Cybersecurity Governance – the four cores to know

In past articles, we have looked at the four cores of managing cybersecurity – securing your people, your communications, your data, and your technology.

This is achieved through awareness training, best-practice policies and procedures, and selective technologies. These are the foundational components that every business is expected to implement for security. Oversight of these policies and procedures, however, falls to the Board and C-Suite executives.

According to the New Zealand National Cyber Security Centre, “Boards and executives are ultimately responsible for the outcomes of any cyber incident, including the impact on stakeholder and customer confidence.” This therefore demands that these business leaders have a clear understanding of what is required to create an optimally secure business.

To this point, Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. In order to meet these demands, a sound knowledge of the four cores of cybersecurity is a must. In this instance the four cores relate to the governance, legal, financial, and insurance practices of the business. The NZ Privacy Act of 2020 stated that an organisation must now report any breach to the Privacy Commissioner, along with their clients, stakeholders, and interested parties. To add insult to injury, all breaches are accompanied by a financial penalty.

This is effective governmental leverage for implementing best-practice cybersecurity assurance in industries across New Zealand. Legislation is also currently being written that will hold Board and C-Suite members more directly accountable for the cybersecurity posture of any organisation they manage, as is already the case in other countries. Simply approving or cutting a cybersecurity budget is no longer enough.

As the saying goes, if you think compliance is expensive, try non-compliance. Recovering from a ransomware breach and then building the correct cybersecurity management structure is far more costly than putting the right controls in place from the start. There is no return on investment (ROI) when it comes to cybersecurity implementations. Their purpose is to protect the ROI on the products and services that make you profitable and keep you in business.

Cybersecurity insurance packages come in different configurations based on multiple factors for each case. Picking the right package depends on knowing the protections and gaps in your business. Knowledge at the Board level of what is in the Risk Assessment and Treatment plan is a requirement for purchasing cyber risk insurance. Each of these areas depends on the knowledge that the Board and C-Suite have of the organisation’s cybersecurity posture – its governance.

It’s no longer enough to blindly approve policies and budgets without knowing what’s in them, and more pressure and accountability will be placed on the C-Suite to get it right. Discount it at your peril. We understand that most business leaders “don’t know what they don’t know” when it comes to cybersecurity governance. We therefore always recommend (and offer) a professional cybersecurity audit as the best place to start.

An assurance audit conducted by an independent professional outside your IT department or service provider will offer a fact-based objective report of your current cybersecurity governance and management posture. This gap analysis helps determine where resources need to be directed and, in some cases, might help recommend an international certification such as ISO 27001.

Cybersecurity is the right balance of governance and management; one depends on the other. Commitment at the Board and C-Suite levels demonstrates leadership and sets the tone for staff to follow.

Getting the Basics Right

Every business, regardless of industry or size, is vulnerable to cybersecurity attack; that’s just a fact, and your business is not immune. As of the writing of this article, there’s an uptick in attacks across New Zealand in both the retail and manufacturing sectors, businesses that would normally be considered low on the radar, and that will only increase in these and other unexpected segments during the year.

According to CERT NZ, 2021 was a busy year with 8,831 cyber incidents reported and combined losses of over $16.8 million (these are just reported cases). The primary causes of these incidents were phishing and credential harvesting, scams and fraud, and malware, with phishing showing a significant increase in numbers.

I often hear, “We don’t know what we don’t know,” with many businesses adding that they’re not experts in cybersecurity. Covering the basics doesn’t require a specialised skillset or a large financial expenditure. There are four pillars of cybersecurity that every company should cover: securing people, securing communications, securing data (note: this was inadvertently missing from our last article), and securing technology.

Securing People

As noted above, the primary causes of cybersecurity breaches are phishing, credential harvesting, scams, and fraud, all of which rely on direct interaction with people. Training employees to look for anything out of the ordinary and to take precautionary steps helps reduce the risk of exposure. Properly trained employees become your human firewall and first line of defence.

Securing Communications

Using technology to secure your inbound email and other communications works in concert with securing your people to reduce the initial attack surface. Products such as Trustifi can also help businesses secure outbound email traffic, which is the main source of cyber activity. Intercepting and misrepresenting emails in transit to recipients are ways cybercriminals deliver malware and harvest business and employee information. Protecting confidential information such as invoices, contracts, etc. is especially important.

Securing Data

As our businesses grow and we’re on the move more, the value of having our data up to date and accessible everywhere increases. Platforms like Office 365 and Google allow us to work collaboratively and provide us with that mobility and some extraordinarily powerful tooling. SharePoint, office applications, OneDrive and email everywhere are important in today’s business world. In addition to protecting access, securing data means being able to back it up and retrieve it if lost. These platforms offer limited and complex backup options, which spells trouble if you need your data now and it’s vanished. There are, however, some very good cloud-to-cloud solutions to secure your data and give peace of mind.

Securing Technology

Securing PCs, laptops and other mobile devices is the last line of defence. Should something slip through your people and communications layers, having next-generation antivirus technology on those devices is critical. Relying on the off-the-shelf brands we’ve long known is not going to stop many of the advanced malware and attack methods. You need something built for a business environment.

All or any combination of the pillars mentioned here will go a long way to establishing reliable, resilient cybersecurity as the key to defending your business. Carefully selecting the right products and combinations is important, and the good news is that many of the technologies cost about the price of a coffee per month. A small price to pay for a big sense of relief.

Making Security awareness a habit

Looking forward to 2022, we can expect another period of dealing with the invisible and deadly COVID-19 virus. Three years in, it has changed how we live, work and interact with others nationally and globally. We have trained ourselves to keep to our one-metre distance in public places, wash our hands thoroughly, and use sanitisers.

We wear masks and use technology to track our activity in case of possible exposure, to communicate sites of interest and, more recently, as a vaccine pass. It’s true to say that these measures have worked, and it is also true that we will have these methods at the ready once we get past this season of the disease and see another pandemic coming our way. But as much as it has disrupted our personal lives, it has also affected our businesses. It has upset inbound and outbound global supply chains, put burdens on hospitality, increased remote working from home (turning our homes and lives on end), and meant meeting online at all hours of the day and night, not to mention reading and responding to more emails than we would like to.

And that has also seen us come across an increase in other invisible, deadly killers to business: forms of malware, delivered primarily via email phishing to unsuspecting individuals or through vulnerabilities in weak and underperforming technologies. So for every notable reported attack (the NZX in 2020 and the Waikato DHB in 2021, for example), there are an untold number that go unrecognised and unreported.

All of the cybersecurity predictions for 2022 and beyond are pretty much alike: expect more, expect worse, and expect harsher damages from attacks. We will see an increase in ransomware and in attacks against mobile and IoT devices, a rise in frequency, and more sophisticated methods of avoiding detection.

What can you do?

An Information Security Management System (ISMS) is not just an assortment of technology; it is the collective set of methods that a company employs to achieve its cybersecurity goals. Most companies have some form of implementation (or parts of one), but differing requirements and inconsistent ways of meeting them typically let them down. Here are four common suggestions and steps for every business in 2022:

  1. Conduct a cybersecurity assessment

I hear a lot of, “We don’t know what we don’t know,” and that is precisely what hackers exploit. An audit performed by an independent cybersecurity professional outside of your organisation or service provider will ensure an evidence-based, impartial review, define gaps, and make appropriate recommendations, and it is well worth the cost. You wouldn’t let your accounting department do your financial audit, and likewise you should look outside for your cybersecurity review.

  2. Understand and incorporate good governance

The NZ Privacy Commissioner revised the Privacy Act of 2020. It has new rules and penalties around digital information and for failure to recognise and protect the privacy of your stakeholders.

They have a free short 30-minute e-Learning course that will help you and your employees get to know the regulation. Combined with appropriate policies and procedures, they set the tone that management takes the security of the business seriously, thereby protecting the needs of all employees, suppliers, and customers.

  3. Apply three pillars for protection

There are three foundational pillars of cyber protection that every business and individual should adopt to defend themselves against harmful threats: training (securing people), email filtering (securing communications), and deploying next-generation antivirus (securing technology). These three methods are similar to the preventive measures we apply to COVID-19. Individually, they won’t prevent an attack, but together they help reduce the risk and damage from one.

  4. Stay aware

CERT NZ, SecurityBrief NZ, and other security bulletin websites can provide knowledgeable, timely information about what is happening in New Zealand. Just ten minutes a day is all it takes to stay ahead of the game.

Unlike COVID, threats from cybersecurity attacks will never go away, and like COVID, everyone is a target. So vigilance and resilience are our number one defence, and taking it seriously now and every day is the only way to guarantee your cybersecurity looking forward.