Expanded security guidance draws on real-world experiences to offer clear protections against the most common attack vectors
Any company operating a multi-storey office building would develop painstaking fire escape plans, and any hospital would develop backup plans detailing how it could operate in the event of a power failure. So, if responsible businesses are actively addressing these risks, why are so many companies still failing to lay down detailed plans for dealing with a cybersecurity incident?
Statistically, such an incident is far more likely than a fire or catastrophic power outage. Figures from the Australian Cyber Security Centre (ACSC)’s 2016 Cyber Security Survey suggest that 90 percent of Australian organisations faced some form of attempted or successful cybersecurity compromise during the 2015-16 financial year – and 58 percent had at least one incident that successfully compromised their data or systems.
“Organisations faced numerous malicious cyber threats on a daily basis,” the report warns, noting that spear-phishing emails alone affect organisations hundreds of times per day. “Experiencing a cyber incident is not a matter of it but when, and what type.”
Senior management must, the ACSC warns, weigh their investment in cybersecurity against other business needs and consider the overall level of cyber risk, their organisation’s exposure to such risks, and the potential whole-of-business cost that could be incurred if a serious cyber incident were to occur on their network.
“The costs of compromise are almost certainly more expensive than preventative measures,” the report’s authors advise.
As is so often said, however, the devil is in the details. Just what these preventative measures should comprise, and how they should be implemented, remains a significant challenge for many security strategists who are often so caught up in the day-to-day of fighting security threats that long-term planning remains an elusive and difficult goal.
For those that recognise the importance of cybersecurity but don’t know how to go about it, Australian organisations benefit from a proactive government that has worked in recent years to raise the bar for cybersecurity defences.
This attention, notes Carbon Black managing director for Asia-Pacific and Japan Kane Lightowler, has manifested as invaluable guidance from the Australian Signals Directorate (ASD) – whose Top 4 Strategies to Mitigate Targeted Cyber Intrusions have become a rallying cry for CSOs struggling to define and target their mitigation efforts.
“What ASD has been doing is fantastic,” Lightowler says, “because they’re taking real, factual observations and turning them into practical guidance and simple recommendations. This is cutting through the marketing noise and giving some of those organisations who are not as mature, simple steps to improve their security posture.”
Those steps – which include application whitelisting, patching of applications and operating systems and minimising administrative privileges – encapsulate a range of cybersecurity best practices that are held to be capable of blocking 85 percent of common cybersecurity compromises.
Application whitelisting, in particular, “is the most proven, effective way, by far, to prevent malware and unauthorised software from running in an organisation,” Lightowler says. “What the ASD has observed and recommended is definitely in line with best practice and the way that we see organisations moving around the globe.”
Organisations with mature cybersecurity practices are already likely to be practicing many if not all of the recommendations, but they also offer much-needed clarity for smaller organisations with less distinct practices, or those who are unprepared for the disruptive power of trends like mobility, the Internet of Things (IoT), and the cloud.
The new guidelines address more specific threats, including the disabling of untrusted Microsoft Office macros; blocking Web browser access to Adobe Flash Player, Web ads, and untrusted Java code; introducing multi-factor authentication; and conducting daily backups of important data.
Use of multi-factor authentication has become widely recognised as a critical capability in fighting abuse of user privileges – a tactic that was fingered in 81 percent of cases analysed in the DBIR – while regular and effective backup has been critical to business continuity for decades.
The rising tide of information about real-world attacks, driven in large part by a rush to embrace cloud-based threat-intelligence platforms that aggregate data about customers’ cybersecurity experiences, has given the industry a significant boost when it comes to developing cybersecurity strategies that are relevant to real-world events.
This, in turn, means that businesses looking to guidance like the ASD Essential Eight can rest assured that its recommendations are based on fact rather than vague assertions. They can also help prioritise financial and technological investments on the biggest likely vectors for compromise – and that, Lightowler says, makes them well worth embracing as technology and business executives work to proactively tighten their security environments.
“The big trend is going to be an increased focus on preparing for a response to a cyber incident,” he says. “This is really good data for organisations and it’s going a long way to increase the maturity of cybersecurity practices in Australia.”
Those practices are going to be put to the test as mandatory breach-notification laws come into effect early in 2018 – promising a host of new revelations as large organisations are forced to share detailed information about their real cybersecurity exposure and its effects.
If experiences to date are correct, many of the breaches to come will be the result of failure to comply with one or more of the protections outlined in the ASD Essential Eight – further reinforcing the case that forward-looking Australian companies should waste no time incorporating them into everyday cybersecurity practice.
“There are two main issues here,” Lightowler explains. “First, you want to reduce absolutely every risk, everywhere possible, to make sure you don’t get breached. But when you’re dealing with today’s sophisticated attackers, there is no such thing as zero percent risk – so the second issue is limiting the extent of a breach when it happens.”