Australian cyber security 2020 – right strategy, wrong plan
There is a lot of discussion about Australian cyber security right now. AustCyber has just released the Australian Digital Trust Report 2020, and the Australian Cyber Security Industry Advisory Panel will shortly hand down its recommendations to Government. That will be followed, very shortly, by the release of the much-anticipated Australian Cyber Security Strategy 2020. For the vast majority of Australian companies, all they want to know is what this means for them, and how they can measure and improve their cyber resilience.
Where is Australian cyber security now?
There is no doubt that Australia’s cyber resilience has been found lacking, with evidence of little improvement since 2016. Suggestions of industry-based resilience levels and of yet more frameworks and standards have been thrown into the mix; everyone has an opinion and an agenda. The fact of the matter is that Australia already has a cyber security framework, complete with a maturity model, that tells you what good looks like and what your current cyber resilience level is.
The Essential Eight
The ACSC published the Essential Eight in 2017, detailing eight mitigation strategies that prevent malware delivery and execution, limit the extent of cyber security incidents, and aid the recovery of data and system availability. The Australian Signals Directorate’s (ASD) own findings were that effective implementation of the original Top 4 of these strategies would have prevented at least 85% of the targeted cyber intrusions it responded to; the Essential Eight builds on that baseline.
Commonly known as ‘The Essential Eight’, the framework is acknowledged internationally. It is easy to articulate and understand, and it incorporates the key cyber hygiene activities that are globally recognised as the cornerstone of an effective cyber security regime. The ASD considers the Essential Eight to be the most effective cyber resilience baseline for all organisations, and Government departments are mandated to implement at least the Top 4. So, if Australia’s go-to strategy is not driving cyber resilience, the question is: why not?
Encouragement or enforcement
According to the ANAO, despite repeated recommendations about the benefits of the Essential Eight, the lack of improved cyber resilience across Australian Government departments over the last few years may come down to a lack of enforcement of the controls: if there is no consequence for poor performance, what is the driving force for improvement?
Environmental factors – the economy at risk
There is little doubt that the Prime Minister’s announcement on 19 June 2020 got everyone’s attention: Australia was under attack, by a sophisticated state-based actor targeting Australian organisations. The message was very clear. In Advisory 2020-008, the ACSC counselled improved resilience and the use of the Essential Eight, calling out two of the most fundamental controls in particular: prompt patching of internet-facing software, operating systems and devices, and multi-factor authentication (MFA) on remote access services.
The goal of achieving resilience through Essential Eight compliance has not changed, but the magnitude of the clear and present danger of non-compliance has now been starkly revealed to all. So the question remains: what can be done to encourage or enforce effective implementation of the Essential Eight? Other economies are answering it with accreditation: the US is establishing the CMMC program for its defence supply chain, and the UK already certifies organisations against Cyber Essentials.
Factors affecting enforcement
Setting aside the obvious introduction of penalties, personal accountability, or the public naming and shaming of under-performing entities, what other factors could affect Australia’s ability to improve cyber resilience?
If you have ever been tasked with the operational management of security controls, you will know it is a huge responsibility. Keeping on top of a dynamic environment requires skilled resources, and plenty of them. The reality is that many organisations have just a handful of IT staff trying their best to manage an overwhelming workload. Can the workflow and efficiency of some of these workloads be improved? Where do these businesses start on the road to Essential Eight compliance?
Measuring security control implementation takes time, whether you are the operational security team owner or an external auditor. The task is fraught with judgement calls, inconsistencies and human error, and, once you have gone to the bother of doing all the work, the results may no longer represent the current state. As we said earlier, cyber security operates in a dynamic environment: what was robust yesterday may be compromised today. Entities and auditors need Essential Eight audit solutions that are easily installed and can systematically assess an environment, either at a point in time or continuously.
There is no shortage of consultancy services working hard to support entities everywhere in their pursuit of improved cyber resilience. However, these services can be costly, and so out of reach for many companies, and the process can be disruptive and time consuming. An Essential Eight audit tool that gives a quick and easy way to measure cyber resilience lets these businesses quantify their position, create a plan and begin to move forward with confidence.
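The kind of systematic, repeatable check this paragraph is asking for, as an added example that is not the page’s tool nor anything published by the ACSC or ASD: a small Python assessment that runs the same two tests over every host in an inventory, for the two controls the advisory singled out (patching and MFA), and produces a consistent result regardless of who runs it. The host inventory, the 14-day patch window and the severity rule are assumptions for illustration, not figures taken from the Essential Eight Maturity Model; the assessment date is fixed so the run is repeatable.

```python
"""Point-in-time spot check of two Essential Eight controls across a host inventory.

Added example (not the page's tool, nor ACSC/ASD software). The inventory is
constructed, and the patch window and severity rule are assumed parameters,
not figures taken from the Essential Eight Maturity Model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed threshold: how long an available patch may stay unapplied before it
# is a finding. Set this from the maturity level you are assessing against.
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    # patch identifier -> date the vendor released it (constructed values)
    pending_patches: dict[str, date] = field(default_factory=dict)
    # privileged account -> whether MFA is enforced for it (constructed values)
    admin_accounts: dict[str, bool] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    host: str
    control: str   # "patch" or "mfa"
    severity: str  # "high" for internet-facing hosts, else "medium" (assumed rule)
    detail: str


def severity_for(host: Host) -> str:
    # Assumed prioritisation: the advisory singled out internet-facing systems.
    return "high" if host.internet_facing else "medium"


def check_patching(host: Host, today: date, window: timedelta = PATCH_WINDOW) -> list[Finding]:
    """One finding per patch that has been available longer than the window.

    A patch exactly at the window is not flagged (strictly greater than), so the
    boundary behaviour is explicit rather than left to whoever runs the check.
    """
    findings = []
    for patch_id, released in sorted(host.pending_patches.items()):
        age = today - released
        if age > window:
            findings.append(Finding(host.name, "patch", severity_for(host),
                                    f"{patch_id} available for {age.days} days"))
    return findings


def check_mfa(host: Host) -> list[Finding]:
    """One finding per privileged account without MFA enforced."""
    return [
        Finding(host.name, "mfa", severity_for(host), f"{account} has no MFA")
        for account, enforced in sorted(host.admin_accounts.items())
        if not enforced
    ]


def assess(hosts: list[Host], today: date, window: timedelta = PATCH_WINDOW) -> list[Finding]:
    """Run both checks over every host and return the findings, high severity first."""
    findings: list[Finding] = []
    for host in hosts:
        findings.extend(check_patching(host, today, window))
        findings.extend(check_mfa(host))
    return sorted(findings, key=lambda f: (f.severity != "high", f.host, f.control))


def compliance_rate(hosts: list[Host], findings: list[Finding]) -> float:
    """Fraction of hosts with no findings: a crude but repeatable headline number."""
    if not hosts:
        return 1.0
    failing = {f.host for f in findings}
    return 1 - len(failing) / len(hosts)


# Constructed inventory and a fixed assessment date so the run is repeatable.
TODAY = date(2020, 7, 1)
INVENTORY = [
    Host("web01", internet_facing=True,
         pending_patches={"KB-EXAMPLE-1": date(2020, 6, 11)},   # 20 days old
         admin_accounts={"svc_admin": False, "ops_admin": True}),
    Host("app02", internet_facing=False,
         pending_patches={"KB-EXAMPLE-2": date(2020, 6, 17)},   # exactly 14 days: not flagged
         admin_accounts={"ops_admin": True}),
    Host("db03", internet_facing=False,
         pending_patches={"KB-EXAMPLE-3": date(2020, 6, 28)},   # 3 days old
         admin_accounts={"dba": True}),
    Host("file04", internet_facing=False, admin_accounts={"ops_admin": True}),
]


def run_sample() -> list[Finding]:
    """Assess the constructed inventory; used by the entry point below."""
    return assess(INVENTORY, TODAY)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.severity:6} {f.host:7} {f.control:5} {f.detail}")
    print(f"hosts with no findings: {compliance_rate(INVENTORY, results):.0%}")
```

On the constructed inventory only web01 is flagged (an unapplied 20-day-old patch and a privileged account without MFA, both high severity because the host is internet-facing), app02 sits exactly on the window and is deliberately not flagged, and three of four hosts are clean. Feeding the script a real inventory exported from patch management and identity tooling turns it into the point-in-time check the paragraph describes; scheduling it turns it into the continuous one.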
A compelling event
The COVID-19 pandemic has been a costly journey so far for many of us. Our risk management capabilities have been tested and our resilience is still in question. The insurance industry talks of it as a one-in-100-year event. What have we learned?
We have learned that, while contingency plans were in place, we overestimated our preparedness and probably our resilience too. It is now clear that significant events like COVID-19 can seriously damage our social fabric and economic infrastructure. Vulnerable to dysfunctional global supply chains and over-reliant on imported goods and services, we have nonetheless largely done it on our own: with other nations distracted by their own issues, we have managed to sustain the operation of our economy and society with local skills, resources and capabilities, and in any other sort of catastrophe we need to be able to do it again.
Stay focused and stay local
Australia has a tried and tested cyber security framework in the ACSC Essential Eight, which is supported by the Essential Eight Maturity Model. The model provides advice on how to implement the Essential Eight in a phased approach. It also assists organisations in self-assessing the maturity of their environment and implementing a resilience improvement program.
Our recommendation for Australia, in relation to Australian cyber security, is to stay strong and stay focused on the Essential Eight and the durability it will bring to our economy. It is one of the most straightforward and achievable strategies available. If cyber resilience remains an ambition for Australia, we have our goal; now we just need to focus on how to make it happen.