Cyber Security Risk Management Strategies

Submitted by sylvia.wong@up… on Thu, 03/31/2022 - 19:04

A business can adopt various cyber security principles to form a cyber security framework. The framework establishes the expected workplace behaviours and practices to protect the business from cybercrime.

By the end of this topic, you will understand:

  • what a cyber security framework is
  • the drivers that influence the selection of cyber security principles to create a framework
  • a process to meet the cyber security needs of the business
  • how to continually improve a framework
  • how to communicate with and lead technical experts to deliver technology change.

A cyber-attack can be made using:

  • physical means (such as when a laptop is stolen)
  • technical attacks (such as using hacking tools to exploit weaknesses in information technology software or hardware)
  • exploitation of human behaviour that results in cyber security lapses (such as not locking a computer screen when the computer is not in use).

A table of common cyber-attacks and their attack types is included below:

Common Cyber Attack: USB Sticks Used From Home in the Workplace
Attack Type: Physical

In this case, the home USB stick carries malware (malevolent software). When the USB stick is inserted into a business PC, the malware loads onto the PC and allows a hacker access.

Common Cyber Attack: Stolen Laptop Contains Business Data That is Not Encrypted
Attack Type: Physical

This allows a cyber-criminal (hacker) to use software to read potentially confidential data or the private data of individuals. Not protecting private data is a violation of the Australian Federal government’s Privacy Act of 1988 (amended to include digital data in 2012).

Penalties for businesses that have private data (such as banking details) accessed by unauthorised third parties are in the tens of thousands of dollars per breach (e.g., per record breached).

Common Cyber Attack: Anti-Malware Software on a PC is Not Updated With the Latest Library of Known Malware
Attack Type: Technical

Common Cyber Attack: A Phishing Attempt is Successful
Attack Type: Technical

Phishing is a form of cyber-attack where links are embedded in emails, social media posts and on websites that, when selected, load malware, often in the form of a virus. When a staff member clicks on a phishing link in an email, the business network is then infected.

If the virus (a form of malware that, once on a device, replicates itself across a network) is new and the network anti-malware software has not been updated, the virus spreads.

For example, the virus could be a type of keylogger which records the keyboard entries on the PCs in the business and sends files of the entries to hackers. In this case, the hackers could:

  • read the usernames and passwords entered by staff
  • use these authentication details to log on and steal data.

Common Cyber Attack: Outdated Webservers
Attack Type: Technical

For example, in a business that uses an Oracle database to hold sales data and an Apache webserver to provide access, if the webserver is not updated and a known exploit remains open, the data is compromised.

Common Cyber Attack: Staff Login Using Public Wi-Fi
Attack Type: Behavioural

Some staff who are mobile use public Wi-Fi to log in to the business network. This is against business policy as public Wi-Fi gives hackers a method (sometimes called a vector) to connect to the business PC. Hackers use the connection to install malware on the business laptop over the Wi-Fi.

Common Cyber Attack: Staff Share Passwords and Usernames
Attack Type: Behavioural

In this case, staff leave their access details on Post-It notes on their desks. Any visitor can read and then memorise the access details.

A cyber security framework is a strategy to deliver cyber security that is comprised of:

  • Physical barriers to protect infrastructure (such as secure server rooms and passcodes to access digital devices)
  • Technical responses such as patching computer software to close known security flaws
  • Policy and procedures in the workplace to provide direction on cyber-safe required and prohibited behaviours

A cyber security framework describes a set of activities that are performed by Cyber Security Managers (CSM). Some activities are performed by the CSM (such as researching new cyber threats), and some are initiated by a CSM and performed by other staff or contractors in the business (such as when a business’ Training Officer provides cyber security awareness training as required by the CSM).


Example

The NIST Framework

The National Institute of Standards and Technology (NIST) in the USA developed a commonly used cyber security framework, often referred to as the NIST framework.

The framework helps businesses to:

  • establish a baseline of the current cyber security activity in the business
  • identify what the business wants in terms of cyber security
  • compare the actual cyber security activity to the desired level of cyber security, then prioritise closing the gaps to move from the actual position to the desired level. Priority gaps are cyber security threats that pose the greatest risk to the business. For example, the risk from an unsecured sales database that can be accessed by hackers is greater than the risk from a single unsecured mobile phone that holds no business data.
  • perform tasks to close cyber security gaps as well as:
    • provide training and raise cyber security awareness in the workplace
    • enhance policy to provide new directions to improve cyber safety
    • research current cyber safety trends and hacker tactics to proactively adapt to new threats.
    These tasks are performed repeatedly to create a cycle of continuous improvement.
  • advise and engage internal and external stakeholders (such as senior management and the business’ clients and partners) in the process of meeting cyber security needs.

NIST tasks are grouped into 5 categories:

  1. Identify: Identification of the data, systems, assets, and people that require protection. These are all types of digital business assets.
  2. Protect: Protection of digital business assets using tools, strategies, policy, and technical change.
  3. Detect: Detection of attempts to attack the business by monitoring the business’ digital platforms (this includes the network, computers, mobile devices, and the applications that the business relies on).
  4. Respond: Responding to cyber security breaches and attempts to access systems by unauthorised 3rd parties (hackers). Additionally, tasks in this category enhance the security and continually improve cyber security.
  5. Recover: Plans for the recovery of systems if a cyber-attack damages the business’ digital platform.

When first undertaking to deliver the NIST framework in a business, a cyber security manager will commence with Identify tasks and work progressively through to Recover tasks (such as writing specific recovery plans for various situations).

Once a first pass is completed, the cyber security manager reacts to changes in the business. For example, as new digital equipment is purchased:

  • The type of equipment, the role in the business and the data it may store needs to be identified. A business is required by the NIST framework to maintain a Digital Device Registry of all digital business assets.
  • Depending on the type of equipment, the protection needed must be applied. In the case of a Smart Phone, business cyber policy is required by the NIST framework to have anti-malware software installed on it.
  • The new device needs to be included in the cyber security monitoring tools the business uses. This allows the business to detect cases of cyber-attack that use the new device.
  • The new device needs to be included in response planning: the steps that need to be taken in the case that the new device is affected by a cyber security attack.

One new device therefore requires numerous tasks across each of the 5 activity categories in the NIST framework to be repeated.

Below are example tasks from the NIST framework:

ID.AM-1 (Identify/Asset Management/Task 1) Physical devices and systems within the organisation are inventoried (such as in a digital device registry).
PR.AT-3 (Protect/Awareness and Training/Task 3) Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
DE.AE-2 (Detect/Anomalies and Events/Task 2) Detected events are analysed to understand attack targets and methods.

Note: Reviewing the contents of the digital asset registry is a regular task for cyber security managers. The devices, software, and workflow in a business change from time to time which requires the registry to be updated.

Reading

Read the full NIST framework. Follow the link below:

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov)

Cyber Security Frameworks and Government Regulations

For optimal cyber security, businesses should use a cyber security framework to ensure that their cyber security needs are completely covered. Aside from being in their best interests, Australian businesses may be required to deliver cyber security to protect their systems and data because of government requirements. Further, depending on the scope of a business, international regulations may also be applicable. Regulations, international and domestic, set requirements to:

  • Protect an individual's personal information
  • Maintain the availability of services

The table below lists regulations that Australian businesses must comply with as well as some regulations that must be complied with based on specific types of business operation:

Data Privacy Legislation

Legislation: Privacy Act 1988

Applies to: Businesses in Australia with more than $3,000,000 in turnover, businesses that do business with government, and businesses otherwise involved in the banking or health sectors.

Digital information records kept by businesses that detail an individual’s personal information are required to be protected from unauthorised access by the Federal government’s Privacy Act of 1988. Amended in 2017, the Act requires that Australian businesses comply with the Notifiable Data Breaches Scheme (NDBS). If a business holding personal data is compromised and data is copied or accessed by unauthorised third parties (hackers), the business must:

  • assess the breach and determine if the data accessed is ‘likely to result in serious harm to any of the individuals to whom the information belongs’.
  • if the assessment is that serious harm could eventuate, inform the Australian Cyber Security Centre and provide advice to affected individuals on what steps they should take.

Complying with the NDBS does not remove responsibility from a business and the Privacy Act allows for the Office of the Information Commissioner to apply fines as of 2022 of up to $2,100,000 in serious cases.

There are additional Federal Government Acts, such as the 2012 Health Records Act, that place additional requirements on businesses operating in the health sector regarding data protection. This Act notes that ‘A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.’ Much of the data privacy legislation in Australia, while providing additional requirements, relies on the Privacy Act of 1988 to assess penalties.

State and Territories in Australia also rely on the principles in the Privacy Act to apply their own regulations. For example, the Victorian government’s Health Records Act of 2001 requires medical practitioners to protect patient health records.

Reading

The Privacy Act 1988 can be found online here: Privacy Amendment (Notifiable Data Breaches) Act 2017 (legislation.gov.au)

The Federal Government Health Records Act can be found here: Federal Register of Legislation - Australian Government

The Victorian Health Records Act can be found online here: Health Records Act | health.vic.gov.au

Essential services Legislation (SOCI Act)

There are 11 business sectors that are included in the 2018 Security of Critical Infrastructure (SOCI) Act. The sectors are as follows:

  • Communications
  • Data storage or processing
  • Defence industry
  • Energy
  • Financial services and markets
  • Food and grocery
  • Health care and medical
  • Higher education and research
  • Space technology
  • Transport
  • Water and sewerage.

A business operating in these sectors that is considered critical to that sector (large with many customers, vital to the service delivery in that sector) must adhere to the SOCI Act. The original Act required these businesses to be prepared to counter a cyber-attack and efficiently restore services.

The SOCI Act was modified in March 2022 with the Security Legislation Amendment Critical Infrastructure Protection Act 2022. Now, businesses are required to use an appropriate cyber security framework that:

  • identifies all cyber security risks and provides a risk management plan for various recoveries to the Australian Cyber Security Centre
  • acts to continuously reduce cyber security risk with an active cyber security strategy that continues to improve
  • segments data, networks, and systems to minimise the impact of cyber-attacks.

International Legislation

Australian businesses that maintain client information for individuals living in other countries must comply with local regulations for data privacy. As Australia has stringent data privacy laws it is likely that adhering to local regulations is sufficient.

However, cyber security managers should review overseas legislation (such as Europe’s General Data Protection Regulation (GDPR)) where applicable to:

  • ensure understanding of the principles
  • ensure there are no gaps in compliance with international requirements.

For example, Article 5.1-2 of the GDPR states ‘Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose’. An Australian business with European customers must delete customer records when a client is no longer active as a result.

Reading

For more information on the GDPR refer to the GDPR.EU website: What is GDPR, the EU’s new data protection law? - GDPR.eu

While not a federal, state or territory regulation, the CPS 234 cyber security framework must be met as a minimum standard of cyber security by business members of the Australian Prudential Regulation Authority (APRA). To operate as a bank, insurer, health insurer, life insurer or superannuation investment company in Australia you must be a member of APRA. Where CPS 234’s standards of cyber security are not met by an APRA member, APRA can penalise and ultimately revoke a company’s license to operate.

Reading

For more information on CPS 234 refer to the APRA website. Follow the link: Information security requirements for all APRA-regulated entities | APRA


Depending on the business type, the amount of cyber security required varies. Compare a bank with branches across Australia to your local bakery. While both businesses can be the targets of a cyber-attack, clearly a bank has a need for higher levels of physical, behavioural, and technical cyber security. As a result, cyber security frameworks typically have levels of responses.

The table below contains the response levels for three well known frameworks including the NIST framework. All frameworks set out to protect the digital platforms of a business. While relying on one framework provides clarity and simplicity, when frameworks issue updates that change their design, it is possible to use elements of various frameworks to build a custom framework.

Framework: National Institute of Standards and Technology (NIST)

Response Levels: There are four levels that in NIST are called Tiers.

  • Tier 1 – Partial Response: Relies on a low level of cyber security controls. Awareness in the business and cyber security are not a high priority.
  • Tier 2 – Informed Response: Cyber security has the support of business management. The approach is not expressed as policy and cyber security information is shared informally in the business.
  • Tier 3 – Repeatable: There is a process to develop an organisation-wide policy approach to cyber security. Business cyber security awareness and technical protection are developed.
  • Tier 4 – Adaptive: There is strict policy and an organisation-wide approach to cyber security to continually improve it. This is informed by research and continually adapts to changing threat levels.

Framework: Critical Information Security Framework (CIS)

The Centre for Internet Security produced the Critical Information Security Framework (CIS). It uses an 18-step process to address cyber security requirements. Within each step there are three levels:

  • IG1: Is the minimum level recommended. It is recommended for small to medium companies without a dedicated cyber security manager.
  • IG2: Is an expanded set of safeguards. Where IG1 has 56 activities that are required to be continually performed, IG2 has 74 more activities. IG2 is for large companies with a cyber security manager.
  • IG3: Includes the 130 activities in IG1 and IG2, along with 23 additional activities for a total of 153. IG3 is for large companies with significant cyber security resources. IG3 businesses are those that are likely to be targeted by sophisticated hacking attacks.

Based on a business’ risk profile (an estimation of the cyber security risks a business must manage) and the available cyber security resources, the appropriate IG level can be selected. For example:

All IG levels are required to create a digital device registry, while only IG3 businesses are expected to use a network device detection tool to record devices on the business’ network. IG1 and IG2 businesses create the digital device registry manually.

Framework: Australian Cyber Security Centre (ACSC) – Essential Eight

In Australia, the Australian Cyber Security Centre (ACSC) is the principal government agency responsible for Australia’s cyber security.

The ACSC has developed a cyber security framework based on 8 cyber security principles with three levels increasing from Maturity Level 1 to Level 3. Level 1 delivers basic protection and Level 3 the highest strength protection.

The Essential 8 maturity levels represent levels of sophistication in an expected attack. A sporting goods store is less likely to attract high end hacking crews while a bank will be attractive as the rewards are higher. The sporting goods store still requires protection; however, it is less of a target compared to companies with very valuable data and assets.

The Essential Eight name refers to 8 areas of cyber security concern:

  1. Application control
  2. Patch applications
  3. Microsoft Office Macros
  4. User application access
  5. Admin privileges
  6. Patch systems
  7. Multi-factor authentication
  8. Backups.

An example of how the levels vary from each other is that while multi-factor authentication is required by users logging on to systems by all maturity levels, only Level 3 requires users to authenticate again before accessing important databases.

The Essential Eight

The Essential Eight focuses on essential technical requirements in cyber security. It is a framework but does not address in detail the steps that are to be taken (such as in NIST and CIS). Further, non-technical steps such as building cyber awareness or policy design are outside the scope of the Essential Eight.

The Essential Eight’s requirements are met and exceeded by the application of frameworks such as CIS and NIST.

As the Essential Eight is a requirement with which Australian government agencies must comply, it is described here as a recognised framework in the Australian cyber security space. As NIST and CIS are comprehensive and provide specific directions and steps, these frameworks are used in this unit to provide guidance on cyber security. NIST and CIS follow a similar series of steps. For example, the NIST framework addresses tasks to identify, protect, detect, respond to and recover from cyber security threats. The CIS framework has 18 core steps to complete. These steps, like those in NIST, identify, protect, detect, respond to and recover from threats.

For example: CIS control 1/sub-control 1.1 requires the creation of a digital device registry. This maps to NIST’s equivalent task ID.AM-1 (‘Physical devices and systems in a business are inventoried’).

Also, CIS control 17/sub-control 17.4 requires that businesses: ‘Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur’. This maps to NIST framework task RS.CO-1 (‘Personnel know their roles and order of operations when a response is needed’).

Reading

Other Frameworks

There are many other cyber security frameworks. For example, the AESCSF (Australian Energy Sector Cyber Security Framework) is recommended for compliance by the Australian Energy Market Operator (AEMO). AEMO is empowered by acts of parliament to regulate the Australian energy sector. For more information, refer to: AEMO | Australian Energy Sector Cyber Security Framework

The Australian Prudential Regulation Authority’s (APRA) CPS 234 cyber security regulations are another framework. The CPS 234 cyber security framework is a minimum requirement for all APRA-regulated entities (such as banks, insurers and building societies). For more information, refer to: PPC 141117 Draft Information Security Prudential Standard (apra.gov.au)

All frameworks aim to provide a standard, effective approach to cyber security that responds to a business’ identified cyber security needs.

Explore

Who are Cyber Criminals?

Understanding the motivations of cyber criminals will assist in identifying what level of cyber security at a minimum a business should maintain. The term ‘hacker’ refers to a cyber-criminal looking to gain unauthorised access to a business’ computer network and systems. The motivation of cybercriminals includes the following:

  • The challenge: No reason aside from beating the system. The attack if successful may or may not result in malicious damage.
  • Financial: Wanting financial reward from having access to a business’ systems. Such as using financial data to make illegal money transfers.
  • Activism: Wanting to attack a business’ systems as the business operates contrary to the views of the hacker.
  • Vandalism: Motivated by anger or simply a desire to cause damage, the hacker(s) delete databases and deny access to the systems they attack by taking them offline.

Hackers range from individuals using common hacking tools and applications through to teams of hackers with sophisticated information technology skills. Some hacker groups are unaffiliated and some work to further the interests of countries.

Cyber Threat Mitigation Versus Removal – Zero Trust Thinking

Cyber security frameworks are based on a principle of mitigation that reduces the risk of cyber-attacks through applying policy, technical change, and physical security. The levels of security almost all cyber security frameworks use provide increased ‘hardening’ to protect a business’ digital platforms.

In some cases, threats are managed rather than removed. For example, a known source of malware comes from the use of USB sticks. As USB sticks are portable, they are a convenient vector for malware to jump from device to device. The CIS framework requires all three tiers (high to low levels) to ‘establish and maintain a secure configuration process for enterprise assets’ including USB sticks. This is noted in safeguard 4.1. This may reduce the potential for a USB stick to carry malware. However, to remove the threat entirely, what is needed is a prohibition on the use of USB sticks. In cyber security, a model that looks to remove rather than mitigate threats is called Zero Trust.

Zero Trust is an additional cyber security strategy that, working alongside cyber security frameworks as an additional layer of security, works to remove cyber threats by authenticating every action that occurs on a business’ digital platform. In effect, a business’ data, systems, and network verify each access at every point from the browser to the database. If a device or request cannot be verified, it is removed or blocked. As USB devices are unknown devices, Zero Trust thinking removes the ability for business users to plug USB storage devices into their PCs and other business devices (such as Internet of Things televisions and whiteboards).

Removing threats rather than mitigating threats is best practice cyber security. However, as is the case with USB sticks, removing threats reduces productivity and business operational flexibility. Cyber security is based on principles of restriction and is not a tool for improving a business’ workflow.

Adopting frameworks and making use of Zero Trust thinking needs to be carefully considered by a business. Balancing cyber security requirements with business operational needs comes from a cyber security manager consulting with stakeholders to determine the required scope.

Case Study

Zero Trust sees a business’ digital platform (the hardware and software that comprises the business’ operation) as a single ‘protect surface’. Within that surface, the network and systems are logically divided into many micro segments. A business using Zero Trust will have multiple points of authentication requiring multiple devices and user actions (such as requiring Multi-Factor Authentication (MFA)).

Therefore, there is a much higher cost to implementing Zero Trust business wide. In most businesses, cyber security is supported by limited budgets. In these cases, it may be better to assess a business, identify what requires Zero Trust protection and budget specifically for the protection of the highest risk and most valuable digital assets.

Zero Day and Internal Threats

Any strategy, such as cyber security frameworks or Zero Trust, remains exposed to Zero Day and internal cyber security threats. This is because their vector (attack approach) cannot be predicted.

Zero Day threats are malware (malevolent software) that use an unknown technique to gain access to a business’ systems. Most hacker tools and exploits are documented and can be mitigated by:

  • applying patches (updates) to software to close security vulnerabilities
  • ensuring the business provides training and awareness on common hacker techniques (such as Phishing)
  • creating cyber safe policy and cyber safe procedures
  • relying on cyber security frameworks to continually enhance the business’ cyber security approach.

Zero Day Threats

A Zero Day exploit has no track record and no known procedure to identify it or close the vulnerability it exploits. The term Zero Day refers to the malware or hacking technique being very recently discovered. It is possible that the malware or exploit has existed for some time, and it is only when a business notices there has been a cyber-attack (such as theft of data) that the Zero Day term is applied to the new hacking technique. In the time that it takes for a remedy to be developed, hackers have a window of opportunity to access any system that shares the weakness that is being exploited.

Internal Threats

Staff in a business are authorised and working on a business’ digital platform as a part of their employment. If a member of staff decides to act to damage a business within the role they have been granted, no amount of cyber security can defend against it. There are however general practices that should be adopted by businesses that can limit the impact of rogue staff. In some cases, insider threats are not malicious but occur due to negligence and failing to follow business cyber security policy.

Case Study

Cisco

In December 2020, a terminated employee at Cisco deleted 16,000 user accounts and caused an estimated $3,000,000 in damage to the business. The ex-employee was jailed for two years.

Northern District of California | San Jose Man Sentenced To Two Years Imprisonment For Damaging Cisco’s Network | United States Department of Justice

Mitigating Zero Day and Internal Threats

There is no task in a cyber security framework that can actively work to specifically mitigate internal threats or Zero Day malware and exploits. The best approach is as follows:

  • Actively research emerging trends in cyber-attacks so that staff and management can be advised ahead of time. This buys time to consider if additional protection could be useful. For example, if the Zero Day exploit attacks a weakness in a web server the business uses, it may be possible to move incoming traffic to another web server design (e.g., to move from Microsoft IIS to Apache).
  • Consider briefing staff to be additionally cautious reading email. Often malware is spread using an email with a particular title or content which can be watched for.
  • Keep all software (operating systems - such as Android and applications – such as Oracle and SAP) patched to at least the second latest patch release (it may be that the latest patch release is being tested by your business before release). By doing so, when a patch is released by a software vendor to respond to a Zero Day exploit (such as Microsoft releasing a patch for Office), the process to apply the patch will not involve many patches to be applied to catch up to the latest patch.
  • Do not allow administrator access to technical staff permanently. Ensure that there is a change control process that requires approval to grant access. Once a task is complete, the activity the admin role performed should be audited to ensure only the required activity was undertaken.
  • All users (admin and user) should be limited in the amount of data they can delete, copy, move or alter in a period (for example 24 hours). The data amount that it is limited to should be small relative to the business database. This limits the potential for any user to bulk delete, copy, or alter large quantities of data.
  • Staff roles should be limited to only specific activity on the business’ digital platform and random audits of staff system activity should be conducted. Staff should be informed that this will occur as a deterrent to damaging cyber behaviour.
  • Manage staff exits by revoking access immediately to the business systems on staff leaving the business.
  • Businesses need to have continuity and recovery plans in place for their business-critical systems (at minimum) in anticipation of Zero Day and internal threats.
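
The staff-access practices in the list above (a per-user limit on records changed in a period, administrator access that is approved, time-boxed and audited afterwards, and immediate revocation on exit) as an added example written for this page; it is not code from the course or from any product, and the quota fraction, grant duration, user names and timestamps are constructed:

```python
from collections import deque
from datetime import datetime, timedelta


class InsiderThreatGuard:
    """Enforces a per-user change quota over a sliding window and time-boxed,
    second-person-approved administrator grants, logging every decision."""

    def __init__(self, total_records, quota_fraction=0.01, window=timedelta(hours=24)):
        # The quota is a small fraction of the whole database (1% is a constructed default).
        self.quota = max(1, int(total_records * quota_fraction))
        self.window = window
        self._changes = {}        # user -> deque of (timestamp, records changed)
        self._admin_grants = {}   # user -> {"expires", "approver", "task"}
        self._offboarded = set()  # users whose access has been revoked
        self.audit_log = []       # every decision, kept for the post-task review

    def _log(self, **event):
        self.audit_log.append(event)

    def used_in_window(self, user, now):
        """Records the user has changed inside the window ending at `now`."""
        q = self._changes.setdefault(user, deque())
        while q and now - q[0][0] >= self.window:
            q.popleft()  # entries older than the window no longer count
        return sum(n for _, n in q)

    def request_change(self, user, op, records, now):
        """Allow a delete/copy/move/alter touching `records` rows only while the
        user's total for the window stays within the quota; deny after offboarding."""
        if user in self._offboarded:
            self._log(time=now, user=user, op=op, records=records, allowed=False, reason="offboarded")
            return False
        used = self.used_in_window(user, now)
        allowed = used + records <= self.quota
        self._log(time=now, user=user, op=op, records=records, allowed=allowed, used=used)
        if allowed:
            self._changes[user].append((now, records))
        return allowed

    def grant_admin(self, user, approver, task, now, duration=timedelta(hours=2)):
        """Change control: someone other than the requester approves a grant that
        expires on its own, so administrator rights are never held permanently."""
        if approver == user:
            raise ValueError("a grant must be approved by someone other than the requester")
        if user in self._offboarded:
            raise ValueError("cannot grant access to an offboarded user")
        self._admin_grants[user] = {"expires": now + duration, "approver": approver, "task": task}
        self._log(time=now, user=user, op="grant_admin", approver=approver, task=task, allowed=True)

    def admin_action(self, user, action, now):
        """Administrator actions succeed only inside an unexpired grant; all are logged."""
        grant = self._admin_grants.get(user)
        allowed = grant is not None and now < grant["expires"]
        self._log(time=now, user=user, op="admin:" + action, allowed=allowed)
        return allowed

    def offboard(self, user, now):
        """Staff exit: revoke administrator access and all change rights immediately."""
        self._admin_grants.pop(user, None)
        self._offboarded.add(user)
        self._log(time=now, user=user, op="offboard", allowed=True)

    def admin_actions_for_review(self, user):
        """What the admin role actually did: the entries an auditor checks after the task."""
        return [e for e in self.audit_log if e["user"] == user and e["op"].startswith("admin:")]


if __name__ == "__main__":
    guard = InsiderThreatGuard(total_records=1_000_000)   # constructed database size
    t0 = datetime(2022, 3, 31, 9, 0)                       # constructed start of the scenario
    print("quota per 24h:", guard.quota)
    print("alice alters 6000:", guard.request_change("alice", "alter", 6000, t0))
    print("alice deletes 5000 an hour later:", guard.request_change("alice", "delete", 5000, t0 + timedelta(hours=1)))
    guard.grant_admin("bob", approver="carol", task="rotate database credentials", now=t0)
    print("bob admin action in window:", guard.admin_action("bob", "rotate-credentials", t0 + timedelta(minutes=30)))
    print("bob admin action after expiry:", guard.admin_action("bob", "drop-table", t0 + timedelta(hours=3)))
    guard.offboard("bob", t0 + timedelta(hours=4))
    print("bob after offboarding:", guard.request_change("bob", "copy", 1, t0 + timedelta(hours=5)))
```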

Watch

Learn more about the range of possible insider threats. Watch the video below:

Insider Threat Mitigation Resources and Tools | CISA


The factors that determine the cyber security strategies a business will employ vary according to:

  • regulatory requirements
  • risk profile (determines how attractive it is to cyber-attack)
  • the direction that senior management (stakeholders in a business) opts for:
    • more cyber security means less productivity and flexibility
    • less cyber security means more opportunity for cyber threats to become actual attacks.

Regulatory Requirements Assessments

Regulatory requirements must be complied with. Being non-negotiable, businesses are obliged to develop policy that complies with the cyber security requirements stipulated by the various tiers of government in Australia. To assess regulatory requirements for a business, consider the turnover of the company and the type of business.

Case Study

ACE Pty Ltd

You are assisting ACE Pty Ltd by working with senior management to develop a company-wide response to cyber security needs. ACE is a pet food wholesaler. The business has an annual turnover of 6 million dollars and holds financial information of companies that it trades with.

You assess that:

  • there are no international regulatory requirements as ACE deals only with domestic clients
  • ACE is not operating in an essential service and does not need to comply with the SOCI Act
  • ACE does need to comply with the Privacy Act of 1988 and must also comply with the National Data Breach Scheme requirements.

Risk Profile

To launch a successful cyber-attack on a business, hackers typically take three approaches:

  1. Send malware out using a phishing attack that uses hundreds of thousands of emails. The emails are sent to addresses in mail lists of known addresses. These mail lists can be bought online and are shared in the hacker community. Such attacks are not targeted and are crimes of opportunity. If someone in any business opens an email and clicks a link, malware will attempt to open that business’ system to allow hackers to then steal data and damage systems.
  2. Target specific businesses using both sophisticated and simple technical methods to probe for vulnerabilities in their cyber security. For example, using SQL injection, where SQL (a database query language) is entered into an entry field for execution, such as a search field on a website. SQL injection exploits a security vulnerability in an application or website to execute the malicious SQL code.
  3. Attempt to gather security credentials through contacting staff in the business. This can be done using various tricks (such as using fake identities and calling staff or using email).
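As an added illustration of the SQL injection method in point 2 (example code, not part of the course material): a website search backed by a constructed SQLite product table, first written by pasting the search term into the query, then in the parameterised form a business should require. The table, the function names and the probe string are all constructed for this example.

```python
"""Search field SQL injection: concatenated query beside its parameterised fix.

Added example, not part of the course material. The product table is constructed;
search_vulnerable() is the defect described in the text, search_safe() the remedy.
"""
import sqlite3

# Constructed catalogue: one row is internal and must never be returned by a search.
PRODUCTS = [
    ("Premium dog biscuits", 1),
    ("Cat kibble 5kg", 1),
    ("Internal price list", 0),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the website's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL, public INTEGER NOT NULL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Defective: the search term is pasted into the SQL text, so quotes and
    SQL keywords typed into the field become part of the statement."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Fixed: the term is bound as a parameter, so the database treats it as data
    and the statement's structure (including the public = 1 filter) cannot change."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def leaks_non_public(conn: sqlite3.Connection, search, term: str) -> bool:
    """Review check for a search endpoint: does any non-public row come back?"""
    non_public = {name for name, public in PRODUCTS if not public}
    return any(name in non_public for name in search(conn, term))


if __name__ == "__main__":
    db = make_db()
    probe = "%' OR 1=1 --"  # quote-closing input that rewrites the concatenated query
    for fn in (search_vulnerable, search_safe):
        print(f"{fn.__name__}: benign={fn(db, 'dog')} leaks={leaks_non_public(db, fn, probe)}")
```

Both functions return the same result for an ordinary search term; only the concatenated version lets a field value alter the query and return the internal row.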

Targeted businesses are those that are attractive to cyber criminals. A business’ Risk Profile measures this attractiveness and is a good indicator of the level of cyber security a business should adopt. A risk profile describes the business and considers in what way a cyber criminal would be attracted to attack it.

A tool to assess how likely a business is to be targeted by cyber criminals is called a Risk Profile (RP). Cyber security managers develop RPs based on:

Diagram for Risk Profile

We will now consider these two components.

Classification by Industry Type

When developing a Risk Profile, the business’ industry is a fundamental factor in determining the level of cyber security required. Certain businesses are very attractive to hackers.

Businesses Handling Financial Details and With Substantial Money in Bank Accounts

  • Large retailers, banks, insurance companies and government departments will hold attractive data such as credit card details that hackers can use to either make purchases themselves or sell to criminal gangs (often overseas) to make purchases.
  • Personal information these businesses hold (such as addresses, phone numbers, bank accounts) can also be used to secure loans and obtain credit cards for purchases. Identity theft allows cyber criminals to profit financially.
  • Businesses with bank accounts that hold significant finances are attractive targets. Banks that have customer accounts can be compromised by hackers allowing theft of money using transfers from accounts.
  • Businesses that are likely to have large cash reserves in bank accounts are also targets. If access can be gained online to a business’ banking accounts, cyber criminals can make illegal transfers.

Businesses That can be Ransomed or Blackmailed 

  • Hackers are aware that businesses with critical infrastructure can be attacked to deny access to that critical area of a business. By doing so, the hackers can ask for money (a ransom) to be paid to restore the access. For example, a business such as a supermarket requires that their registers can scan items and calculate costs. If a cyber-criminal could first disable registers, then block the supermarket from restoring the registers to working order, a ransom may be requested to allow the supermarket to restore the registers to work again. This hacker technique is performed by software commonly called ransomware.
  • Businesses that provide essential services and otherwise have a central information technology platform that is essential to their operation are vulnerable to ransomware attacks. Hackers appreciate these companies will be motivated to pay ransoms if a cyber-attack is successful.
  • Hackers have also been known to steal sensitive data and ask for money from companies. If the blackmail demand is not paid, the hackers will threaten to release the data publicly.
    • Many businesses have data that they consider confidential and would be damaging if released publicly.

Businesses That are Attractive to Activists or are State Sponsored 

‘Hacktivists’ attack businesses to steal data, compromise systems and cause damage to those that the hackers feel are contrary to their beliefs. Businesses that are the focus of negative attention from groups in the wider community need to recognise that they can be a target for a cyber-attack. In addition, cyber-attacks sponsored by foreign countries on Australia’s critical infrastructure do occur. Such attacks may look to steal data or to damage infrastructure. The SOCI Act is in part a response to these kinds of state sponsored attacks.

Explore

A well-known hacker community with hacktivist tendencies is called ‘Anonymous’.

In 2020, Anonymous DDoS attacked the Minneapolis police department. The website was offline until the overload traffic on the police department web servers was ‘dumped’ (a term meaning blocked). Anonymous claimed the attack was in response to Minneapolis police involvement in the death in custody of George Floyd.

For more examples of hacktivism refer to the following website: Hacktivism: Definition, types, + newsworthy attacks - Norton

Businesses With Third Party Connectivity 

A business that seemingly is not attractive to a high-end hacking attack may in fact be a prime target. This occurs when a business has a network connection to, or does business with, larger, more attractive companies. Small businesses connected to bigger businesses may have less cyber security in place and provide hackers with an opportunity to:

  • gain unauthorised access to the smaller company
  • send what seems to be legitimate requests to the larger company over a network connection or use the network connection to hack the bigger company by compromising cyber security.
Case Study

Third Party Connectivity

A car dealership enters into an agreement with a bank to preapprove finance online to sell cars. The car dealership now has a connection to the bank that hackers could exploit to gain access to the bank’s data.

The risk profile has changed, and the business is now more attractive to hackers. As a result, the dealership should ensure that:

  • PCs that connect to the bank cannot be accessed without multi-factor authentication
  • staff cyber security awareness is improved
  • bank advice on cyber security is adopted
  • financial data is held in a highly secure data environment
  • cyber security framework guidelines are adopted for data handling and storage.

If the dealership considered a Zero Trust approach:

  • No portable USB devices, web browser or email can be accessed from the PCs connecting to the bank.

The Level of Cyber Security in Place

A second component of a risk profile considers how prepared a business is for a cyber-attack. Cyber criminals are very similar to burglars. They prefer to attack businesses with weak protection and are more successful if a business has limited cyber security in place.

A cyber security manager will continually assess the changing hardware and software, access methods, data storage and overall cyber security in a business to continually improve cyber security. As the digital platforms of a business evolve, the associated Risk Profile should be changed to reflect the cyber security in place. These risks should be described and prioritised in order of two factors:

  1. The potential impact to the business
  2. The potential that a risk will eventuate

As new risks emerge, the risk registry is used to:

  • close exposures that the business has by sorting risks from highest impact to lowest impact and attending to the highest risks first that are most likely to occur.
  • evolve the Risk Profile as new cyber security threats are identified, according to their chance of occurring and the threat they pose to the business.

A cyber security manager needs to assess evolving threats in cycles of review. Hackers repackage threats (altering the code), vary their tactics and – in the case of Zero Day threats – develop new methods to attack businesses. To respond, cyber security managers should regularly:

  • review businesses for changes in the IT environment and update risk registries
  • update procedures and implement or configure cyber security software often
  • research cyber security trends using reputable sources of cyber security information
  • prioritise threats, close gaps and mitigate threats. 
Case Study

Threat Priorities

As a cyber security manager at ACE, you become aware of the following threats:

  • Staff require cyber security refresher training on ACE cyber security policy
  • An update to the business firewall (a device that blocks unauthorised external access to the business network) has opened commonly used ports (a port listens for network requests and allows access to external and internal users and software) that should be ‘closed’, as closing them stops unauthorised access.

The first threat is that staff may open emails or visit websites that contain malware. Each PC they use has anti-malware software installed and the browsers they use cannot visit non-business websites. It is likely however they will receive emails that are phishing attempts. The PCs do not contain any business data. 

In the case of this threat, the likelihood of an attack is high, but the impact is low. The second threat has high potential impact. Further, as Australian businesses often face cyber-attacks from hackers, the chance that the open ports could be exploited is high.

To manage these two threats, the second threat poses the greatest risk and needs to be rectified as a priority before providing additional training.

In building a risk registry, a tool called a CSRA is used.

What is a CSRA

To prioritise risks, a threat scale from low impact, to medium, to high is often used. A high threat level indicates that the risk to the business is significant. This scale is called a CSRA matrix and is used to prioritise risks. An example 3 x 3 matrix is shown below.

The probability that a risk will occur is graded on the y axis from low to high. The impact is likewise graded from low to high on the x axis. Cyber security managers, with stakeholders, decide how the 9 combinations of probability and impact are ranked. No business has infinite resources, and a business grades the 9 combinations to reflect its priorities. For example, in the diagram above, this business’s CSRA matrix ranks cyber risks with high impact but low probability as medium, a lower priority than medium impact/medium probability risks. The rankings depend on the type of business, and in some cases any high impact risk will be ranked high priority even if it has a low probability (for example, in risk averse businesses such as banks).

Once a business develops a matrix, identified cyber security risks in the registry can be assigned priorities to direct more resources to protect the highest risks.

(A matrix can use any number of threat levels rather than 3. Another common matrix is a 5 x 5 matrix with low, medium, high, very high and critical rankings, which creates 25 possible priorities.)
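The matrix described above, and the registry sorting described earlier (highest impact first, then most likely to occur), as an added worked example that is not part of the course material: a CSRA matrix held as a lookup table that every (probability, impact) combination must be ranked in, a risk-averse variant where any high impact risk is ranked high, a rule-based builder that also produces the 5 x 5 form, and a prioritised registry. The cell rankings, the ACE registry entries and the average_rule are constructed for this example.

```python
"""CSRA matrix as a lookup table that prioritises a risk registry.

Added example, not part of the course material. The 3 x 3 cell rankings are
constructed to follow the text (high impact / low probability ranked medium,
below medium impact / medium probability); a real business sets its own.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

SCALE_3 = ("low", "medium", "high")
SCALE_5 = ("low", "medium", "high", "very high", "critical")


@dataclass(frozen=True)
class Risk:
    """One risk registry entry; probability and impact use the matrix's scale."""
    name: str
    probability: str
    impact: str


class CSRAMatrix:
    """Maps (probability, impact) to a priority band and orders a risk registry."""

    def __init__(self, scale: Tuple[str, ...], cells: Dict[Tuple[str, str], str]):
        self.scale = scale
        self.rank = {level: i for i, level in enumerate(scale)}  # severity order
        missing = set(product(scale, scale)) - set(cells)
        if missing:  # stakeholders must rank every combination
            raise ValueError(f"unranked combinations: {sorted(missing)}")
        off_scale = set(cells.values()) - set(scale)
        if off_scale:
            raise ValueError(f"priority bands not on the scale: {sorted(off_scale)}")
        self.cells = dict(cells)

    @classmethod
    def from_rule(cls, scale: Tuple[str, ...],
                  rule: Callable[[int, int, int], int]) -> "CSRAMatrix":
        """Build an N x N matrix from rule(prob_rank, impact_rank, n) -> band rank."""
        n = len(scale)
        cells = {(p, i): scale[rule(pr, ir, n)]
                 for pr, p in enumerate(scale) for ir, i in enumerate(scale)}
        return cls(scale, cells)

    def risk_averse(self) -> "CSRAMatrix":
        """Variant for risk-averse businesses: any top-impact risk gets the top band."""
        top = self.scale[-1]
        return CSRAMatrix(self.scale,
                          {k: (top if k[1] == top else v) for k, v in self.cells.items()})

    def priority(self, risk: Risk) -> str:
        return self.cells[(risk.probability, risk.impact)]

    def prioritise(self, registry: List[Risk]) -> List[Risk]:
        """Highest band first; within a band, higher impact first, then higher probability."""
        def key(r: Risk):
            return (self.rank[self.priority(r)], self.rank[r.impact], self.rank[r.probability])
        return sorted(registry, key=key, reverse=True)


def average_rule(prob_rank: int, impact_rank: int, n: int) -> int:
    """Constructed starting-point rule for an N x N matrix: rounded-up average of the ranks."""
    return min(n - 1, (prob_rank + impact_rank + 1) // 2)


# The 3 x 3 matrix described in the text: (probability, impact) -> priority band.
ACE_3X3 = CSRAMatrix(SCALE_3, {
    ("low", "low"): "low",     ("low", "medium"): "low",      ("low", "high"): "medium",
    ("medium", "low"): "low",  ("medium", "medium"): "high",  ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high",    ("high", "high"): "high",
})

# Constructed registry entries drawn from the ACE case studies on this page.
ACE_REGISTRY = [
    Risk("Staff phishing awareness: refresher training overdue", "high", "low"),
    Risk("Firewall update left commonly used ports open", "high", "high"),
    Risk("Old shipping web server with a history of Zero Day exploits", "low", "high"),
]

if __name__ == "__main__":
    for label, matrix in (("default", ACE_3X3), ("risk-averse", ACE_3X3.risk_averse())):
        print(f"--- {label} matrix ---")
        for risk in matrix.prioritise(ACE_REGISTRY):
            print(f"{matrix.priority(risk):>7}  {risk.name}")
    five_by_five = CSRAMatrix.from_rule(SCALE_5, average_rule)
    print(len(five_by_five.cells), "ranked combinations in the 5 x 5 matrix")
```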

Tip

The NIST and CIS frameworks address this requirement as follows:

NIST

Within the Identify phase, develop a risk management strategy to:

  • Develop risk management processes with stakeholders (ID.RM-1: Risk management processes are established, managed, and agreed to by organisational stakeholders).
  • Develop a CSRA matrix and create a prioritised cyber risk registry (ID.RM-2 and ID.RM-3: Organisational risk tolerance is determined and clearly expressed, and risk analysis is performed).
  • ID.SC-1 to ID.SC-4 also address risk analysis and risk assessment for third party suppliers.

CIS 

CIS Version 8 Control 7 addresses creating and maintaining a risk registry as a part of an overall cyber risk management strategy, with at least monthly reviews. Safeguards 7.1 and 7.2 note a requirement to “Establish and maintain a documented vulnerability management process for enterprise assets” and to “Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews”.

Case Study

ACE Pty Ltd CSRA

You are the cyber security manager at ACE Pty Ltd, a pet food wholesaler. You maintain a CSRA with three levels of threat assessment.

Mobile phones are assessed as a Level 1, or low threat. The phones are locked using passcodes and the business’ policy is that no business data is held on phones. The phones do not connect to the business’ network.

Desktop PCs are a Level 2 threat. The PCs have anti-malware protection. Some business sensitive data (non-confidential or private) are on the PCs and the PCs are networked to the business’ sales system. The PCs receive email and these emails could contain malware. The PCs could allow a hacker to attempt to access the sales system.

An attack on the sales system is a Level 3 threat. It is a database with client–server connectivity that enables orders to be processed. If the sales system was unavailable due to a cyber-attack, ACE would not be able to function.

Creating a Risk Profile for a business allows a cyber security manager to brief stakeholders efficiently, accurately and clearly to allow senior management to make informed decisions about:

  • the level of cyber security required and cyber security priorities
  • the budget that is required to deliver the identified cyber security.

Additional Considerations When Setting Risk Levels 

A CSRA matrix, aside from hardware and software, should also consider a business’ workflow. How does data move internally and externally across a business’ digital platform? While a business’ databases may hold critical data, a review of the connectivity may show that access to that data relies on a simple network router. As a result, the routers that connect users to the database warrant high priority protection, along with the database software and disk hardware.


Consulting With Senior Managers

A third factor that determines the cyber security strategies a business will adopt is the sentiment of senior management.

After creating a risk profile (considering the regulatory requirements, the value of the business as a target for hackers, and having built a risk registry with a CSRA matrix), a cyber security manager needs to engage with business management.

Whether a business is establishing or maintaining their cyber security environment, consulting with a business’ senior managers ensures:

  • a common business wide approach to cyber security
  • resources to support cyber security
  • cyber security levels that senior management support.

Bringing recommendations to management allows for cyber security policies and procedures to be endorsed. As a cyber security manager, it is likely you will present small, incremental changes rather than wholesale changes as the business will have an existing cyber security framework. However, it is possible that a cyber security manager will be appointed to a business that has insufficient cyber security that will require major changes.

Regardless, when presenting cyber security recommendations to stakeholders, ensure that:

  • the technical, regulatory, and behavioural changes required are budgeted for time and cost
  • the impact on business operations is clear – how additional cyber security will affect the business’ productivity
  • the threat(s) that need to be countered are identified, how the threats could attack the business, and provide an estimation of the threat level (how damaging and how likely the threat is to occur)
  • they are provided with a current risk profile assessment. 

We previously looked at the role of cyber security frameworks, Zero Trust thinking and the role of the Risk Profile. From a pure cyber security perspective, the maximum levels of technical, physical and policy security should be applied to all areas of the business.

However, even banks prioritise security based on the level of risk a threat holds. For example, ATMs are designed to resist physical tampering and use complex encryption and sophisticated authentication to resist cyber threats. The networks from ATMs to the bank’s systems are likewise robustly protected. In contrast, the bank manager’s PC requires a username and password to unlock and maybe a passcode. The reason for this is priorities: costs and business efficiency. An ATM, if compromised, may result in a large sum of cash being stolen or access being given to transfer even larger sums. The bank manager’s interactions with the bank’s systems are always checked, and the manager mostly reviews data rather than sending money. Allowing a manager simpler access also speeds up the processing of bank business.

Consequently, advising management to support cyber security to deal first with high risk, high impact threats is appropriate.

In consulting with management, business imperatives may be considered despite the cyber risk that a business activity holds. For example, allowing mobile device access to a business’ network creates the potential that a hacker could gain access to that network. To remove this threat entirely (as in Zero Trust thinking), not allowing remote access is optimal. However, a business may rely on staff being able to access core systems when away from the office, and removing remote access is then impractical. If a business has operational needs that can open it to a cyber-attack, robust authentication, cyber threat awareness training, clear cyber safe policy and up to date software must always be in place.

Tip

Seek the Widest Range of Stakeholders to Gather Input

In any business, there will be stakeholders in cyber security policy outside senior management, although it is senior management that grants approvals for cyber security initiatives. It is important to consider what the needs of these stakeholders are. For example, the shipping manager may have their team’s productivity impacted if additional authentication (such as Multi Factor Authentication) is required for the PCs in the shipping team. This also extends to contractors, who may have valuable external experience that can be incorporated.

In some cases, compliance managers should be involved in changes to ensure compliance with government cyber security regulations. Third parties that a business trades with may also have input where new cyber security protocols affect how they interact with the business resulting in a need for them to modify their security.

In some cases where the scale of the change is very significant (such as moving a business from one network platform to another), it is also prudent to engage consultancy to validate any proposed security arrangements.

Threat Response Strategies and the Role of a Cyber Security Manager 

When a business’ Risk Profile is developed, it creates a unique set of requirements. Fortunately, as discussed, cyber security frameworks have variable levels of cyber security response. The higher the level required, the more resources and restrictions needed. This allows a business, using a Cyber Security Risk Analysis matrix, to be able to select what devices, software and workflow requires the highest levels of protection and what does not.

In working with management, the role of a cyber security manager is to:

  • develop appropriate responses to threats (more resources for higher risk and higher probability threats) based on framework levels
  • develop threat appropriate policy and procedures and seek approval from management
  • continue to develop cyber security within the scope of management approved cyber security policy
  • increase awareness of the seriousness of the cyber threat posed by hackers and seek resources to meet requirements.

Note

A business can mix and match requirements from cyber security frameworks. Frameworks themselves reference each other’s factors, levels and activities to allow integration. What matters is that a business develops a considered approach to cyber security for maximum cyber security return on the resources they invest.

The following case study demonstrates how management and cyber security collaborate. Note that while a cyber security manager will have a good grasp of establishing a cyber secure workplace, they are not the technical experts who implement changes to databases, apply patches to software or configure routers. Cyber security managers work with technical experts to deliver secure environments. Further, in working with management a cyber security manager should:

  • use less jargon and simplify concepts to avoid unnecessary complexity
  • focus on addressing threats and changes in terms of their impact on the business.
Case Study

Working with Management

As a senior manager at ACE Pty Ltd you meet on a regular basis with the business’ cyber security manager. As a part of an expansion, ACE have acquired a transport company. The transport company has a central depot and will support shipping of ACE goods from the main ACE warehouse.

The cyber security manager meets with you and other managers from the ACE executive and recommends that for the new business, the following tasks be undertaken:

  • List all the software, hardware and workflow the business uses in its information technology platform in a digital assets registry.
  • Review the current policies, technology, physical security, and level of cyber awareness in that business.
  • Identify gaps in cyber security in the trucking business and how they can be closed. This is to be done using a Cyber Security Risk Analysis to identify existing threats and prioritise the threats according to risk level and likelihood of an attack. Creating the analysis will form part of an overall Risk Profile. The analysis relies on the contents of the Digital Assets Registry.
  • Make a workflow map to create cyber secure data flow from the new business to ACE.

In the meeting, the cyber security manager tables a budget, timelines and clear outcomes and then requests approval for their plan. You indicate in the meeting you will provide a response in a day or two, however, given the clarity and need to act the plan is likely to proceed.

The outcomes from gathering approval from stakeholders to implement cyber security will result in change in the business environment. Routine security activity such as patching servers or updating anti-malware software on PCs does not require management sign-off. Engaging with management to seek approval for new cyber security initiatives occurs:

  • when a new initiative requires change in business policy or operations, or additional budget to implement (budget beyond the typical yearly working budget)
  • when a gap in existing cyber security has been identified that requires change in business policy or operations, or additional budget to implement
  • in the event of an attempted or actual cyber security breach that warrants engagement with management. It is expected that if staff can send and receive emails, spam and phishing emails will be received. The CSRA matrix will identify high and medium impact threats, and a business may see these threats as requiring management involvement.
  • as required and described by the cyber security manager through regular and expected reporting. The timing of these reports will be described in the policy that describes the role of a cyber security manager or officer in the business (see below).

Senior management approves cyber security policy and for high level impact threats at least, should approve recovery plans in the event of a cyber security breach. As noted in the NIST framework: ‘Risk management processes are established, managed, and agreed to by organisational stakeholders’ and senior management describes how ‘Organisational risk tolerance is determined and clearly expressed’ (NIST ID.RM-1/2).

Explore

Specific Tasks in Frameworks

A review of the tasks in a cyber security framework provides a step-by-step guide to the tasks needed to provide optimal cyber security for a business. As a part of an overall strategy, these tasks close gaps and improve cyber security.

Consider these examples:

  • Classifying data to identify sensitive information that should be encrypted (CIS 3.7 / NIST ID.AM-5, ID.RA-5)
  • Identifying cyber security gaps in third party companies and requiring gaps to be closed (CIS 15.4 to 15.7 / NIST ID.SC-2, ID.SC-4 and DE.CM-6)
  • Encrypting data on removable media (CIS 3.9 / NIST PR.PT-2). Note: this task is dependent on policy, and a business may choose to adopt Zero Trust thinking, which will prohibit removable media.

There are more than 200 such tasks. In some cases, a business may decide not to follow a framework due to operational considerations (such as deciding to keep using USB sticks).

Case Study

Countering New Threats

After meeting with the stakeholders, as ACE’s cyber security manager you have identified two new high impact threats from acquiring the new transport business. You believe the business needs to counter these threats. The threats are:

  1. The transport company allows remote access into its shipping management system without using multi-factor authentication (MFA). You identify this in a CSRA as a high-risk threat with a high probability of impacting ACE’s business. This is because if an employee of ACE (including staff joining ACE from the purchased trucking company) is subject to a successful phishing attack, they may inadvertently provide hackers with their username and password. Using MFA with a short-lived passcode and a long-lived passcode would mean that even if hackers had the usernames and passwords, they would not obtain access as they would not know the passcodes. Remedy: You recommend adding MFA to the shipping management system. This is in keeping with ACE’s Operational Policy, as all access to ACE systems requires MFA. You advise this will take 3 weeks to implement and cost $5,000.
  2. The transport company’s shipping system relies on a different webserver to the webserver used by ACE. The other web server is patched to the latest release, however, in the past this webserver has been subject to a few Zero Day exploits. You recommend moving from the old web server as a priority. Remedy: Move the shipping system to the same web server as ACE. You advise this will take 7 weeks to implement and cost $25,000.

Senior management consider the recommendations and advise that:

  • Adding MFA to the shipping system should be high priority and you are told to proceed.
  • Senior management decide to stick with the old web server for the time being to minimise disruption to both businesses. They understand the risks posed by using the existing web server and feel the likelihood of a Zero Day event is low, while the cost and time required to migrate to the new server are significant. They ask you to re-address moving off the old web server in 6 months.

After taking direction from management:

  • you arrange with ACE IT to implement the MFA changes and create a new procedure document on how to access the shipping system
  • you ensure training is provided to staff before MFA is implemented and load the procedure into ACE’s document management system
  • you monitor the old webserver using a reporting tool to identify any unusual data traffic or sources of traffic (using the IP address of the request)
  • additionally, you research weekly for any patches or news on new exploits the old web server software is experiencing.

Senior management take advice and rely on experts in their business and externally. The role of the cyber security manager is to advise stakeholders when change is needed to improve cyber security. The role of senior management is to consider advice, weigh up the risks, consider the impact on the business and provide guidance (approve, disapprove, or adopt elements of a suggestion). Cyber security managers consult with senior management without emotion, based on facts and best practices. Depending on the tolerance for risk in a business as set by senior management, the cyber security environment is crafted.

Factors Influencing Stakeholders

Senior management are motivated by business principles. Management operates from a vision for the business and will think in strategic terms. Strategic planning looks to the future and where the business looks to be in a year, two years and even longer. Management relies on department managers to deliver strategic vision using operational planning. Operational planning focuses on today, next month or the end of a project.

As a result, while management will likely have an operational background, all operational changes are considered through the lens of how the change advances the strategic plan. Factors influencing stakeholders and senior management include the following:

Increasing productivity, doing more with fewer resources in less time, is the ambition of any business. While cyber security protects a business from cyber criminals, cyber security does not improve productivity. For example, authentication, data management policy and technology security make processes slower, cost money to implement and do not generate profit for a business. Any management decision on additional cyber security, however necessary, will consider the impact on the business overall.

All activity in a business is budgeted and no business has unlimited resources. Cyber security, like staff training, equipment procurement and marketing, is budgeted. Unlike marketing, cyber security is not profitable and spend needs to be carefully justified. Working with management and presenting cyber security needs using a Risk Profile allows the focus to be placed on high impact and high probability threats. This ideally allows budgets to be prioritised towards protecting the business first from these threats.

Activity 2

Policies, Procedures, and Frameworks

A business relies on a cyber security manager to develop sound policy and procedure to manage cyber threats. Cyber security frameworks provide a comprehensive coverage of the policies required to build sound cyber safe procedures. The following table describes critical cyber security activity and provides references to example cyber security frameworks:

Cyber Security Activity / Description / Example Frameworks

Continually Researching and Assessing Cyber Threats to the Business

The threats from hackers evolve. The techniques change to keep ahead of existing cyber security techniques. This can be seen in new forms of malware and in new software exploits that hackers have identified. Cyber security managers should continually seek new information from authoritative sources on changes in cybercriminal tactics. For example, the Australian Cyber Security Centre provides regular updates.

CIS: Control 4

NIST: Respond (RS.MI-3)

Building Response Plans

If a cyber-attack is successful, that is not the time to develop a plan. Plans to respond to cyber-attacks should be considered in advance. The resources, people, lines of communication and steps to recover should be identified, tested, and reviewed. For example, if recovery from one form of cyber-attack requires using a data backup, a full recovery test should be conducted and re-checked.

Note that clear escalation procedures need to be in any recovery plan to ensure all relevant personnel are informed and engaged in the recovery.

Plans should be clear, concise, and accurate. They should be scaled according to the required response. For example, recovery of a PC maybe a short plan, whereas recovery of the corporate database will be much larger.

CIS: Controls 11, 12, 16, 17

NIST: Respond (RS.IM 1, 2) Recover (RC.RP 1, IM-1/2, CO-1, 2, 3)

Technology Implementation and Change Policy When a company looks to build a business case to procure any new technology, policy that requires consultation with cyber security management should in place. This ensures that new threats posed by the new technology can be assessed and planned for. Further, depending on a risk analysis, the new or modified technology will have a risk level: if the tech resource (hardware, software, workflow) is a target for a cyberattack, what is the risk to the business?

CIS: Control 16

NIST: Protect (PR.IP-1)

Building Business-Wide Cyber Security Awareness (Including Training)

Protection from cyber-attack requires a business’ staff to have awareness of typical hacking techniques; cyber safe work practices; how to report cyber security incidents; and what they can and cannot do in the workplace. For example, while staff at home may choose to visit websites as they wish, at work, a cyber secure business controls what websites can be visited.

To achieve awareness, cyber security training for all staff and clear, concise policy and procedures are needed.

CIS: Controls 1, 2, 14

NIST: Identify (ID.AM 1, 2, 3, 4, 5, 6

Creating response plans for high-impact cyber-attacks is a fundamental deliverable of a cyber security role. Based on a risk analysis, contingency planning must be conducted so that a plan exists before a cyber-attack occurs. What is required in a response plan should be documented in a threat response planning policy. Further, a plan needs to identify:

  • the roles of key staff in recovery.
  • communication methods to ensure the recovery is smooth – for example, phone numbers, email addresses and video conferencing method – so that the recovery team works smoothly and the wider business (including stakeholders) is kept informed.
  • workarounds to use while recovery from a cyber-attack is in progress, and the criteria for considering a recovery complete. There may also be requirements to comply with government regulations, and these should be noted and allocated as a task to be completed.
Explore

What Should be Included in Cyber Security Training

Cyber security training should:

  • cover the organisational security requirements and the particular security risks that are part of the role each staff member fulfils.
  • be delivered as e-learning, PowerPoint or formal presentations. The training design should be informed by the business's training manager as to the delivery style. In businesses without a training manager, short, clear and simple direction ensures clarity and material that is quick to deliver. Using images to demonstrate points (e.g., a screenshot of someone logging on) helps ensure the message is clear.
  • be supplemented by informal emails sent to staff from time to time on cyber security measures. This is useful in enhancing cyber security awareness.
  • be given to all new staff before they start work. There is no set best time for providing refresher training to existing staff. However, as cyber security training provides a key defence against a successful cyber-attack, training should be:

Writing Policy

Writing new cyber security policy or amending existing policy is an output of the activities above. For example, a policy change may arise from discoveries made during threat research or from the requirements of additional technologies being added to the workplace.

A business is likely to have a policy template that guides the writing format for policy. In some cases, a technical writer will write all policy in a business based on input from subject experts (such as cyber security managers). This ensures that a consistent style is used for all policy.

In cases where a cyber security manager writes the policy, always ensure:

  • clear and simple directions are provided
  • that a reason for the policy is provided and that the policy outlines the threat that it counters
  • that the policy is divided into meaningful user subjects, such as ‘Policy on using mobile devices’ or ‘Policy on remote work’.
Case Study

Creating Policy

You are the cyber security manager at ACE Pty Ltd. It becomes necessary to add a new compliance requirement to the ACE mobile device policy. Due to a vulnerability in public Wi-Fi, all mobile devices must use 4G/5G networks, and Wi-Fi is prohibited when connecting to the ACE network.

You write a dot point into the policy after obtaining approval for the change from the relevant ACE stakeholders:

  • ‘Access to the ACE network is provided only when 4G or 5G networks are used. Wi-Fi is prohibited and any attempt to use Wi-Fi is blocked’.

You follow up the addition to the policy with an email to ACE staff informing them of the change.

Activity 3

Watch

Learn more about how to write cyber security policy. Watch the video below:

Industry Experience

Frameworks provide a general approach to cyber security. There are also sources of industry-specific cyber security knowledge that may be available. When developing cyber protection for a business, consulting these sources for direction on policy and process can assist in tailoring security to best fit the business.

Examples of these sources include:

  • consulting with industry associations.
  • consulting with software and hardware vendors that sell industry-specific platforms.
  • liaising with government agencies such as the Australian Cyber Security Centre. The ACSC has a deep understanding of specific best practices for industry and is integral in supporting the SOCI Act.
  • adopting pre-designed, sector-specific frameworks. For example, the Australian Energy Cyber Security Framework (AECSF) is designed to meet the needs of the energy sector (for example, a business that supplies gas). The framework is a federal government initiative in partnership with energy suppliers.
Reading

For more information on the Australian Energy Cyber Security Framework, refer to: AEMO | Australian Energy Sector Cyber Security Framework
