Joint Advisories keep coming: Heads in the clouds
Huntsman Blog
by Karine Fly
2w ago
As predicted in early 2024, another joint advisory was recently released by the Five-eyes intelligence and cyber security community. This time the advice relates to governments and corporations moving to cloud infrastructure, and to the efforts of a hacking group which has adapted previously successful tactics, techniques and procedures to target cloud-based infrastructures. Unsurprisingly, the market is all about supply and demand, and so it would seem that as businesses and governments move to deliver IT services via the cloud, attackers are seeking ways to infiltrate those systems and steal data ..read more
Operational Resilience – Your obligations and FCA PS21/3
Huntsman Blog
by Karine Fly
1M ago
Quick Links: 1. Policy definitions; 2. So much to do, so little time; 3. Operational resilience stretches beyond operational risk management; 4. Anticipating the unknown; 5. The evolution of operational resilience processes; 6. Monitoring and automation to support operational resilience; 7. Other considerations in the application of the Policy
Background: Operational resilience requirements are being rolled out across the UK and beyond. UK finance firms are required to improve their operational resilience in accordance with Financial Conduct Authority (FCA) Policy Statement PS21/3 (the Policy). The ..read more
Getting value from your cyber investments
Huntsman Blog
by Karine Fly
2M ago
Quick Links: It’s not all gloom and doom; Attributing value and expecting returns from cyber security spend; Effective cyber risk management needs a framework; What you can’t see; Determining value using data-driven measurement; Use Cases; The cost of cyber self-insurance; Crown jewel assets; Measuring the value of your cyber security efforts
A recent KPMG Report[1] suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks ..read more
Agency resilience, compliance & reputation: a cyber governance perspective
Huntsman Blog
by Karine Fly
2M ago
Quick Links: 1. Key cyber pressures to be aware of that will impact government departments in 2024; 2. The responsibility and burden of guarding Personal Information; 3. Solutions with short- and long-term prevention/containment/recovery benefits; 4. Next steps?
The Australian Signals Directorate’s (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level. The pressure for leaders – with and without a specific information technology or security referen ..read more
How to improve access to cyber insurance & re-insurance
Huntsman Blog
by huntsman
7M ago
As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness. Evidence of your organisation’s adoption of the ACSC’s Essential Eight framework can support cyber insurance renewal, and is now a tool that underwriters are starting to look for to validate your cyber maturity. By better managing cyber security controls, your organisation can better influence the price of risk and the cost of cyber insurance premiums. Cyber risk assessment to support insurance coverage ..read more
A tale of two conferences
Huntsman Blog
by Karine Fly
7M ago
Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they both converged at the interface between the security function and the business. One set of challenges sat at the security leadership level in terms of the recognition of the impact of an incident on the security team and its oper ..read more
2022’s least wanted: Rockstar vulnerabilities that should be has-beens
Huntsman Blog
by Karine Fly
7M ago
In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies[1] of the “Five-eyes” community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes them hard to ignore. Doing so could be careless, and certainly ill-advised. In this blog, we aim to outline the findings and advice contained in this recent advisory. But the summary is: Patch your systems. Research into breaches in ..read more
Active management for operational and cyber resilience
Huntsman Blog
by Karine Fly
7M ago
The quality of your risk assessment and the security information it provides is important if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing status of your security controls. These changing threats mean gaps can quickly erode your cyber resilience. Mitigating those gaps without delay requires empirical, systematic and timely information to review and potentially reset your con ..read more
Applying an Australian regulator’s cyber audit findings, in a UK context
Huntsman Blog
by Karine Fly
7M ago
The UK market has its own regulators, security standards and challenges. And while rulings from the SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial organisations, listed entities, utilities or organisations more broadly are more or less secure than those in the US or AsiaPac; the regulatory regimes are just different. That said, we are all facing very much the same threats to our business, the maj ..read more
Cyber Gap Measurement & Evidence – The New Standard of Quantifiable Internal Assessment
Huntsman Blog
by Karine Fly
7M ago
As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the Australian Information Commissioner, for the 6-month period from January to June 2023, a significant 70% of sources of data breaches were from malicious or criminal attacks. Cyber incident breaches from external thr ..read more