
teissTalk: How much will your next breach cost?

On 13 July, teissTalk host Tom Langford was joined by Tiago Rosado, Chief Information Security Officer, Confidential; Paul Watts, Distinguished Analyst, Information Security Forum; Syed Ubaid Ali Jafri, Head of Cyber Defense & Offensive Security, Habib Bank Limited (HBL).

Views on news

Recent major cyberattacks on Australian organisations, followed by ransom demands, have given Australians a taste of just how much personally identifiable information (PII) can cost. Over 65% of entities use cloud storage for personal information, which relies on third-party IT service providers, and this has become a big problem.

Another issue identified with third-party providers is that 31% of entities did not require their providers to notify them of cyber incidents, which is non-compliant with the SOCI Act, which now also covers universities.

If you have no fundamental controls in place, such as an IT asset register and robust controls around privileged access, and your policies go unreviewed, you’ll be vulnerable. Whether it’s a state actor or a hacker gang, attackers exploit the same shortcomings in cyber security hygiene to breach a system – poor password and identity management, flat networks and so on.

Shifting from tick-the-box compliance and securing software supply chains


Both the UK and Australia have a Cyber Essentials programme in place, a good entry-level cyber security scheme that can lead on to ISO certifications. The root cause of the vulnerabilities in legacy systems is the human factor, or wetware. Security professionals also need to distance themselves from the technology element.

Universities that were testing employees saw click-through rates of up to 70%, which is impressive. Phishing tests and simulations should form part of a broader security culture. There’s no point in getting staff to read 70-page policies; the result will only be TL;DR. Gamification and rewards, on the other hand, can serve as good incentives. Near-miss reporting and the reporting of failures are also key, as they encourage people to call out their own or colleagues’ errant behaviour.

An IdP that stores users’ digital identities is a useful tool for IT asset registration, and any company that runs a mail system nowadays most likely already has some sort of IdP. It’s also a good idea to start with questions such as: what process are we trying to improve, and what relationships are we trying to understand: data to hardware, data to software, assets in a data centre, or critical processes? CISOs sometimes don’t have a technological background and rely on vulnerability officers, who do. To help your people identify near misses, you have to train them by discussing breaches with them, so their perception of cyber threats becomes more acute. In the first six months of this year, ransomware alone cost companies $500 million globally, which equals 90% of last year’s total.

Paying a ransom is never an easy yes/no choice; it always depends on the scale of the effort needed to restore business continuity. For big tech, fines are the cost of doing business. If the company loses nine million a day, there’s no point in continuing to negotiate the ransom down beyond a certain point. Although a firm can take out cyber insurance, it can’t transfer compliance and reputational risk. Recently, insurers and reinsurers have been reconsidering whether to cover cyber attacks, and they now tend to regard them as acts of war. Even if talk of ransomware attacks sinking the ship may sound like scaremongering, it will take months to get the company back on track after a breach.

Maersk still hasn’t fully dealt with the ramifications of NotPetya, after having spent millions on the breach. Whenever a cyber attack happens, the costs for the company to fully recover run into the millions.

The panel’s advice

90% of breaches are down to process, not technology, failure.

Security discourse must go beyond compliance.

Don’t create fear in your people about clicking on anything.

Take care of your employees too, and deal with the anxiety they experienced during a breach.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.