Cyber Security maturity: 4 key focus areas in 2022
By Michael Dowling
Head of Cyber Security
The cyber threat landscape is moving at a pace that no other external factor affecting businesses has matched.
In fact, the Australian Cyber Security Centre (ACSC) recorded a 13 per cent increase in cybercrime reports in FY21 compared to the previous financial year, with self-reported losses totalling more than $33 billion.
To help combat this acceleration, cyber security maturity will be key for all organisations in 2022. With that in mind, here are four key areas to which businesses should turn their attention.
1. Getting the Board on board
How threats are communicated to the Board of Directors is now an essential part of the cyber puzzle, and the Board needs to be across what is happening in the company.
If you’re a CIO, CISO, or Head of Cyber, you need to communicate in a language the Board is going to understand. Everyone needs to be clear and aligned on what your cyber threats are, and your current capabilities to prevent, detect and respond to these threats.
Importantly, if you’re a Board member, you need to understand what your senior leaders are talking about.
As a senior leader, your reporting should translate what is happening in cyber space and tie it back to how it impacts the business. You need to ask, 'what is the actual risk to the business?' Sure, you can report that you have detected and patched 50 critical vulnerabilities and blocked 100 emails with malware in the last month. That is a good measure of activity, but what threats and risks to the business have you mitigated?
Try telling a story about the potential impact that any of these vulnerabilities or malware could have caused the business if they weren’t detected or blocked. Talk about how each time you’ve blocked a malicious email or patched a vulnerable device, you’ve reduced the likelihood of a risk event happening or at least kept the risk within an acceptable tolerance level.
2. Focus on your supply chain
There has been a significant increase in supply chain focused attacks. These create problems for your own company, but they also have potential downstream implications for your customers, and they make you more exposed to attacks on your suppliers and business partners. For example, if one of your suppliers or partners suffers a ransomware attack that takes their services offline, consider how this is going to impact your business. Do you have a Business Continuity Plan in place that takes these impacts into consideration?
These types of attacks affect every industry and ecosystem, so it is essential that your view of the supply chain matures. Most organisations now run a security risk assessment on all their suppliers and expect them to maintain a minimum baseline level of security maturity. As a result, establishing that baseline level of security maturity, and being able to demonstrate it, is becoming table stakes for doing business in most sectors.
3. Cyber insurance and your obligations
Most organisations rely on cyber insurance to get them out of trouble if a cyber incident occurs. However, a claim may not cover the financial damage associated with reputational cost and loss of business.
Key insight: Cyber insurers are placing increased obligations on businesses seeking insurance around the level of cyber maturity they have. Being unable to meet these expectations may result in larger renewal premiums, or rejection of claims due to a lack of cyber security hygiene.
So, organisations need to balance their investments, between transferring risk to a cyber insurer and building up their security controls.
With that said, maturity is not just about tools. It is also about processes and culture. You could have the best tools in the world, and all it takes is for someone to click a link they should not have, which could result in a security incident. I believe the most successful organisations have an embedded cyber security culture across the organisation, and that starts at the Board level.
4. Legislation changes for critical infrastructure
In FY21, approximately one quarter of the cyber security incidents reported to the ACSC affected entities associated with Australia's critical infrastructure. The Federal Government's amendments to the Security of Critical Infrastructure Act broaden the range of industries that are considered critical infrastructure. It will include sectors such as data storage and processing, food and grocery, transport, higher education and more. These changes place increased obligations on those sectors to maintain a baseline level of security maturity, including reporting to the Australian Signals Directorate (ASD) when a cyber attack occurs, and even allowing the government to step in during a cyber attack.
So, your ability to demonstrate a level of cyber security maturity will become increasingly important. The NIST Cybersecurity Framework is a common one to measure against. Pick a framework that suits your industry and do a self-assessment to measure what level of maturity you are at against each of the relevant criteria. Your assessment will help you understand what stage of maturity your organisation is at, what your target level of maturity needs to be, and what needs to be done to bridge the gap and demonstrate that compliance.
You can certainly do that assessment internally, but you need to understand what the right landing point is and how to get there. Where do I start? What order do I do things in? What types of solutions are out there? That is where you can save a lot of time and effort by working with someone who has done this before and can help with a pragmatic, incremental roadmap to get you to where you need to be.