
Huntsman Blog
Established in 1999, we aim to provide security technology to measure, report and reduce cyber risk to enable the digital transformation of governments and businesses to more efficient operating models, while at the same time complying with the increasing demands of legislative requirements.
1M ago
As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness. Evidence of your organisation’s adoption of the ACSC’s Essential Eight framework can support cyber insurance renewal, and is now a tool that underwriters are starting to look for to validate your cyber maturity. By better managing cyber security controls, your organisation can better influence the price of risk and the cost of cyber insurance premiums.
Cyber risk assessment to support insurance coverage ..read more
2M ago
Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK.
With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they both converged at the interface between the security function and the business.
One set of challenges sat at the security leadership level in terms of the recognition of the impact of an incident on the security team and its oper ..read more
2M ago
In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies[1] of the “Five-eyes” community.
These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes them hard to ignore. Doing so could be careless, and certainly ill-advised.
In this blog, we aim to outline the findings and advice contained in this recent advisory. But the summary is: Patch your systems.
Research into breaches in ..read more
2M ago
The quality of your risk assessment and the security information it provides is important if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing status of your security controls. These changing threats mean gaps can quickly erode your cyber resilience. Mitigating those gaps without delay requires empirical, systematic and timely information to review and potentially reset your con ..read more
2M ago
The UK market has its own regulators, security standards and challenges. And while rulings from the SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive.
It would be wrong to think UK financial organisations, listed entities, utilities or organisations more broadly are more or less secure than those in the US or AsiaPac; the regulatory regimes are just different. That said, we are all facing very much the same threats to our business, the maj ..read more
2M ago
As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the Australian Information Commissioner, for the 6-month period from January to June 2023, a significant 70% of sources of data breaches were from malicious or criminal attacks.
Cyber incident breaches from external thr ..read more
2M ago
Keen campers, scouts and even the Swiss Army know that a good penknife is indispensable.
This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the mini-bar – this is a multi-purpose tool that can fix just about anything.
The multiple purposes of a multi-purpose tool
The advantage of a penknife, aside from the fact that it folds up for safe storage, is that it’s like having a small “tool box” in your pocket. You can reach for one device to very effecti ..read more
3M ago
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise, because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply-chain-dominated industries. Organisations must consider their suppliers and the cyber security risks they pose. The UK’s Cyber Essentials scheme and the Australian Essential Eight framework both aim to enable organisations to improve the basic levels of cyber hygiene across supply ..read more
3M ago
The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations.
It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts.
The full report is here: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023
The long-running longitudinal study of some 4000 UK organisations provides concerning information about how, while ..read more
3M ago
It took a “tripartite cyber assessment” by the Australian Prudential Regulation Authority (APRA) to identify that a sample of financial organisations had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate 3rd party risk assessment. Why were there gaps? Where is the failure?
Clearly the common practice of unsubstantiated risk assessment and anecdotal reporting is inadequate and can only lead to misplaced confidence and hidden cyber gaps.
Recent reports have emerged suggesting that Australian financial organisations may be wil ..read more