
Newsletter July 2022 

The purpose of this newsletter is to update readers on what might be happening in various areas of business related to IT, the provision of some commentary on known cyber security, data breaches and IT and business issues, and some advice on better securing your information assets.

In this Issue:

  • Overview
  • Topic
  • Recent Attacks and Threats
  • Alerts
  • Snippets
  • Recent Changes to Website

Overview:

Board directors and CEOs cannot afford to ignore issues of Privacy, Data breaches and Cyber-attacks in their organisations. Unfortunately (even sadly), these security areas are often treated separately, even though they are intrinsically linked.

To avoid gaps in the security posture of an organisation, these three areas must be considered as one framework.

This article presents a Holistic Digital Security Framework (HDSF) approach. This enables directors and senior executives to minimise the impact of security issues on their businesses.

Topic:

A Holistic Digital Security Framework (HDSF)

The Need

  • The Australian Government, through various agencies (such as ASIC, ASD, OAIC, ACCC), is demanding that Australian businesses protect their operations from cyber-attack.
  • Organisations are being fined large amounts of money for violations of the Privacy Act including those where cyber-attacks have been successful.
  • Organisations are being fined large amounts of money for data breaches including many that have occurred because of cyber-attacks.
  • Since security issues are intrinsically linked, addressing them separately leaves gaps which will be exploited.

For these reasons, a Holistic Digital Security Framework (HDSF) that stands alone, covers all three areas, and is aligned with and informs the organisation's Risk Management Framework is more useful and perhaps even necessary.

An HDSF framework is one that allows both the board directors and the senior management team to understand their roles and responsibilities. This allows them to develop cohesive plans to reduce overall business disruptions caused by cyber-attacks and data and privacy breaches.

The HDSF Framework

Security is everyone’s business, whether it be physical, cyber security, data protection, business systems protection, industrial control systems (ICS), operational technology (OT), Internet of Things (IoT) and privacy.

The HDSF Framework Components

  1. Overview

The overview contains the security objectives of the organisation, the assumptions and scope – internal units, external organisations – anything which might impact or is impacted by security. It is the basis of the framework.

  2. Governance

Governance enables board directors and senior executives to understand the big picture of digital security:

  • security principles, 
  • roles including accountabilities and responsibilities,
  • current and future compliance requirements, 
  • assurance mechanisms, 
  • legal and regulatory requirements, 
  • policies and procedures, 
  • alignment with organisational risk framework.

  3. Design

The design of security systems is not just a technical function but an organisational wide approach seeking to satisfy the objectives established in the Overview. This will have many aspects such as: 

  • design principles, 
  • organisational setting (e.g., management framework alignment, accountabilities, and responsibilities), 
  • technology design, 
  • organisational resilience to reduce the impact of a large security event,
  • the means to recover, and 
  • controls to monitor performance and compliance.

  4. Culture

The number one security principle for any organisation is this: 

“Security is everyone’s business”.

This must be the basis for developing a “security culture”, whose objective must be to protect the information assets of the organisation including those of its clients, suppliers, and other stakeholders. A security culture means everyone

  • takes responsibility for security
  • receives continual training
  • is rewarded for identifying and fixing security holes or attempted breaches, and
  • accepts effective discipline for security breaches.

  5. Operations

This aspect of the framework is security in action: 

  • implementing design decisions through security projects,
  • building and sustaining culture,
  • implementing technical and other tools to identify threats and attacks,
  • gathering and using intelligence information to prevent breaches,
  • monitoring and reporting security events.

  6. Attack Response

It has been well demonstrated in various studies that having a well thought out and tested Incident Response procedure is key to reducing the event impact and decreasing the recovery time back to normal operation. 

Forensic analysis should be part of the post-event analysis to discover the true impact of the security event as well as the circumstances around the event itself. It sometimes takes 12 months or more to uncover the full impact.

How you can use the HDSF Framework

The framework is used dynamically and reflects the current status of compliance in many different areas. Specifically…

  • Summary of all security activities across data, technology applications, networks, privacy, cyber threats, etc.
  • Compliance with regulators and laws
  • Alignment with the Management Framework: accountabilities and responsibilities
  • Identification of gaps in security coverage
  • A basis for prioritisation of security projects
  • Establish and monitor projects
  • Establish a basis for negotiating insurance cover and associated premiums
  • Monitor all security operations
  • Monitor data, cyber and privacy breaches
  • Manage risk aligned with the organisation's risk management framework

To learn more about how the HDSF can be applied to your business, please contact me. Consultations, Seminars and Workshops are available to suit your needs.

Reports and Statistics:

Publicly available reports worthy of summation are mentioned here with their source URL. Some of these are quite lengthy and will be summarised in the body of the website.

  1. Scamwatch report for March
    1. https://www.scamwatch.gov.au/scam-statistics?scamid=all&date=2022-03
    2. Amount lost $95,137,362 (up from $38M in Feb)
    3. Number of reports 16,445 (down from 18,000 in Feb)
    4. Reports with financial losses 13.9% (up from 11.2% in Feb)
    5. It seems clear that someone or an entity lost a lot of money in March !!
  2. TrendMicro reports
    1. TrendMicro published a report titled “BUSINESS FRICTION IS EXPOSING ORGANISATIONS TO CYBER THREATS”.
    2. The full report can be found at:
      1. https://www.trendmicro.com/explore/en_gb_trendmicro-global-risk-study
    3. As reported in two TrendMicro press releases (https://www.trendmicro.com/en_au/about/newsroom/press-releases.html#), the major points they emphasised are:
      1. 89% of Australian IT organisations compromise on cybersecurity in favour of other goals.
      2. More C-Suite engagement is needed in 2022 to mitigate cyber risk.
    4. Respondents to the survey indicated that for the C-Suite to support and take action:
      1. 62% think it would take a breach of their organisation 
      2. 61% say it would take customers demanding more sophisticated security credentials
      3. 60% of investors demanding more sophisticated security credentials
    5. I have developed the holistic security framework to enable a whole-of-organisation view of security. It is also the reason my next newsletter discusses why IT Architecture needs to be aligned with the management structure reporting to and including the CEO. Both of these discussions will help address the issues raised by the TrendMicro report.

Snippets:

  1. Privacy and Data Protection
  • Privacy and Data Protection Laws vary considerably between countries and within countries. For instance, in the U.S., there is no Federal Privacy law (under consideration) but there are 25 in the State of California.
  • A very good reference handbook on data protection is available from DLA Piper and covers the various laws in 100+ countries. Their website allows you to compare the various regulations between countries. 
  • The URL page referred to above also allows you to download the handbook, which is currently 1145 pages long!
  • It is, however, a good resource in the overview of the laws that pertain to Privacy and Data protection in many countries of the world.
  2. Telecommunication Laws
  • DLA Piper also publish a handbook on the various Telecommunication laws in many countries and include a function where you can compare the various regimes between countries.
  • This to me is only a few hundred pages! Nevertheless, it is a useful overview of the telecommunications laws in those countries covered.

Changes to Website:

Cyber Security Components Update (for members)

Greg Porter

