The Growing Importance of Risk Controls
Part 2a: Australia’s Essential Eight: Beyond Endpoint Control
Part 2b: Activating UK NCSC – US NIST Guidelines: Beyond Endpoint Control
Why is cyber insurance necessary?
As large and small organisations everywhere are discovering, cyber security has now shifted beyond the information technology team, to include operations and risk management participants – even becoming an executive and board level responsibility.
With the increased risk of cyber-attack, and the growing scale of claims, organisations are now required to identify and consider the true “cost” of an attack. This includes in-house planning, budgeting and supporting business continuity and risk management activities.
These are a few costs that we are finding clients are evaluating – as part of their broader business risks that relate to cyber security – to manage their operating and capital budgets:
- Market valuation
- Loss of intellectual property
- Cost of down-time
- Impact on safety or health and wellbeing of staff or customers
- Cost of re-establishment of services or productivity
- Reputational risk costs (short, medium and long term), including:
  - Contract breaches and external liability
  - Loss of future relationships with customers, investors, stakeholders, and suppliers
  - Additional resourcing required in case of a cyber breach (including additional specialist ICT support, public relations advice and support, and legal advice regarding notifications to government authorities and relevant parties, etc.)
  - Administration overhead
  - Impact on liquidity, debt covenants, and other established metrics
How you might be facing cyber security in your role and what this means for risk controls, visibility, and your organisation’s cyber insurance renewal
The need for quantitative measurement
Whether the aim is to manage your own organisational risks in a hybrid state that includes remote workers, or to assess the risk introduced by vital third-party suppliers, there needs to be a data-driven shift in how your organisation approaches risk management and determines the effectiveness of its risk controls, which now include cyber risk. The approach needs to be objective and preferably framework-based.
Quick read: The Australian, UK and US recommended cyber risk measurements
Knowing the increased cyber risks to all facets of private and public organisations, the Australian Government, via the Australian Cyber Security Centre, devised a framework of mitigation strategies – the Essential Eight – as a baseline set of highly effective strategies that aim to make it harder for attackers to gain access to your valuable assets and systems.
The Essential Eight framework and its Security Maturity Model describe these eight measurable strategies and their implementation. They enable organisations of any size to measure the effectiveness of their cyber risk controls, with the aim of fixing any gaps that are identified. The framework defines the technical controls and how they should function to support cyber security prevention, containment and recovery objectives.
With an experienced and dedicated Security Operations Centre (SOC) or security specialists within your Information and Communication Technology (ICT) team, the Essential Eight framework can be applied to measure the operation of each of the eight security controls and their maturity level.
More recently, particularly in relation to ransomware attacks, the UK’s National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) have recommended an expanded set of guidelines to better assess ransomware readiness and inform risk management activities. These controls provide additional visibility and measurement across the areas of prevention, containment and recovery through the addition of staff awareness, perimeter, endpoint protection and incident response metrics. The effectiveness of each security control is measured as a score that informs ICT or SOC teams of any inadequacies in the operation of the key security controls. In parallel, these scores give the executive, board and risk managers clear visibility of the current security posture and cyber risk readiness, highlighting any areas requiring particular risk management oversight.
The importance of sensitive data management: As organisations vary with their adoption and cyber maturity along their own digital journey, best practice requires appropriate policies and procedures that define and protect sensitive IT assets including data. Knowing what systems and data your organisation maintains, and defining the most sensitive and critical components and how best to protect them, is an important part of ongoing risk assessment activities that executives, boards and risk managers must oversee.
The establishment and management of systems, processes and procedures that identify, measure and maintain the protection of sensitive systems and information in an organisation form part of an Information Security Management System (ISMS). Organisations everywhere are implementing this type of systematic security framework or standard in order to maintain the disciplined, ongoing IT governance processes that are so important in a hostile cyber world.
The new task for the C-suite, directors and risk managers: The security controls of government security agencies and the requisite risk mitigation strategies for cyber insurance eligibility increasingly mirror the ACSC Essential Eight and the NCSC and NIST guidelines, and they are becoming the ‘new normal’ across organisations in every sector. Just as we are accustomed to measuring and trusting a wellness marker in a routine blood test, cyber risk management has a security health measure in the Essential Eight in Australia, in the UK’s NCSC guidelines, and in the US’s NIST guidelines.
As cyber now sits within the responsibilities of the leadership team, we encourage our clients to consider what security performance information they currently receive, its relevance and whether it is adequate to support operational decisions and governance duties.
With the added steps to cyber insurance renewals, and knowing that any changes to internal risk management processes can take time, we are supporting your efforts to better understand the internal cyber posture of your organisation as you prepare for the now more onerous cyber insurance renewal process.
To measure your cyber posture and provide the relevant quantifiable verification insurers are now looking for, consider activating an Insurance Renewal Initial Report.
Huntsman Security’s Essential 8 Auditor and SmartCheck for Ransomware software applications provide on-demand cyber vulnerability & maturity level assessment that enables you to:
Your risk profile is the single most important factor in informing re-insurance success. Huntsman Security’s Essential 8 Auditor or SmartCheck for Ransomware software applications strengthen your internal capacity to address these emerging cyber risk areas, support renewal of your cyber insurance, and manage your broader cyber security needs.
Start the preliminary steps to obtain your Initial Insurance Renewal Report driven by one of the following applications:
Essential 8 Auditor
On-demand cyber vulnerability & maturity assessment
With on-going access to resilience reports, cyber maturity metrics, remediation “To-Do” Lists, and the ability to regularly ‘Re-Audit’ your environment for 12 months. Aligned to the Australian Cyber Security Centre’s Essential Eight Controls. [from $7,500]
SmartCheck for Ransomware
Measure your ransomware readiness
With on-going access to resilience reports, cyber maturity metrics, remediation “To-Do” Lists, and the ability to regularly ‘Re-Audit’ your environment for 12 months. Aligned with guidelines from the UK’s National Cyber Security Centre (NCSC) and the US Department of Commerce’s National Institute of Standards & Technology (NIST). [from £7,500]