SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Time to give your security setup an end-of-year clean?
Fri, 15th Nov 2019

With the holiday season just around the corner, it's time to embark on the annual end-of-year clean: garages, closets and, if it's been a while since you brushed away the high-tech cobwebs, your organisation's cybersecurity arrangements.

Doing so has never been more important.

The risk to Australian organisations posed by hacking attacks and data privacy breaches is real and rising and the stakes are higher than ever.

Australia's privacy watchdog, the Office of the Australian Information Commissioner, has the power to impose fines of up to $1.8 million on companies which experience serious or repeated data breaches and those which fail to remediate incidents appropriately within the prescribed time frame.

Companies that deal with customers who are EU citizens may also be subject to the bloc's extraordinarily stringent GDPR privacy legislation.

It allows privacy bodies to issue fines of up to 20 million Euros, or four per cent of global turnover, to large organisations which breach the privacy of EU citizens.

For companies which have been hacked or breached, fines can be just one of many entries on the expenses ledger.

Remediation, repair and legal bills, coupled with the cost of operational downtime and damage to business reputation, should key systems be knocked out, can run into the millions.

They did for listed property valuation firm Landmark White, Australia's most recent cybersecurity cautionary tale.

The firm is battling to stay afloat after two major data breaches earlier this year resulted in lengthy suspensions from the ASX, the loss of a CEO and suspension from the valuation panels of several major banks.

The cost of the first breach alone was put at $7 million.

Prevention is inevitably cheaper than cure.

And in the event that you do experience an incident, your preparation will put you in good stead to rapidly and accurately respond.

Taking the time to polish your protection measures this spring will ensure your enterprise is on firmer footing, if and when hackers and cyber-criminals come calling.
Here are some items to include on your task list.

Pursuing a patch perfect program

While ingenious assaults grab the headlines, many cybersecurity attacks succeed because of something that's both pedestrian and avoidable: unpatched vulnerabilities.

Research repeatedly shows that many businesses are slow to apply updates, frequently taking more than three months to do so.

It's a fact hackers are well aware of – and are all too willing to exploit.

Attending to your unpatched programs as part of your spring cleaning drive, and implementing a regular patching schedule, will reduce the odds of falling victim to an opportunistic attack that need never have occurred.

Improving the visibility of the network

Ransomware attacks have hit the headlines less often in the past 12 months than was the case a few years back, when malware programs like WannaCry and NotPetya crippled scores of major organisations around the world.

That doesn't mean they've gone away.

Ransomware attacks remain a significant threat to Australian enterprises.

Increasing the visibility of the network—especially of vulnerable protocols like RDP and SMB1—is one way organisations can improve their odds of repelling such an attack successfully.

Machine-learning-based tools that flag suspicious activity more quickly buy precious extra time to respond before encryption is completed, and can help stop such attacks in their tracks.
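The article's recommendation to watch RDP and SMB1 traffic can be turned into a concrete visibility check. The script below is an added example, not code from the article or from SecurityBrief: it parses a constructed firewall/flow log (the line format, the internal address ranges and the sample entries are all assumptions) and flags two things a defender would want surfaced early in a ransomware scenario: RDP or SMB reachable from addresses outside the organisation's own ranges, and SMB sessions negotiated with the SMB1 dialect string `NT LM 0.12`.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log, not taken from the article.
# Fields: timestamp, src_ip, dst_ip, dst_port, protocol, negotiated SMB dialect (or "-")
SAMPLE_LOG = """\
2019-11-15T09:00:01Z 10.1.4.22 10.1.4.50 445 tcp SMB 3.1.1
2019-11-15T09:00:07Z 10.1.4.31 10.1.4.50 445 tcp NT LM 0.12
2019-11-15T09:01:15Z 198.51.100.17 10.1.4.10 3389 tcp -
2019-11-15T09:02:40Z 10.1.4.22 10.1.4.10 3389 tcp -
2019-11-15T09:03:02Z 203.0.113.9 10.1.4.50 445 tcp NT LM 0.12
2019-11-15T09:03:30Z 10.1.4.22 10.1.4.60 443 tcp -
"""

# Assumed organisation-internal ranges (RFC 1918). Anything else is "external".
# Note: ipaddress.is_private is deliberately NOT used, because it also treats the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample as private.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# "NT LM 0.12" is the dialect string an SMB1 client negotiates.
SMB1_DIALECT = "NT LM 0.12"
WATCHED_PORTS = {445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    service: str
    reason: str


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(log_text: str) -> list[Finding]:
    """Return one Finding per visibility concern in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=5 keeps the dialect string (which may contain spaces) intact.
        ts, src, dst, port, _proto, dialect = line.split(None, 5)
        service = WATCHED_PORTS.get(int(port))
        if service is None:
            continue  # not a protocol we are watching
        if is_external(src):
            findings.append(Finding(ts, src, dst, service,
                                    f"{service} reachable from external address"))
        if service == "SMB" and dialect == SMB1_DIALECT:
            findings.append(Finding(ts, src, dst, service, "SMB1 dialect negotiated"))
    return findings


def summarise(findings: list[Finding]) -> Counter:
    """Count findings by reason, for a quick triage view."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.src} -> {f.dst} [{f.service}] {f.reason}")
    print(dict(summarise(results)))
```

On the constructed sample this yields four findings: two internal-and-external SMB1 negotiations, one RDP connection from outside the internal ranges, and one SMB connection from outside. The internal SMB 3.1.1 session, the internal RDP session and the HTTPS line produce nothing, which is the point: the rule set stays quiet on expected traffic and speaks up only where the article says exposure matters.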

Auditing your armoury to see whether there's a place for these solutions should be top of the seasonal To-Do list.

Tidying up your cybersecurity training program

Software solutions to stop hackers and cyber-criminals in their tracks are only one element of a strong cybersecurity posture.

Regular cybersecurity education, for everyone from the CEO down to frontline staff, is the best way to raise collective awareness of threats and increase the odds that opportunistic gambits, such as phishing and whaling attacks, will fail to find their mark.

If your training program is looking lacklustre, lax or has lapsed entirely, now is a good time to spruce it up and set it back into action.

Preparing a disaster response plan

"Hope for the best, prepare for the worst" is prudent advice for decision-makers of all stripes. Being ready to respond rapidly, should your enterprise fall victim to a hacking attack or data breach, can mean the difference between a speedy recovery and a slow-moving train wreck.

Checking that you are compliance-ready and, if necessary, putting the resources and processes in place that will let your organisation respond appropriately to an incident should be on your checklist each and every year.

Time to act

High-tech attack and data compromise are year-round risks and, in 2019, there's no room for complacency.

That's something Australian organisations which don't put appropriate protection measures in place may well find out the hard way.

Taking the time to conduct a thorough spring clean of the cybersecurity practices, processes and products in use across your enterprise will help minimise the likelihood of your company falling victim to an incident which could cost it dear.