Is it time to reboot your approach to security?

Author: Brendon Taylor

Cyber attacks on Australian businesses are rising
With our increasingly fast-paced lives, it is hard enough to stay on top of our personal cybersecurity, let alone protect the information assets of the companies we work for. From ransomware, malware attacks and mobile phone hacks to advanced email phishing attacks and social engineering threats, the variety and volume of security risks we face are growing. In 2016 we have seen the big 4 banks targeted with an incredibly sophisticated malware play, major data breaches that included consumers' private information, denial-of-service attacks on hospital systems and dedicated cyber attacks on high-profile government entities. There has even been a report of pirates using cyber espionage against a global shipping company to target high-value goods.

And for all the security breaches we know about, many more go unreported. Even if you limit the cost to your reputation by not publicly exposing a breach, the costs to your bottom line can be severe. A 2015 Ponemon Institute study found that the average cost of a cybercrime attack is US$7.7 million.

As a consequence, we are seeing increasing boardroom-level awareness of, and serious questions asked about, cybersecurity protection and controls. Traditional security solutions are based around technical controls: perimeter firewalls, access control, logging and monitoring. These responses are mainstream and mature, and when combined with advanced analytics solutions they present a hefty corporate-level defence against cybersecurity threats. However, in an environment where an employee’s or customer’s ability to access information at any time, from any device and any location is no longer a competitive edge but a mandatory requirement, the traditional traffic cop role of the security function needs to be reassessed.

With today’s increasingly mobile workforce and distributed IT footprint, a more data-centric approach to security is required. Security experts have been preaching for decades that the biggest risk to cybersecurity is the human factor. This remains true, and organisations need to build a culture in which every employee is responsible for cybersecurity.

Rethinking Security

Business Aspect believes that aligning security planning with organisational change and culture principles is key to delivering effective cybersecurity management. As cybersecurity practitioners and advisers we:  

  • Work with our clients to understand the true requirements of their staff and customers.
  • Translate these requirements into a security profile that is as multifaceted as the organisation for which it is being built. One-size-fits-all solutions are no longer practicable or workable.
  • Provide input into the strategic business planning process – not just the technical planning. Effective cybersecurity requires more than technical solutions; we are developing a strategy that needs to be understood by and embedded with every staff member.
  • Talk to the business – to be able to answer the ‘why’ questions with something other than ‘just because’.  
  • Work with the change specialists within your organisation to plan how the security strategy will be developed, implemented and embedded; and
  • Prepare for future threats with an adaptable plan that can respond to the challenges ever-present in the modern corporate culture.

Cyber-attacks against corporate environments are the new normal, yet we need to continue running our businesses. Technical controls go part of the way but people, behaviour and culture need to do the rest.

About Business Aspect
Business Aspect assists customers with the execution of their business strategy through either large-scale business transformation or by addressing smaller challenges in specific areas of the business. It focuses on the business first, and then identifies technology needs as an enabler of required business outcomes.
It has skills, experience and expertise in business and technology strategy, architecture, risk, control, planning, design and governance. Through its services, Business Aspect addresses all layers of the business, including people, organisational change, process change, information management, information and communications technology applications and technology infrastructure.
Business Aspect solves complex business problems through the collaborative efforts of its team of highly experienced personnel, and the application of proven intellectual property. A key strength is the diversity of the background and skills its senior consultants bring to planning initiatives involving people, process and systems.