Organisations, their business functions and their systems of systems are increasingly dependent on cyberspace, and attacks in cyberspace are no longer limited to simple discrete events such as the spread of a virus or a worm, or a denial-of-service attack on an organisation. As we see in the many newsfeeds that hit our desktops every day, campaigns are being waged by advanced persistent threats, involving persistent and sophisticated attacks aimed at establishing a foothold in an organisation and deploying a set of resources and controls that an adversary can hold and execute at a time of their choosing.
They will then exfiltrate sensitive organisational information for the purpose of working with other cyber criminals on the dark web to get the biggest bang for their buck. Ransomware attacks are commonplace; recent examples include the Colonial Pipeline hack and JBS Foods, which paid $14m to ransomware attackers in early 2021. Yet despite this, some organisations still choose to take only a light touch to Governance, Risk and Compliance (GRC) activities, because it means a continuous commitment to invest in assurance activities, and this is a new expense that hits the organisation’s bottom line with no clear payback beyond not being offline and/or inconvenienced.
Those assurance activities include the policies, procedures and processes to manage and monitor an organisation’s regulatory, legal, risk, environmental and operational requirements, which help inform the leadership team of the organisation’s cybersecurity risk and posture. Organisations that opt to gloss over the governance requirements and concentrate only on ticking a checklist to get past the first management hurdle of GRC are generally doing so to save time and money.
A cyber security audit is designed to be a comprehensive review and analysis of your business’s IT infrastructure, processes, policies and people. The audit is as much about understanding the culture of an organisation as it is about understanding the decisions made by its executives with respect to risk. Ultimately the outcome of an audit is to learn about the weaknesses in your environment and to implement controls that mitigate the risks by embedding repeatable processes that continue to build a resilient capability. An audit should be viewed as a tool to help mitigate the risks and to help your executive understand whether their organisation has embedded the correct controls to protect it and whether those controls have been effective; at the very least, the GRC hygiene will serve as a baseline of maturity for your organisation’s level of cyber resilience.
AUSCSEC will work with your team to discuss what is in scope in accordance with your organisation’s business objectives and the optimal acceptable cyber security posture your leadership team has agreed on. When you have agreed to accept an exemption, and when you rule one out, we will provide you with an audit trail to keep track of your business decisions.
We know that your organization will have a set of agreed prioritized activities that are well understood and that this information will help inform cybersecurity roles and responsibilities within your organization, and the risk management decisions made by your executive leadership team.
The audit should identify any threats, vulnerabilities and risks. “You cannot secure what you cannot see”: AUSCSEC makes it possible to see the forest for the trees and speaks to you in your language about how to improve your security posture.
Aside from basic cyber awareness training and understanding the security culture of your organisation, one of the first things an audit will determine is the state of your asset management system, to help understand the age of your fleet and the version levels of your software, hardware and firmware as a baseline. Along with this, the data, personnel, devices, systems, applications and physical facilities that help your organisation achieve its business purpose are identified and ranked consistent with their relative importance to the business objectives and the organisation’s risk strategy, as are third-party stakeholders, suppliers, customers and partners, and your organisation’s role in the end-to-end supply chain.
All of this information helps to inform your organisation’s resilience requirements and whether they are appropriate to enable and support the delivery of critical services to your customers. What you have in place may not be effective enough to ensure the resilience of your organisation. AUSCSEC will work in co-design with your team to help you understand any weaknesses in your environment and show you how to implement controls that mitigate the risks by embedding repeatable processes that continue to build a resilient capability.
Building these standards, guidelines and practices enables organisations to identify and describe their current cybersecurity posture and describe their target state for cybersecurity. Additionally, AUSCSEC can help identify and prioritise opportunities for improvement within the context of building continuous and repeatable processes. Ideally, this also enables clear communications among internal and external stakeholders about your acceptable cybersecurity risk and defines a clear roadmap to maximize cybersecurity resilience at a cost that suits your budget and timeframe.
Real Life Example:
Many business leaders now understand that building cybersecurity is a real challenge for them, and that it is not a matter of if, but when, they will come under attack. In fact it is no longer considered an individual problem: as we have seen in recent events, protecting your own patch is not good enough; you also have to understand your end-to-end supply chains and your third-party application interactions. Everything is inherently connected by default, and the cybersecurity vulnerabilities of anyone you interact with for your business can now also leave you vulnerable and at high risk.
You don’t have to go far to see the lengths to which cyber criminals will go in threatening our way of life, our economy and our national security. The ransomware attacks on JBS Foods and Nine Entertainment during early 2021 alone are a reminder that, if successful, these criminals have the potential to bring a nation’s critical infrastructure to its knees and demand a ransom to bring it back online, and if you are lucky they won’t sell your information to the highest bidder once you pay the ransom. Nine Entertainment warns that ransomware recovery ‘will take time’.