NSW government's new cyber security strategy
Today, the NSW government launched its new cyber security strategy. The strategy is aimed at boosting public sector capability across government departments and agencies. It comes off the back of a call earlier this year by the NSW auditor-general for urgent action to improve the ability of state government agencies to detect and respond to cyber security incidents.
This is a step in the right direction for the government, which needs to take a more strategic approach when it comes to detection and response. But beyond the public sector, the same urgency should extend to non-government organisations as cyber security threats and cybercrime continue to increase in Australia, costing the economy up to $1 billion a year.
Private sector at risk of cyber security attacks
There is an indication that all organisations are bracing themselves for the heightened threat environment. Earlier this year, the Notifiable Data Breaches (NDB) scheme marked a major step in policy which ensured that organisations improved their security posture. After the scheme was implemented in February, the Office of the Australian Information Commissioner (OAIC) reported 63 data breach notifications in the first six weeks and 242 data breach notifications between 1st April and 30th June. Of these breaches, the healthcare and financial sectors were the hardest hit.
The OAIC’s reports are something we discuss frequently with customers. In many cases, organisations have either made the wrong start on their security journey or do not know where to start in order to detect and respond to attacks in a timely manner. The greatest thing about the NDB scheme is that it shone a light on the areas that organisations need to focus on. It is also giving us some great insights into the types of attacks we are seeing in organisations and, as a whole, we know where weaknesses are and what we have to work on.
The most recent report shows that nearly 60 per cent of breaches have been a result of malicious attacks, which organisations should be able to detect and prevent. 74 per cent entailed the theft of credentials, which should be easily preventable with multifactor authentication. 29 per cent of attacks were through phishing scams, which can be better managed with greater education and training on cyber awareness across the organisation. With these issues being brought into the spotlight and organisations becoming more aware of what the problem is, they’re already on their way to finding the right solution.
Security visibility key to risk mitigation
In the current landscape, government departments and agencies are facing multiple challenges when it comes to defending their cyber security. The biggest problem is where to start. It’s a huge undertaking to gain visibility of the whole organisation and detect all types of attacks immediately. By taking guidance from the OAIC’s reports, organisations can focus on the crucial parts of their environment which are under threat and gain visibility in the right areas of the IT network.
When organisations implement a security information and event management (SIEM) platform purely for compliance, it can take too long to identify threats. The best approach for any organisation is to take a risk-based approach to gain the right level of capability in a more timely manner.
It’s not just about technology – people and processes are a major part in protecting an organisation’s cyber security. In parallel to technology, organisations need to develop security capability from a people point of view. This extends beyond IT professionals to all staff, who need to better their cyber security awareness. Automation and machine learning are changing the way teams are working. The heavy lifting can now be done by tools so that teams can focus on higher-value tasks and enhance the effectiveness of the organisation’s cyber security.
Cyber security threat management traditionally focuses on cyber security controls in an organisation, but visibility needs to be expanded to all systems in an organisation. Phishing attacks are normally very difficult to detect using traditional security controls, so you need to look at the behaviour of systems and users in an organisation to detect more advanced attacks. With visibility of all IT systems and applications, you expand the lens of visibility. Applying more advanced technologies like behavioural analytics to a broader dataset will help improve cyber security.
The auditor’s new strategy for NSW calls out the need for government organisations to investigate what actually happened, not just the attack itself. For this, the right data will have to be inserted into the right platform. It won’t be long before we see other states adopt the same policies. Victoria has already embarked on a similar initiative and the federal government has invested $17 million into cyber security over the next four years.
While the NSW government is taking a step in the right direction, cyber criminals continue to adapt and get more sophisticated. We need to ensure we have the right recommendations and guidelines in place to enable the right security control methods. This is especially important in government, where ample sensitive data needs to be protected.
Article by Simon Eid, Area Vice President, A/NZ, Splunk