The Cybersecurity lessons your business MUST learn from the Optus hack
The event was streamed live from the Land Forces Exposition in Brisbane and was chaired by Phil Tarrant, Director of Cyber Security Connect. His two guests were Major General (Ret'd) Marcus Thompson, AM, PhD, the inaugural Head of Information Warfare for the Australian Defence Force, and Adam McCarthy, CEO of Paraflare.
Over the 1 hour and 12 minute stream they discussed several topics relating to the Optus hack and what businesses should focus on. There were many key takeaways from the stream, which I believe are essential to focus on.
If you have time, I recommend watching the stream here.
For those who don't, I've provided the key points below.
Organisational Cybersecurity Resilience
Marcus Thompson makes a point about the initial areas a business should focus on:
The first is organisational resilience, how might we respond in the event of a cyber incident? How good is our incident response plan, our crisis management plan, our business continuity plan? When was the last time it was rehearsed and revised? That’s where organisational resilience comes from, your ability to fight through, the ability to continue to operate during a crisis.
Our take: Incident response planning is becoming at least as much of a baseline requirement as disaster recovery planning, and the two are not the same thing: disaster recovery restores systems, while incident response is about detecting, containing and eradicating an attacker while you keep operating. We recommend all our clients undertake some level of incident response documentation and preparedness, and rehearse it rather than file it.
Who is Ultimately Responsible for your business’ Cybersecurity?
Again, Marcus responds to Phil's question, "Can the CEO be held to account?"
Well, I think the CEO’s accountable for everything that happens in an organisation. Recognising that a CEO is accountable to the board and ultimate governance responsibility sits with the board. But I mean, so the short answer is yes, of course. Yes, of course.
Our take: Cybersecurity cannot be left to your operational team alone. Your executive team, your management team, or you as a director need to take an active role in ensuring your organisation's security is well managed. That doesn't mean being involved in the day-to-day; it means making it a priority and holding the people responsible accountable for acting on it.
Managing your APIs
With any cloud-based organisation, APIs are vital to sharing data efficiently and in an automated way. Adam frames API security in terms of the CIA triad (confidentiality, integrity and availability): an API exists to make data available, but that availability has to be balanced against keeping the data confidential.
…API security, it's a complex issue because you want usability. There's the CIA triad: confidentiality, availability, and integrity. So you want availability in systems and APIs can provide that, but you also want them confidential. So that's where I think they've fallen down.
Understanding the risk and being informed on the risk is the most important thing I think. So a business can't operate in a vacuum and assess their own risk. They've got to actually consult industry professionals, peers, chief information security officers talking to other chief information security officers about how they secure APIs. "How do you do it? Oh, we do it this way. Oh, that's interesting. Maybe we should implement that." So talking with peers and the community, leveraging experts.
Our take: See the next section below.
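Before that, a concrete illustration of the confidentiality-versus-availability tension Adam describes. This is an added example for this page, not code from the stream, from Optus or from Paraflare, and nothing in it describes how the Optus breach actually happened: the customer records, ids and bearer tokens are constructed. The weak handler serves any record to anyone who can reach the endpoint and guess an id, so a loop over sequential ids dumps the whole table; the hardened handler authenticates the caller and then checks that the caller is allowed to read that specific record (object-level authorisation), answering 404 for both missing and forbidden ids so that it does not confirm which ids exist.

```python
"""Constructed example: an unauthenticated customer API beside a hardened one.

Added example, not code from the stream or from any named company.
Customer data and bearer tokens below are made up."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: a few customer records keyed by sequential numeric id.
CUSTOMERS = {
    1001: {"name": "A. Citizen", "email": "a@example.invalid", "licence": "1234567"},
    1002: {"name": "B. Citizen", "email": "b@example.invalid", "licence": "7654321"},
    1003: {"name": "C. Citizen", "email": "c@example.invalid", "licence": "1112223"},
}

# Constructed bearer tokens -> the customer id each token was issued for.
TOKENS = {"tok-for-1001": 1001, "tok-for-1002": 1002}


@dataclass
class Request:
    path: str                            # e.g. "/customers/1001"
    authorization: Optional[str] = None  # e.g. "Bearer tok-for-1001"


@dataclass
class Response:
    status: int
    body: dict


def _customer_id(path: str) -> Optional[int]:
    """Extract the numeric id from '/customers/<id>', or None if the path is malformed."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "customers" and parts[1].isdigit():
        return int(parts[1])
    return None


def get_customer_open(req: Request) -> Response:
    """Weak form: availability only. Anyone who can reach the endpoint and guess
    an id gets the record, and sequential ids make guessing trivial."""
    cid = _customer_id(req.path)
    if cid is None or cid not in CUSTOMERS:
        return Response(404, {"error": "not found"})
    return Response(200, CUSTOMERS[cid])


def _subject_from_token(header: Optional[str]) -> Optional[int]:
    """Resolve a 'Bearer <token>' header to the customer id it was issued for."""
    if not header or not header.startswith("Bearer "):
        return None
    return TOKENS.get(header[len("Bearer "):])


def get_customer_secured(req: Request) -> Response:
    """Hardened form: authenticate the caller, then authorise the caller for the
    specific object requested. Missing and forbidden ids both get 404 so the
    endpoint does not reveal which ids exist."""
    subject = _subject_from_token(req.authorization)
    if subject is None:
        return Response(401, {"error": "authentication required"})
    cid = _customer_id(req.path)
    if cid is None or cid not in CUSTOMERS or cid != subject:
        return Response(404, {"error": "not found"})
    return Response(200, CUSTOMERS[cid])


def enumerate_records(handler: Callable[[Request], Response], start: int, stop: int,
                      authorization: Optional[str] = None) -> int:
    """Simulate an attacker walking sequential ids; return how many records leaked."""
    leaked = 0
    for cid in range(start, stop):
        if handler(Request(f"/customers/{cid}", authorization)).status == 200:
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("open endpoint leaked:", enumerate_records(get_customer_open, 1000, 1010))
    print("secured, no token, leaked:", enumerate_records(get_customer_secured, 1000, 1010))
    print("secured, one customer's token, leaked:",
          enumerate_records(get_customer_secured, 1000, 1010, "Bearer tok-for-1001"))
```

The point of the enumeration helper is that the open endpoint is perfectly "available" and leaks every record, while the hardened one leaks at most the one record the caller is entitled to; in a real deployment you would also rate-limit and log the 401/404 storm that an enumeration attempt produces.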
Non-Technical CEOs. What should they do?
Phil asks a very relevant question:
I’m a director of a company or I’m a CEO, I’ve heard about this thing API, I know I’ve got them. How do I make sure my team knows that they should be protected and whether or not they’re doing a good enough job?
Understanding your assets and understanding the software that operates within your environment, two of the most fundamental things. If you don’t understand those two things, get really, really familiar with them really quickly.
Once you identify your assets and the software, you can then start to extrapolate how those applications and how that software communicates across your assets, and the APIs that potentially may be used there as well.
So again, it starts with fundamentals. I know Marcus talks about it, self-defence, passive defence, and active defence. Understand your systems, understand the way in which they communicate, then you can go about protecting them.
Adam goes on, later in the stream, saying…
…it’s a challenge when we talk about CEOs for example of organisations that don’t have a technical background. Where do they get their information from and how do they make a decision based on that information?
So if you have a CIO or a head of IT, really pick their brains and try and get to the bottom of exactly the way in which their corporate environment works and how it’s connected. And if you have any doubts, always ask your peers. Again, ask people within the industry, ask your fellow directors, board members for that extra verification if you feel there’s more to that.
Phil adds to Adam’s comment, saying…
Trust the people who are charged with ensuring your organisation’s protected.
Our take: A risk assessment is the essential first step to understanding what would be involved in reducing your cybersecurity risk: it tells you what you have, what it talks to, and where the exposure is, which is the basis for deciding what to fix first. Use your internal resources if they have the skill set, or outsource to professionals.
Financial Penalties. Are GDPR changes coming to Australia?
GDPR, the General Data Protection Regulation, is the EU law on data protection and privacy in the European Union and the European Economic Area. Failing to comply can result in fines of up to €10,000,000 or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for lower-tier infringements; the upper tier doubles that to €20,000,000 or 4%.
So is Australia heading somewhere similar? Minister for Home Affairs Clare O'Neil is talking about the potential for legislative change. Here are Phil's thoughts on that:
So take away from that, be connected with changes to policy legislation, be prepared, be nimble, be able to react and to do it quickly.
Our take: You don't want to be scrambling once legislation of this kind passes through parliament. Undertake that risk assessment now so you are ready when that day arrives.
Securing your environment with Multi-factor authentication
Adam's comment matches our own view:
2FA, second factor authentication. It still challenges me and really boggles my mind as to why it’s not the default these days. And I think it comes down to commerciality and costs. There’s potentially an overhead to having multiple factors and people resetting passwords. I don’t quite understand it, but it should be out of the box 2FA, not a configuration setting that’s added later or optional.
Our take: I've lost track of the number of times we've spoken about MFA. This is as low as low-hanging fruit gets. Enforce it today, on every account that can reach your data, not just the administrators'.
Are there any guarantees in Cybersecurity?
A question from the audience lays out the cold hard truth.
Even if Optus employed the best systems, won’t there always be a hacker determined and or smart enough to get through? How can a biz be expected to 100% protect data?
Marcus responds with
Well, you can’t do 100%. It is just not possible to reduce the risk to zero. And that’s why a robust risk-based approach with a comprehensive approach that addresses self-defence, passive defence, and active defence gives you the best chance to not only withstand an attack, but to respond quickly and to detect, contain, and respond to a breach. Because the attack is going to come, the attack is going to come and it can happen to anyone.
Our take: Unfortunately true, but there are no guarantees in life. The current thinking is to assume you have already been breached, so the question becomes how you limit the damage. That means walls within your organisation as well as around it: segment the network and limit each account's privileges so that one compromised system or login does not expose everything.
What can businesses do to reduce their risk? Implement Essential Eight.
Phil asks a pointed question that all businesses should pay attention to.
What is the one thing that you recommend businesses implement to reduce the risk? Well, in my generous view Essential Eight is where you should start. Adam?
Yep. Essential eight, definitely. The passive controls as a start. Always my simple brain goes back to, from military days, you can’t defend what you don’t know. If you don’t know what assets you have, how are you going to defend them? So just simple asset inventories and software inventories. If you can’t define those two things, then you’re going to have a real hard time.
Marcus adds the two key Essential Eight items he believes will make the most difference.
…if we just start with patching our systems and multifactor authentication, that goes a long way there. That goes a long way.
Our take: We had five of the eight in our monthly report and added the remaining three after our AUSCERT event in mid-2019. The ACSC's Essential Eight is very important for organisations of any size to implement to reduce that risk.
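As an added example of the two controls Marcus and Adam single out, the following checks a software inventory against a patch baseline: it reports every installed version below the minimum, and separately flags packages the baseline does not know about at all, because an unlisted package is an unmanaged one. It is not code from the stream or from the ACSC; the hosts, packages, versions and baseline are constructed, and the version comparison is a deliberately simple one (numeric runs compared as integers, letters as text) rather than any distribution's real ordering rules.

```python
"""Constructed example: report inventory rows that fall below a patch baseline.

Added example, not from the stream or the ACSC. Hosts, packages, versions
and the baseline are all made up."""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed inventory (CSV): host, package, installed version.
INVENTORY_CSV = """host,package,version
web-01,openssl,3.0.7
web-02,openssl,3.0.12
web-02,nginx,1.24.0
db-01,postgresql,14.5
db-01,openssl,3.0.7
jump-01,openssh,9.3p1
"""

# Constructed patch baseline: minimum acceptable version per managed package.
BASELINE = {"openssl": "3.0.12", "postgresql": "14.9", "openssh": "9.3p1"}

NO_BASELINE = "NO BASELINE"


def parse_version(v: str) -> Tuple:
    """Split '9.3p1' into a comparable tuple. Each token is tagged so that a
    numeric run always sorts before a text run and mixed tuples never raise."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[a-zA-Z]+", v))


def load_inventory(text: str) -> List[Dict[str, str]]:
    """Parse the CSV inventory into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def unpatched(inventory: List[Dict[str, str]],
              baseline: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, package, installed, required) for every row below the
    baseline, and (host, package, installed, NO_BASELINE) for packages the
    baseline does not cover at all."""
    findings = []
    for row in inventory:
        required = baseline.get(row["package"])
        if required is None:
            findings.append((row["host"], row["package"], row["version"], NO_BASELINE))
        elif parse_version(row["version"]) < parse_version(required):
            findings.append((row["host"], row["package"], row["version"], required))
    return findings


if __name__ == "__main__":
    for host, package, installed, required in unpatched(load_inventory(INVENTORY_CSV), BASELINE):
        print(f"{host}: {package} {installed} (required {required})")
```

In practice the inventory would come from your endpoint management or configuration management tooling rather than a hand-written CSV, and the baseline from vendor advisories; the useful habit is running the comparison on a schedule and treating "no baseline" findings as an inventory gap to close, not as noise.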
How do SMEs and Sole Traders protect themselves?
Mark from the audience asked this question
How can an SME like I’ve just spoken about, or sole trader, protect themselves when they are not tech experts and don’t have in-house tech experts. What do we need? Where do you start with this?
Marcus tells it straight
If you don’t have expertise in your organisation, I think in this day and age you need to find it. Either by hiring it in or renting it in, sorry, buying it in or renting it in. And having the right advice so that you can address your risk and balance your investment, balance your investment to put your risk where you are comfortable. But I think in this day and age, there’s no burying your head in the sand here. If you don’t have the experts, if you don’t have the expertise, you don’t have the knowledge, then I think you need to find it.
Our take: Find a professional or a team of professionals to help you. And do it today.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.