CYBER RESILIENCE MAINTENANCE

Problem Statement:

Each organisation’s risk is unique, and the way it delivers its business outcomes is inherently unique, shaped by the tools and methodologies used within its ICT and business environment. Each decision made is based upon a clear understanding of the organisation’s critical services that support business decisions, the data produced to provide evidence for that decision, the potential cyber security risks considered, the critical business assets, its drivers for change, and its duty of care for the safety of individuals within the organisation.

This reliance on tools, technology, communications and the interconnectedness of ICT systems in general has changed and expanded the potential vulnerabilities and increased the potential risk to operations. So even if you think you’re “good”, the chances are you still need to dig in and identify where your most critical cyber security risks are, and how you can continue to combat them through an ongoing program of work that reduces your legacy debt as well as identifying your most exposed and vulnerable critical assets.

Your organisation may have enlisted the services of cyber consultants to assess your organisation’s cyber status; they have assessed your environment and provided a number of recommendations that you have implemented, and you have now reached your utopian state of being “Cyber Resilient”. All is well in your cyber security world, isn’t it? Or is it? It is not uncommon for organisations that become cyber resilient, after having invested a lot of time, effort and funds in achieving it, to simply schedule an audit/assessment as an annual event, with management saying “we’ll monitor our cyber status on an annual basis”, frequently as part of their normal financial statement audit processes.

None of this is a problem other than:

  • cyber criminals do not work on an annual basis; they are continually working on new and sophisticated phishing scams to hook your staff, and thus your organisation.
  • your organisation will probably have staff turnover and new starters who need awareness training on a regular basis.
  • your organisation will probably get new players involved in its supply chain, and there is an assurance process you will need to complete to ensure they are secure in their dealings with you, and that you are protecting yourself until they are.

This list goes on and on; the fact is that maintaining cyber resilience is a program of work that is continual from the moment you become resilient. It does not have to be expensive, but you do need a program of work co-designed with you to maintain your newly found resilience. It will contain your annual audit process and regular program of work, but also much more that must be dealt with before the annual audit, much of it repetitive with varying degrees of frequency, including such basic requirements as daily checks of staff logons and renewals.

Service Description:

AUSCSEC’s Cyber Resilience Maintenance service draws on all of AUSCSEC’s other services and capabilities to help you co-design a program of work to maintain cyber resilience. AUSCSEC consultants have been through this process many times before in both the public and private sectors and are very adept at developing such programs of work so that they are not cumbersome and expensive to maintain, but are nonetheless highly effective.

AUSCSEC consultants also have a broad skill set across the IT environment and can provide advice on Executive IT Management, IT Infrastructure Management and Operations Management, and consequently help you organise your IT resources around this new program of work.

Benefits:

The benefit of having an AUSCSEC consultant jointly design a program of work for you is that you can rest assured you are doing everything you can to secure your business environment and keep it secure. So instead of resting on your laurels, you will be able to feel that you have got your organisation into its most resilient state possible now, and that you have a program of work in place to maintain it. Of course, the biggest benefit, from a financial and effort perspective, is that your program of work will be far less costly to operate as a business-as-usual activity than the assessment and remediation process you must go through when starting from scratch, which is what you will be doing if you only conduct an internal audit annually.

Real Life Example:

In early 2021 we noted a ransomware attack on a notable Australian company, which had refused to pay the ransom and managed to bring itself back online after a very extensive outage, months in fact, with assurances that it was secure and resilient when it came back up. Unfortunately, within two weeks it was down again, because its newfound resilience was simply a point-in-time solution, and a lot can happen in two weeks, especially when you do not have that program of resilience maintenance in place and operating.