Understanding Cyber Resilience: Key Strategies for Businesses

thank you for taking the time to attend our webinar my name is Sam and I'll be your host for today we do encourage any

questions you may have so please feel free to add them to the chat and we'll address them at the end um however we do

value your time so if we do run out of time we will email the answers out as well as a recording to this event uh on

that note I'd like to welcome Robert Buck founder and managing director of diamond it he'll provide an introduction

today for our webinar and our presenter Gavin Hall he's one of our business technology

Consultants uh so on that note over to you rob thanks Sam I do need to update that

LinkedIn photo I realized that um yeah it's making me look younger and younger every year so might need to update that

one um yeah so as Sam said I'm just going to do a quick quick introduction and um as you can see here we've got the

the classic um cyber criminal hoodie shot and this is obviously the internationally known uh symbol for Cy

cyber criminals and a strong recommend if you ever see someone in a hoodie like that sitting at one of the desks at work

um be very concerned because um yeah they they may be up to no good especially if you can't can't see into

the hoodie um so we've got this quote here and um we we try to keep our stats as as relevant as possible I think

sometimes you see these stats about um you know on average like $4 million and those sorts of things but they don't

really associate very well for small business um but as you can see still quite an expensive exercise as well as

the reputational damage that can come with that and uh they are increasing um I guess our message for

for a while now really is that cyber security goes beyond technology um it's a lot of the breaches

that occur frankly do um tend to occur for fairly simple reasons so even the Opus breach from a little while back now

uh it was basically a a fairly fundamental era from one of the software developers and the way these things tend

to get portrayed in in the media and I guess it's the the pr machines that that do this is that they're uh they they

love the term sophisticated attack um it is it it is the way they portray it but a lot of the time it is pretty much

something simple but I guess the problem is there's a lot of something simples and a lot of that to keep on top of so

that's where the concept of governance really comes in and just ensuring that all of those doors are closed is is a

job to itself the other thing I would say is that we're seeing more and more pressure

from external bodies um you know government as well as cyber insurers are really starting to lift their standards

so cyber insurers obviously they see what they get as claims and they study them and they see where the holes are

and so the pressure they put on their customers is typically related to what they're seeing as the major threats and

so one of the themes that we're starting to see at the moment um potentially have some customers who've been asking us

about this recently is mobile device management so I think gab's going to speak a little bit to that later on

that's just something that only around about 2% of organizations are doing at the moment but certainly a very um it's

it's just as possible to to have those sorts of breaches as others and I think we've got a stat that we've been talking

to customers about recently where about 80 million phones per year are lost or stolen and you need to make sure that

that's that door is locked as well because in the world of BYOD uh there might be some pretty

simple security measures that may not be in place so again I guess just to to wrap up my intro really this is about

governance of the way that you handle cyber it's not necessarily about having phenomenal um cyber Security Experts

it's really about just making sure that a lot of different doors are closed and if you can achieve that you put yourself

in a significantly better um position in terms of being protected so I'll throw back to you Sam thanks

everyone great thanks Rob uh certainly some ominous stats in there so our goal today is to provide you a holistic

overview um on how to approach cyber resilience so on that note I'm going to pass over to

gav thanks Sam so if we cast our minds back 12 months the media was full of news about

Opus medy Bank healthc care industry and many others almost every day there was articles about data breaches cyber

security and business technology personal information being compromised was at the Forefront of everyone's Minds

now if we fast forward today what do we see there's been strides in the legal space to strengthen Australia's position

on the approach of securing personal information you might have seen some articles about that recently at what's

happening at both the state and federal government level there's still data breaches cyber security attacks are

still being reported in the media that part hasn't changed some media subscribers might

view this as okay so 12 months ago we had a series of attacks works now happening to stop that from reoccurring

great but without trying to use the analogy of whacka Mall here the threat landscape has also Advanced

dramatically the use of artificial intelligence tools for example has exploded across many industries from

generating written documents to designing images and now it's being used in cyber attacks social engineering and

fishing were once easy to spot there was poor grammar bad spelling however many of these are now backed with AI making

it much harder for people to spot and last year Australians Alone lost over $3 billion to scams already you can imagine

how having AI behind this would take that number to a whole new level so today we'll be exploring this

holistic approach to cyber resilience and this slide is to indicate that will have a number of different

topic areas and a mix of themes that will run consistently throughout you'll begin to see how these themes come

together as we progress thanks G certainly some important themes in there for Business

Leaders to consider so with pressure mounting on Business Leaders let's start with cyber

accountability sure so we'll start here sharing a quote from the minister for home Affairs and the minister for cyber

security in that directors have a critical role to play here and they do need to lift their own cyber literacy

levels and we also need to really reinforce that point that this is a risk that can never be eliminated it can be

effectively managed however and so that quotes from last year 2022 we dial forward to uh a more recent quote from

the aicd this year we've got 53% of directors believe cyber attacks have have impacted their board's risk

appetite even more so than inflation and the co 19 pandemic so that begs the question then

what can be done to improve cyber accountability so just on 12 months ago it's actually October

2022 the aicd and csrc jointly published a set of princip Les that can be used to provide a

top-down approach and assist board members in meeting their accountabilities for those on the caller

who are familiar with these now is a great time to reflect on what you may have adopted within your teams for those

not so familiar we'll take a look at these now and I note that this report is freely available online and we can look

to provide a link to this after the session so firstly having defined roles and responsib abilities who is the

person accountable for information security in your organization do they have what they need to do in order to do

that effectively and what roles and responsibilities do third parties perform for you third parties are

engaged by many organizations but we need to remember that it comes back to the organization having accountability

and ownership of the risks having a cyber strategy to set the direction is very important this

provides boards and top management with an understanding of what is required for the organization to be able to achieve

its objectives in a secure way it also AIDS in The Wider business strategy formation it helps with planning and

forecasting not just from a financial perspective but also the changes necessary for security to support these

growth and expansion initiatives the size of these strategies is very dependent on who you are and

what you do it doesn't need to be a daunting activity for small and medium businesses but consider this an

opportunity to build capabilities in people processes and technology for example you might start small and this

year focus on beginning an essential 8 implementation and perhaps just reviewing the security risks of your top

three suppliers having risk management practices that incorporate cyber threats

and vulnerabilities provides a means for you to identify risk and how you want to manage them reporting and visibility

around this helps directors to satisfy their accountabilities but it also allows for a focused dialogue in teams

around what factors might be impeding you from meeting your goals which brings us to the fourth

point cyber culture what's being done in your organization to build that culture in the workplace it's an area that many

organizations do under invest cyber awareness training and fishing tests are excellent ways to start this

journey also incorporating cyber risk management practices into day-to-day process is a sure way to gain traction

because it involves the team at a Grassroots Hands-On level in these types of

activities and lastly having a plan for cyber incidents and rehearsing this is critical some organizations have what's

known as a BCP business continuity plan or Dr plan Disaster Recovery these types of things deal with business

interruptions and typically a lot of the content is around responding to fires floods utilities aren't available but

what we need to remember here is that a cyber incident response plan is specific now without getting into the details of

cyber incident response plans here it's important to rehearse the different incident types as a desktop exercise and

give yourself the opportunity to build out a Playbook as to how you might respond to these different threats so

for example if you had a ransom attack today when the attack happens and you're held

at Ransom how will you communicate with them who will communicate with them what type of help will you need who's going

to provide that where will you get it from communication what will you say to them how will you say it because it's

likely that Regulators insurers law enforcement and most certainly your customers will be wanting these details

and I'll be wanting it as soon as possible so to close out this section I'll just highlight here that some of

the themes that we've addressed here relate to strategy management and Leadership risk management as well as

incident response great thanks gav wow there certainly so much more to unpack there

at a later date maybe another uh webinar perhaps so we often get questions on how to stay up to dat with the everchanging

legal and Regulatory landscape where where do we start and what's coming sure so here we'll take a look at

a high level some of the changes happening in The Wider legal and Regulatory landscape that are likely to

impact across a number of Industries and we'll start that with saki security of critical infrastructure act now this

aims to build resilience across 11 industry types and 22 asset types these are areas considered

critical to the country so of those 11 industry types for example we're talking about things like defense industry

healthc care and medical Financial Services markets so organizations that are required to comply with saki need to

be actively managing risk in this context that includes cyber it's about ensuring critical services are available

for example we want to avoid a situation where a regional Shopping Center's ATM can't be accessed because of a bushire

in another state that sounds like a very extreme example I know but I make this point to

illustrate the need to consider the various types of risks faced by people controlling these assets it's Paramount

with a breadth of third- party relationships that we now work with so at a federal level you may have

heard about proposed changes to the Privacy Act this is getting a lot of media attention at the moment the Govern

the government recently published a report in response to over 100 proposals received from consultation about the

proposed changes I've picked out four points to talk about here today the first is the $3 million

exemption so that exemption for small business if removed would likely mean that small business regardless of size

would be would be requiring to comply with the Privacy Act we understand this could introduce new or additional

governance activities within many small businesses secondly the definition of personal information is proposed to be

widened no longer about but relates to an individual say that again it's personal information is no longer

information about an individual it's information that relates to an individual it's a it's a very fine

change but can have very broad implications for what that means in an organization for example a user Behavior

like location coordinates in a mobile app and similar things are relied upon by many organizations offering Digital

Services this type of information will likely need to be considered in terms of how is it collected what else is

collected that relates to an individual and how do we now keep that secure in a similar way that we secure names address

date of birth the Pia or privacy impact assessment is something that's been

around for quite a while now guidance for this is freely available on the OIC website however the proposal seeks to

mandate this to be undertaken when you're performing activities that are considered higher risk to the security

of personal information and the last Point here in relation to small medium business and

coming back to that $3 million threshold um by having that in place would

require data breaches to be reported within 72 hours so at a state level New South

Wales is actually leading the charge with this Queensland is likely to be a close follower with a similar set of

changes this New South Wales ppip which is essentially about providing transparency and mandatory

data breach reporting for public sector agencies in the age care industry many are poised

to see the release of a new data and digital strategy and what that means for The Wider industry we are aware there's

been struggles in this sector in terms of data availability integration as well as Legacy technology challenges it's

likely that the release of this will trigger review of many Age Care providers in their approach to

delivering it services and likely trigger some new projects within the industry and lastly on this slide APPA

CPS 230 so whilst APPA is being known as the supervisor of Australia's Financial system it's not a party that many small

to medium businesses may have encountered or even heard of I've included mention of their new standard

on operational risk here because it does include elements of business continuity and third party risk

management the breadth and depth of what this means to be implemented for even some of the larger Banks within the time

frame has been the focus of many industry discussions however the push to have

greater risk management of third parties can result in additional due diligence security risk assessment requests and

those targeted in small to medium business that are providing services to these larger

groups that could result in new contractual requirements or having to implement enhanced security and Risk

Management Solutions in order to be able to continue to provide those services so in summary for small to

medium business what can you do here with helping to be resilient firstly staying up to date with news as these

changes progress in particular Privacy Act changes and adopting the Pia the privacy impact assessment that I spoke

of these two points are really easil easily actionable and will help you give a much more much more informed view

about the type of personal information you're collecting how it's used or processed how it's controlled and stored

because it's it's easy to know where you want to get to when you know where you're coming

from so in this section we've explored risk management once again we've also explored the themes of Information

Management business continuity and data breaches thanks Kevin so the essential eight is effectively becoming essential

to organizations these days so what approach do you recommend for businesses to look to adopt these

strategies sure so up until now we've been talking about people and process but this is where we shift into

technology and we look at the essential eight now this was initially designed as a set of strategies that can be applied

to Internet connected networks in order to help you prevent limit and recover from cyber attacks so if we look at

those eight items four of those are focused around how do we prevent an attack happening application control

patching applications Microsoft Office macros and some hardening three of the controls relate

to limiting the impact of an attack done by restricting privileges having multiactor authentication and patching

operating systems whilst lastly daily backups helps recover from cyber incidents it's also worth noting that

there's three levels of maturity when it comes to implementing this and the strength if you like of these controls

increases as you progress up that maturity ladder it's also worth noting you can be at varying levels of maturity

at times for example you might be a level one at patching applications but you might be a level two when it comes

to backups so it's understood that various Australian governments and their

agencies have in fact mandated the essential a level one compliance um and there's been dialogue

about further lifting that to a level two a standard for government agencies however whilst it's not

mandated in the private sector what we can observe is this is becoming a contractual requirement in some

Industries particularly those that might interface with defense health or even dealing with the government and in some

cases that then leads to a need to undertake an anual ual attestation saying yes we have this or in some cases

a verification maybe that's an audit to make sure that you're complying with those contract

obligations and that in itself then drives about a process to need to make sure that what you have done is kept

current and accurate as your network changes and things improve situations change so I guess you might be thinking

what are the drivers for this obviously chains of compliance through contracts as one of them um in many cases it's the

risk posture that your clients have taken which then creates the need for them to ask you about having essential

eight it may come about as a result of your own risk assessments or even just following good business

practice the thing that many industry stakeholders like about the essential eight is that if you do nothing else

it's the simplest place to start building a healthy technology security posture you don't need to implement all

eight at once so if cost or resources are an issue you could potentially Stager this over a period of time and

you may wish to couple that with undertaking a risk assessment when doing that phased approach it's something to

consider as an inclusion in developing that cyber security strategy that I touched on

earlier so the themes that we've talked about here again um risk management is a feature business continuity again is a

feature related to this and we've talked about the essential eight being applicable to Internet connected

networks you might have noticed that subtlety when I introduced the essential 8 and I said that it was designed with

internet connected networks in mind but there's a plethora of other things that we use many of us use a PC at work

creating documents throughout the day sending emails and then we might use our own mobile phones for responding to

emails on the train on the way home it's so easy to connect and do what we need to

do so you might be thinking same same right but it's different the threats and vulnerabilities for different

Technologies may require different control sets so if we have a look at that as an

example in some or organizations um operational technology and Legacy systems have often been in

place for many years they can use unsupported software platforms which heightens the security risk it may also

require significant effort to retain these in a modern environment on the other side of the

page if we look at fast changing lots of organizations have mobile phones tablets which particularly

have software updat dates new apps and changes on the daily if we're also then allowing bring

your own devices it adds additional complexity as the organization doesn't have full control over these you don't

own them so you may then look to require to adopt a policy that provides direction to people on what is and isn't

allowed in the workplace with boo we also need to remember that where staff are using their personal devices

accessing company information like emails um they may also have company information saved on their own devices

but at the end of the day people go home and in some cases they share that device with kids or a partner and it may not

even have a pin code so for these reasons and more it's worth considering other devices in your overall approach

to security guidance is available from the Australian cyber security Center in

relation to mobile devices and it also has a detailed Manual of controls that can be considered for use in securing

other Technologies across an organization here we've touched on BYO devices mobile devices and operational

technology thanks gav uh the line between work and personal devices certainly has blurred of late uh this is

a segue actually to corporate governance which does play a large role in mitigating cyber risk so again where do

we start thanks Sam so um a lot of people start with Google if you try and search

the word governance in a search engine and then you click images you see diagrams that are just

full of words so to save this distraction and keep your attention here I've gone with a very short and brief

slide buckle up we won't be here too long governance is important when managing risk and again when I say risk

here I mean cyber and information security inclusive risk needs to be considered

throughout your process now large organizations have typically established policies and processes around many of

the things that we see here on the screen however regardless of size there's many common activities that take

place so think about your environment meetings are held decisions are made changes take place people come and go we

deal with external parties and often sometimes maybe things don't go to plan so what can we do to be resilient in

this space where you haven't established governance processes or you do have some but you're coming from a low level of

maturity some ideas that you can start to adopt help build resilience within the this space could be considering each

decision that you need to make what could go wrong and how would you deal with it if it did go wrong secondly when

it's time to renew contracts and agreements with third parties you might like to consider getting some external

assistance and undertaking a more detailed Security review thirdly when introducing new

changes think about what could go wrong with where what are the risks when we hire new staff we give them access to

systems and equipment do they need that access what can they do with that access for many smaller businesses the

introduction of governance can seem daunting especially again coming from that low Baseline of maturity so if

you're only just starting this journey you might like to consider making a goal that risk is your focus for the coming

month just pull together a really simple list of risks that you think you might

have and that gives you the basis of a risk register you can then use that at Team meetings maybe talking about two or

three points only in the beginning but it'll help you with engaging your team and start to build that cyber awareness

culture and embed this as start of as part of your ongoing process from there if you need some

assistance to qualif if the risk so do we understand what the risk is what can

happen um you may like to involve a discussion with an expert but once you've got that understanding you can

then much more easily quantify what the impact might be to you and your organization and lastly thinking about

how visible risks are do you have a way for your teams to identify and escalate these find a way to make it easy for

people to identify them perhaps a standard agenda item in team meetings having a way for people to report them

and consider it even within the processes shown here the takeaways from this is keep it

simple so if we look at governance on a Post-It note here Size Matters many of these challenges are common but they're

faced on different scales agil and building from fundamentals is important you can start

small and plan to build on things over time by including these in that cyber security strategy that we've already

spoken about and from a visibility perspective if you're not asking about risk you

might not be told what the risks are and therefore you won't know make sure it's part of the process and part of those

conversations in this section we've touched on leadership and management as well as risk management which you'll

Note have emerged in many of the prior topics today thanks gav love the Post-it note

analogy to keep things simple so to round out we often see firsthand with our customers how cyber insurance

requirements are changing constantly and driving security changes um can you provide some insights for us

please okay so when people first think about insurance a classic example that comes to mind is your car you you've

probably heard someone saying in the past it's insured if this happened or it's insured if that happened but within

the Cyber landscape the nature of threats and vulnerabilities are Ever Changing unlike cars where you can

possibly count the number of types of claims on your fingers maybe toes as well one of the trends that we're seeing

across Industries is the additional due diligence that insurers are looking for when providing that coverage quite

simply they're interested in what you do how you do it and what sort of controls you have in place to protect against

cyber threats and vulnerabilities because after all these are your business risks and you're

looking to transfer or mitigate these so naturally they are wanting to know this in order to assess the likelihood and

consequence and then get to what is the premium you might have received a questionnaire from an insurer asking

about this in the past sometimes they're brief maybe even a page in other cases they're many multiples of pages and

they're asking what sort of security items you have in place and going into great

detail so from a must have's perspective we observe there's a number of controls

that have vastly becoming the norm now from an insurer's perspective do you have multiactor authentication what are

you doing about protecting end points is there training undertaken for staff have you got some kind of plan in terms of

how you respond to incidents and do you have backups now if we look at those items

alone and we look at it through an essential eight lens these items here shown on screen are very much about

preventing attacks and then with the backups recovering from incidents but the landscape is changing

and so what we can see now is that insurers are asking for other information about other areas for

instance top management how engaged are they with security risk assessment how engaged are they with the manage

management activities of those risks we talked about the essential eight earlier but there's an expanded interest in that

particularly around now how do we limit the impact of attacks and there's also an emerging Trend to get more

information about what is being done to protect against other vulnerabilities that could be vulnerability scanning and

and that is a term I know can be interpreted quite widely but it may be as simple as running a scan to make sure

that systems are up to date with the latest patches penetration test is another one that that can be seen on

these questionnaires where attempts are made to essentially hack into you um and then seam sock which is a very

interesting one so that stands for security incident and event management and Security operation Center

so this is a solution if you think of it like a bucket it ingests or takes in all kinds of different journals and logs

from different systems so maybe it's 365 maybe it's Windows events and others and then it works to analyze these before

alerting a security team where there's an anomaly these things typically run 24/7 and um as an example it might be a

case of someone has logged in from an unusual location and straight after that we start to see a lot of um high traffic

of files being transferred out of the network it looks to analyze those different logs as a series of events and

then trigger alerts so that sounds quite sophistic ated but it's many of these emerging

items that are starting to feature on those due diligence and questionnaire forms and we can expect to see them more

commonly adopted perhaps over the medium and longer term and I guess to round out this

section insurers want to know about your risks and what you're doing to manage them so we've touched on here insurance

as a topic contractual requirements and risk management and so if we pull all of this together

and circle back to the themes that I shared at the start and touched on at the end of each section we can see

throughout three things really stand out here data breaches risk management and business continuity if we know the data

that we have where it is how it's protected and we're able to identify and appropriately manage the risks that we

have we're then in a much better position to make sure that our operations continue uninterrupted and

that we're better placed to handle incidents so what I'm saying here is that these areas are Paramount in

building cyber resilience and a core elements across all of those five topics and for inclusion into that cyber

security strategy so where to start when initiating this holistic approach if I

recap one point from each of the sections that we've spoken about today the first is having that cyber strategy

it really helps bind the organization and provide that direction it informs budgets and activity planning it

provides the foundation for change secondly being aware of that Regulatory and legal landscape and

asking yourself what what are the privacy and data risks that we face as a result of the decisions or the changes

that we're making on the essential 8 make it part of your journey but don't forget about

other devices embed cyber risk activities into existing processes and engage frequently

on these and from a cyber Insurance perspective consider what do you need in

terms of cover what controls might you need to adopt in the the future to manage that risk

profile and so at this point I'll touch on how Diamond it can help in this space we can assist with the preparation of

cyber security strategies policy development we can provide support and Analysis to conduct privacy impact

assessments we can assist in many facets of risk management which does include checklists um third party supplier

assessments we can help prepare cyber incident response plans we can also facilitate mock exercises of these and

again those mock exercises a few people in a room for a short space of time cyber awareness

upskilling whether that's face-to-face or online training we can assist with the essential eight and mobile device

management implementations and for organizations that might have some skill sets or some

subject matter experts internally if you just require aist assistance for General business analysis or perhaps some

project management and cyber security Consulting we can help there as well oh great thank you Gavin I tell you

I'm I'm in awe of your knowledge across all of these areas um I'm sure today's presentation is just the tip of the

iceberg uh and I'd like to thank everyone um who joined us today for taking the time to attend this webinar

there has been a lot of information Pres presented which we will summarize and make available with resources and links

for more information that Gavin may have touched upon um during the presentation as well as a copy of the webinar and in

the meantime please do reach out if you'd like to discuss any of the content presented today