Nine steps towards building better security resilience

Australian organisations have taken a keen interest in building resiliency to adverse conditions, particularly those related to cybercrime, but there is more to do to mature these approaches

For business leaders, the past two years have really crystallised what is and isn’t important. People are crucial to our ongoing success and growth; culture is king; and above all, across people and technology, we value resiliency: to change, to crisis, and to whatever else our operating environment throws at us.

A recently released ‘barometer’ shows “Australian companies are building resilience as they navigate a succession of crises”. It calls on businesses to create a “holistic, 360-degree strategy” to address threats to their digital ecosystems, noting that “the risk of cyber attacks and threats … is the top concern for both Australian and G20 organisations in 2022.”

This is far from an isolated perspective.

The Government’s own cybersecurity advisory recently implored Australian organisations “to improve their cybersecurity resilience in light of the heightened threat environment”, which includes ongoing ransomware and malware infections, and the risk of state-sponsored attacks.

There are some encouraging signs in the space. Dataminr research from this month shows that almost all Australian businesses “have invested in their business’ resilience, with 25% having invested over $100,000 between 2019-2021.”

However, the same research also concludes that “resilience has become a priority but not necessarily a reality, and businesses remain unprepared for risks despite the high-impact events in the last 24 months.” Cybercrime, it finds, remains a particularly palpable risk in the eyes of business leaders.

For organisations and their leaders to get ahead of cybercriminals and build resiliency measures, they should aim to take the following nine key steps.

Understand risk

Cyber resilience must be a primary focus of boards and senior management. It’s not something that can be left solely to the CIO. Executives should be able to demonstrate understanding in this area, and commit to periodically reviewing the organisation’s exposure to compromise. Regularly addressing the risk of cyber failure and ensuring that cyber resilience is built into all aspects of business and operating models is crucial for reducing the company’s exposure to cyber compromise.

Understand consequences

We can all comprehend how a prolonged breakdown of cybersecurity in the telecommunications sector, the banking industry, or an airline could be catastrophic on a national scale. It’s why critical infrastructure operators in Australia now face regulated cybersecurity responsiveness obligations. At the small and medium-sized business level, however, cyber disruption can be equally disastrous both for the organisation and for the customers who have placed their trust in it. For any organisation, the failure or disruption of operating systems or the compromise of sensitive, personal data will be reflected in its reputation, credibility, and, ultimately, profitability and licence to operate.

Inventory systems and data

Accurate assessment of risk and the consequence of failure is facilitated by a clear understanding of an organisation’s IT systems and of the data it holds. If boards and senior management understand the value of their data to those of malicious intent, if they know where that data is, how it is protected, and who has access to it, then they are in a stronger position to implement a cyber resilient business model.

Practise good cyber hygiene

The Australian Cyber Security Centre has developed a list of 35 strategies to enhance cyber resilience. While some are complicated and need the support of experts, simple strategies like regular patching of software and operating systems, password policies, multi-factor authentication, and application whitelisting will help mitigate about 85% of the current malicious intrusions.

Backup and response plan

There have been enough publicised instances of malicious destruction of data, or denial of access to data (as with ransomware), that building system redundancy and regular, ideally real-time, backing up of data and records is a necessity. Redundancy and backup systems are essential to recovery after a successful attack. Boards also need to ensure that their response plans are exercised regularly and can be implemented immediately if an attempted attack is detected.

Malware protection

There is a growing range of off-the-shelf anti-malware systems. Cybersecurity technology companies are developing solutions that have moved beyond the concept of firewalls into predictive analysis, providing deeper layers of security.

Invest in cybersecurity

Investment in cybersecurity can never be a one-off activity because the threat landscape is ever changing. Effective cyber resilience requires continuous investment in the upgrading and refining of protective systems as a normal cost of business.

Empower your people

Cyber resilience requires the active participation of all staff. Without regular training and security skills upgrading, company expenditures on the most sophisticated protection systems will be less effective. A strong security culture creates an environment where peer behaviour reinforces positive security practices.

Consult cybersecurity professionals

Cybersecurity can become so complex that few companies can afford the expertise and resources to achieve cyber resilience on an in-house basis. Access to professional advice on cybersecurity is essential, as attack methodologies proliferate and grow in sophistication. Managed service providers have the expertise to assist companies with professional advice and customised software solutions. What can never be outsourced, however, is the responsibility for cybersecurity within an enterprise.

Resilience is now a must-have element of culture and organisational DNA. All organisations can expect their resiliency to be tested at one time or another, and with an increased cadence due to the rapid pace of change generally. By maturing resiliency strategies and approaches now, organisations can be best prepared for when their test comes.