed a critical incident response plan it was able to use. Although this plan did not directly address a cyber attack, the board from the outset determined that, in alignment with organisational values, ransom would never be paid.

Chowdhary had worked previously with technology services business Servian and called one of its partners for advice. The YMCA board and executive team expedited communications and decision-making. They met daily from the Monday, with critical incident team meetings held every morning and afternoon. Chowdhary dialled into board meetings from Arnhem Land, while Hughes and Le Bron called in from London.

According to Andrew Gemmell, Head of Cyber Security at Servian, this rapid and clear engagement of the board was critical. ‘One of the keys to the success of this was just how strong the inside communications were,’ says Gemmell. ‘There were regular board meetings and [the directors] made sure they were available and aware to make decisions very quickly.’

Chowdhary quickly posted a letter detailing the attack on the website. Although no personal information was compromised or lost, the YMCA used social media to keep stakeholders fully informed.

Chief Operating Officer Lisa Giacomelli strove for transparency. ‘I kept sending emails to keep a clear paper trail so that every aspect of our management of the incident was documented,’ she says. Gemmell adds, ‘Directors made sure they were available and aware to make decisions very quickly’.

The Y staff had to work on personal computers and devices, and some had to work from home, all working round the clock to rebuild systems and operate the Y’s extensive businesses manually.

Chief Financial Officer Jenny Woodward says that since the attack, the organisation has refreshed its disaster recovery and business continuity plans, ensuring that copies are printed and stored offsite; implemented an information security charter; boosted cyber education for staff and IT professionals; invested in systems monitoring and event detection services; and now has a three-year IT strategy and a road map that emphasises security.

Servian worked with the Y staff to ensure that systems were restored in order of criticality. According to Chowdhary, ‘There was a business opportunity loss, business continuity issues... [and] a whole host of compliance issues. The main lesson is that cyber security attacks can happen to anyone’.

Cases such as these are a reminder for directors to be proactive with data security, says Scott McKean, Chief Security Officer of IT firm Interactive. ‘Board members should ask about the effectiveness of their incident response plan: how quickly the business can detect and respond to an incident, what the implications and potential damage from any breach are, and what level of cyber insurance or other contingencies are in place.’ •

Lessons for organisations

— Engage in cyber security education for all staff and IT professionals.
— Assess the configuration of the network for potential weaknesses.
— Invest in modern cyber security technology, including monitoring and event detection services designed to arrest the spread of a cyber attack.
— Regularly revisit disaster recovery and business continuity plans, ensuring that contacts are current and printed copies of the plans are accessible offsite.
— Identify executives who will be responsible for communicating with official bodies following a data breach or cyber attack.

Lessons for boards

— Ensure that board members understand the risk of cyber attacks and their potential consequences.
— Address cyber security explicitly in relevant board committees.
— Review insurance cover regularly, including business continuity and specialist cyber insurance.
— Seek regular cyber security updates from IT leadership regarding systems resilience and current risk landscapes.
— Determine how the organisation could continue to meet its financial obligations and pay staff if computer systems access was restricted for a significant period of time. •

1 Extracted from ‘Quick board response could save your organisation during a ransomware attack’, Company Director, March 2020, Australian Institute of Company Directors
PARTNER CONTENT

Embracing cyber’s modern age

Deloitte boosts its cyber practice to meet the cyber-is-everywhere demand.

In this pandemic era of COVID-19, we have all become even more aware that cyber isn’t merely a technology issue, but a strategic business and personal risk that is impacting every facet of our lives.

As every aspect of our world becomes even more connected – highlighted currently by the flight to home-based working – latent cyber threats are exponentially growing in number and complexity.

Cyber had already moved beyond the organisation’s walls and information technology environment into the products themselves and the spaces where experts conceived them, and customers use them. Now, we are evermore conscious that cyber is in our homes and our lives, and know that it is time to embrace cyber everywhere.

This is no longer a slogan, but the trigger for organisations and the people within them to align their priorities and work together to embrace the fact that cyber is everyone’s responsibility.

As an acknowledged leader1 in Asia-Pacific professional security services, Deloitte was evaluated against 17 other major vendors in the Asia-Pacific region.

With an extensive list of scoring criteria and parameters – including the comprehensiveness of its offerings, portfolio benefits delivered, market execution, service delivery, and customer experience and satisfaction – the professional services firm announced that the founders and 50 team members from Australian security architecture specialist Zimbani were joining the firm from April, flagging its intention to build on that recognition in a big way.

Due to its speedy growth, Zimbani came to the notice of Deloitte’s Technology Fast 50 in 2017, following its founding five years earlier, and, in 2018, was recognised by the Australian Financial Review Fast 100 and CRN Fast50.

Deloitte’s CEO, Richard Deutsch, explains that as cybercrime is regularly listed as one of the major business risks globally, ‘It is critical that businesses are on the front foot, anticipating, monitoring and managing the threats and key risk events in real time’. He adds: ‘Deloitte sees cyber-readiness and resilience as a key enabler for our clients, hence investing accordingly’.

Deloitte Australia Cyber Leader Ian Blatchford adds that Zimbani’s focus on security architecture and engineering ‘makes us one of only a handful of providers in Australia capable of operating at scale, adding to our previous deals in the region as part of our significant investment in Asia’.

Deloitte Asia Pacific Cyber Leader James Nunn-Price elaborates, pointing out that across the region, Deloitte has recently invested in Singapore, bringing in Practical Smarts to the firm, as well as SecurePath in Malaysia and Code QB in Thailand, in order to ‘hyperscale our cyber business to ensure we deliver superior cyber expertise to our clients at a time of unprecedented demand’.

By adding this strength to its 17,000-plus cyber practitioners worldwide and across its 125 offices – which include Australia, China, India, Japan, Korea, New Zealand, South-East Asia and Taiwan – Deloitte brings more than 26 years’ experience in providing cyber risk services to the region, enhancing the work of its 30-plus unique Cyber Intelligence Centres worldwide. •

1 IDC MarketScape: Asia/Pacific Professional Security Services – Advisory, Assessment and Awareness 2020 Vendor Assessment (doc #AP45547920, February 2020)
DELOITTE

Cyber Everywhere. Go Anywhere.

Cyber is about starting things. Not stopping them. Build solutions for a ‘cyber everywhere’ world. Strengthen controls to ensure you will thrive.

Find out more at: www.deloitte.com.au/cyber

© 2020 Deloitte Touche Tohmatsu.
STARTUPS

Startup success as Aussies go global

Cyber Today shines a light on one cyber security company that is making big waves.
Datasec Solutions Pty Ltd is an IT security company based in Melbourne. The company develops, implements and supports cyber security and information management end-point solutions (Cryptix) with a view to solving critical security and compliance issues when organisations transmit private or business-sensitive information.

The key to Cryptix is the modular nature of its design, which incorporates strong authentication (with business rules) and encryption. Each module is built on application programming interfaces (APIs) and can be integrated into any third-party application, whether it is hardware or software.

This design allows Cryptix to provide a value-add, fast-to-market solution for vendors looking to integrate these key security tools into their range of solutions. One such vendor is HP through its print division, which is working closely with Datasec to build off-device encryption (no data stored on the hard drive) and authentication solutions for its multifunction printers (MFPs).

The journey for Datasec started in 2012 with the original concepts around the technology. Through the next few years, Datasec built out its product portfolio by including a secure file-sharing platform called Cryptix. In 2016, the company decided to modularise its technology and developed APIs around its three key pillars, which led to an opportunity with Samsung. A year later, Samsung Print was acquired by HP, which set in place the steps that have now led to Cryptix being embedded globally within the HP ecosystem – with products already available for deployment via HP’s Workpath platform.

Being involved in HP’s Workpath development program as a beta developer since 2017 has opened up myriad secondary opportunities for Datasec.

With the growing cyber security compliance landscape, organisations are now scrambling to integrate security modules into their solutions. By using Cryptix, they can get to market in a matter of weeks or months, at worst. This is very valuable to vendors like HP as it not only ticks the box for compliance, but it also gives them a big advantage over competitors.

Healthcare solutions

Datasec’s modular vision for Cryptix has extended into the healthcare industry, in conjunction with HP and US partner InTimeTec, to develop a device-based integrated electronic medical record (EMR) solution for streamlining patient-centric data capture and integration into hospital EMRs.

Cryptix EMR will improve patient data security in protecting personal health information in accordance with key industry standards, like the US HIPAA (Health Insurance Portability and Accountability Act of 1996), while also meeting compliance in Australia (Australian Privacy Principles) and Europe (General Data Protection Regulation – GDPR).

Key lessons

The journey, however, hasn’t been easy, and there are many lessons from Datasec’s history. The following are the key takeaways.

— Think global, not local. Having a global view opens up the business to much broader opportunities. In cyber security, foreign markets are often more mature and more open to investing in innovative technology.
— Capital raising. It’s tough to raise investment for startups in Australia, but having a bigger-picture view also opens the business up to foreign investment.
— Partner. It’s difficult to do it alone at the best of times, but in the startup world, doing so can be very taxing mentally, physically and financially. Identifying and engaging with key partners, who understand products and benefits, can assist startups in getting to market more rapidly, and can provide a simpler path to success.