StrategicRISK spoke to Cynch Security’s chief wayfinder, Susie Jones, about her reflections on 2018 and what risk managers need to know going into 2019.
With a new year comes new challenges as well as new opportunities for risk managers and cybersecurity professionals alike.
When it comes to cyber risks, 2018 was in many ways a year of transition with the introduction of new privacy legislation around the globe and renewed focus on compliance. Based on this, 2019 is unlikely to bring drastic change, but rather consolidation of recent trends across these four areas:
Back to basics
There has been a focus in recent years on exploring and implementing new and shiny technologies to combat niche cyber risks, and there is no shortage of new point solutions in the cybersecurity market. For the risk managers involved, these are far more stimulating and noteworthy than the day-to-day tasks of simply maintaining good technology hygiene.
This experimentation has, however, left some basics under-resourced, and in 2019 there will be a renewed push to forget the point solutions and focus on getting the basics in place first. Businesses should focus on identifying which systems require protection and which adversaries are most likely to target their systems. Once they know this, implementing the Australian Signals Directorate’s (ASD) Essential Eight will work to bring a baseline protection to their most valuable assets and information. The key takeaway should be that whilst AI and blockchain are fun distractions, it’s really only those that have the basics right that can afford to chase these shiny opportunities.
Increased focus on supply chain
As large enterprises have generally improved their cybersecurity defence capabilities over the last few years, attackers have increasingly turned their focus towards softer parts of the supply chain. Combined with the tendency of enterprises to outsource activities in the pursuit of efficiencies during the 21st century, this has greatly increased the risk of a supply chain cybersecurity incident. Regulators are also starting to take notice of this risk, with APRA recently releasing the new Prudential Standard CPS 234, which forces businesses to take ownership of their supplier risks.
Risk managers should be focussed not just on assessing their supply chain partners and identifying where they need to improve their security, but also on renegotiating contracts so that they adequately address the associated risks. Legacy contracts with third party suppliers often do not mention cybersecurity at all, so it’s vital these be updated alongside conducting assessments.
Shift to cloud
It’s hard to find software vendors that aren’t switching to cloud-based products (e.g. MYOB), and non-cloud oriented developers are getting harder to find as a result. This means businesses will increasingly be forced to adopt cloud solutions or risk being left behind, changing the risk exposure of their environment in the process. Keeping an eye on your changing risk posture will be a challenge, but with it come great opportunities for increased efficiencies if managed well.
To stay on top of this, risk managers should make sure they consider risk scenarios that cover availability and integrity, not just confidentiality. There are countless examples of misconfigured cloud solutions leading to the wrong people gaining access to systems, and relying on continuous internet connectivity for basic services also presents new risks that need to be anticipated in disaster recovery plans.
2018 saw the introduction of mandatory data breach notification legislation here in Australia and elsewhere around the globe (e.g. GDPR), but to date we haven’t seen the Office of the Australian Information Commissioner (OAIC) come down particularly hard on any of those who have suffered a breach. This soft approach can only last so long, and businesses should be working hard to ensure they comply with the laws so they don’t find themselves being made an example of when teeth are added to the legislation.
By knowing where you store personally identifiable information (PII), protecting those systems, and writing and testing your response plan, risk managers can ensure they are positioned well in the event they still find themselves the centre of a data breach.