18 Jan 2023
Blogs
The 2032 Olympic Games (to be held in AUSCERT’s home city of Brisbane) are less than 10 years away. That may seem a long way off from the present time, but consider this: the recent global pandemic caused significant suffering and loss on a personal level, while disrupting 2, maybe 3 years of industrial progress worldwide with supply chain issues and the like. Natural disasters, which Australia seems to have more than its fair share of, also disrupt our lives personally and professionally.
We know preparedness is important for dealing with natural disasters and pandemics, but we still don’t always get it right. The well-established insurance and trade industries responsible for rebuilding houses is an example of this – I know of many families affected in Brisbane’s Feb 2022 floods who are still living in alternative accommodation, waiting on rebuilding efforts to even begin. My point is, with cybersecurity a relatively new industry, now is the time to lay solid foundations for the future and “get it right” from the start. We don’t want to be looking back in a hundred years’ time in 2123 thinking “we’re still not getting it right”.
This may seem like a problem for senior management, although it’s our job as cyber security professionals to advise on these matters. Depending on the culture in your organisation this could be challenging, so why not reach out to other like-mind professionals in AUSCERT’s Member Slack to ask how they’ve been successful?
One suggestion is to talk about preparedness generally, rather than specifically about cyber. Help management understand that “cyber” isn’t just an “IT department thing” and speak about it as a normal business function. It’s just like completing your Business Activity Statement, running payroll, managing the lifecycle of your customers or any other function a business needs to do to retain relevance and solvency. Also, management should assume a cyber security incident WILL occur and keep that in mind when preparing. It’s possible risk assessments were calculated using “rare” or “unlikely” likelihood ratings to negate the “catastrophic” consequence, however as a professional you’ll be able to provide information about current events in cyber to make these assessments as accurate as possible. If you want some assistance keeping up with cyber security news, subscribe to AUSCERT’s ADIR for a daily digest.
In your briefings with management, talk about that crisis in the back of your mind – you know, the one that occasionally wakes you up in a sweat that you know would significantly impact lives (human or animal), livelihoods or the viability of your business. These days it’s usually ransomware, and because the actual risk is to the entire business we need to focus far wider than just the technical means by which ransomware is perpetrated, such as Lockbit or Royal.
In recent examples of both, the British Royal Mail were hit with Lockbit and QUT suffered a breach from Royal over the Christmas period. In both cases, the business impact was significant and ongoing. For example, courses and exams at QUT were suspended, and Royal Mail advised customers not to attempt to send letters and parcels overseas until the issue was resolved. Even more serious was the subsequent news that the Royal gang allegedly released the data stolen from QUT.
Whatever the crisis, you’ll need clarity on roles, responsibilities, and escalation protocols. This is far bigger than the IT department or the cyber security team. Your business will need to plan how internal and public communications are handled, have a war room, and manage handovers to prevent fatigue. If you don’t have a good plan already, why not lead a charge in your organisation to create one? Here’s a great template from the ACSC.
There are more considerations you may be called to advise upon, which are not traditionally “the IT dept’s problems”. You might need to help your organisation define a risk appetite. If we’re talking about ransoms, would your organisation pay a ransom? What legal and/or regulatory considerations are there? You might be in a situation in which lives depend upon payment of a ransom, and there’ve been rumours that cyber insurers may insist that you do pay the ransom to claim overall damages.
One of the best ways to draw out answers to these sorts of questions is to undertake a tabletop exercise. In these events you will bring together key decision makers from all parts of your business and simulate an actual crisis. There are plenty of consultants who’ll provide this as a paid service, and if you don’t know of any, reach out in AUSCERT’s Member Slack to ask your peers who they’d recommend. The ACSC’s Critical Infrastructure Uplift Program also provides tabletop exercises to certain industries, along with unique insights into national cyber security incidents they’ve responded to. At the very least you could run your own scenario using the ACSC’s Exercise in a Box, although sometimes bringing in outside advisors (particularly the Federal Government) does give your cyber preparedness plan extra credibility.
To help you with all of these concerns in 2023, we’ll continue providing our incident support and cyber threat intel for our members, and we’ll add additional training and awareness programs that aim to help with cyber-preparedness. We know that all of you are extremely busy with day-to-day activities, ever-increasing regulatory requirements and fighting cyber incidents. The new training courses will help you learn the very latest techniques in areas such as data governance, practical applications of cyber threat intelligence, and awareness of cybersecurity at the executive and board level. Hopefully you’ll all enjoy a prosperous, safe, happy and cyber-prepared 2023!
Mike Holm
AUSCERT Senior Manager