Who is monitoring the monitors?
Paul Nielsen
I help SMEs with up to $50M turnover, using my 46 years of engagement with business and NFPs, by providing strategies, advice and execution to maximise growth and create sustainability, profitability and seamless succession.
Ever since cybersecurity burst onto the radar of small to medium businesses (SMEs) in 2015, with the revelation that organised crime gangs and state-sponsored attackers were using the dark web, cryptocurrencies and blockchain to ply their craft, SMEs have been struggling to come to terms with the impact it will have on their businesses.
If your organisation is struggling to make sense of it, you are not alone.
Cybercrime continues to evolve and now presents as a major 'industry sector' in its own right, just like 'transportation' or 'hospitality'. Unlike those sectors, however, it is international criminal activity, and it is not going away. Industry forecasts predict it will rip US$6 trillion out of the world's economies by 2023, and the low-hanging fruit are SME businesses worldwide.
Malicious hacking for profit has grown so quickly over the past 4-5 years that it seems to 'grow another face' every week. That rapid escalation has overwhelmed many business owners, with the predictable reaction that they throw their hands in the air, convince themselves it will only happen to someone else, and stick their heads in the sand waiting for it to go away.
In its totality, cybersecurity IS such a BIG issue that it's hard for SMEs to know where to start. Confusion in the marketplace is fostered by hardware and software vendors scrambling for a piece of the action by launching new 'tech tools', and by the vacuum created by the critical shortage of formally trained cybersecurity personnel.
Many SME owners who have not 'grown up' with computers, understandably, don't understand (and don't want to understand) the whole cyber 'thing'. They just want to pass the buck to someone else to manage cybersecurity so they don't have to think about it.
Governments around the world see cybercrime as a sovereign risk to their societies and their economies, and turn to the only lever they have: regulation and legislation.
Many governments and government departments now require that companies in their supply chain prove they meet essential cybersecurity standards before they will purchase goods or services from them. This is now filtering through to large companies, and so on down the supply chain to the SME sector.
Many don't know where to start. Think of it like the wall of a mighty dam: where are the cracks in your wall, both on the inside and the outside, and how do you plug them?
Right now you could be thinking, "I'm OK, I've got a great IT/MSP team looking after my cybersecurity." That's great, but who is monitoring the monitors? With such a critical issue you need a certified audit, completed by an independent third party, to validate your status. Cyber risk is about much more than IT infrastructure.
It is essential to look at your overall cyber risk from a holistic viewpoint, in the same way a doctor looks at your body when you book in for a full health check. They don't just take your blood pressure, temperature and pulse, do a quick physical and send you home; they order blood and urine tests, X-rays, ultrasound, lung function and cardiac tests, check your mental state and medication, and run many more tests to determine your overall health and wellbeing.
To be validated as 'independent', a cybersecurity audit report must be completed by an organisation that is unrelated to the client and has credibility in the space (preferably by registration with a licensing authority). The investigation and report should look at the whole-of-business risk, not just the IT risk. In 2020, IT risk is only one part of cybersecurity risk.
The 4 Pillars of Cyber Security Risk that need addressing are:
- Operational Risk
- Legal Risk (local, state, federal and international)
- Reputation Risk, and
- Recovery Risk
The risk most companies and IT departments focus on is Operational Risk, and whilst this is an important component of overall risk, it's not the only area of risk that can bring your organisation down.
In addition to the Operational Risks (the 'IT' stuff), ask yourself these questions:
- What is my legal exposure if a client/customer of mine gets hacked and suffers a loss due to my organisation's negligence?
- Do I have proof that my organisation, or the organisation that manages our cybersecurity, complies fully with the 'Essential 8'?**
- Have any of my employees been guilty of stealing information/data from previous employers?
- Is the cyber insurance policy I took out 3 years ago 'fit for purpose' today?
- Can I prove that my organisation is in complete compliance with the Companies Code and other crossover legislation?
- If my organisation is not compliant, or cannot demonstrate compliance with evidence, will it be worth more or less if I need a valuation or want to sell?
**The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), publishes the 'Essential 8': a prioritised list of eight mitigation strategies that organisations can implement to protect their systems against a range of adversaries. ASD found that its original 'Top 4' of these strategies, when implemented effectively, mitigated at least 85% of the targeted cyber intrusions it responded to; the Essential 8 extends those four and is now in place across many government organisations. Note that the Essential 8 was designed for Microsoft Windows-based, internet-connected networks, so an audit should check how each strategy has been applied to the other platforms an organisation actually runs.
A comprehensive, certified, independent third-party cybersecurity audit of the 4 Pillars of Cyber Security is the first step towards transparency for suppliers, customers and regulators, and will move your organisation one step closer to becoming truly cyber resilient.
Paul Nielsen is Managing Director of Avantia Corporate Services Pty Ltd and lead for the company's Cyber Security division, based in Brisbane, Australia. Paul is a 2018 graduate of the Harvard University Office of the Vice Provost for Advances in Learning program 'Cyber Risk in the Information Age'. His team of IT technicians, lawyers, social media auditors, insurance executives and cyber risk experts provides independent cybersecurity audits with detailed audit reports and recommendations for remediation. He can be contacted on +61 7 30109711 or at [email protected]. More on cyber audits: www.avantiacybersecurity.com