Building an Effective Cyber Security Plan
Building an effective cyber security strategy is no longer optional for medium to large businesses in today’s digital world. Businesses face an increasing threat to their systems, their data and criminal behaviour. Australian companies face not just local threats but a global spectrum of cyber risks, including data breaches, malware, ransomware, and phishing attacks. A well-developed cyber security strategy protects sensitive data, ensures compliance with regulations, and maintains the trust of customers and stakeholders.
The threat landscape in Australia means all business are targets for a variety of cyberattacks, ranging from ransomware and phishing to sophisticated supply chain breaches. According to the Australian Cyber Security Centre (ACSC), cyber incidents have been on the rise, with a reported increase in ransomware attacks targeting Australian businesses. This surge underscores the need for organisations to be proactive in defending their digital assets. Given the rapid evolution of cyber threats, relying solely on basic security measures is no longer sufficient.
Cyberattacks on Australian businesses have significantly increased in frequency and severity over the past five years. In 2023, nearly 94,000 cybercrime incidents were reported, reflecting a 23% increase from the previous year. This marked a consistent rise in cyber threats over the last five years, with an increasing number of businesses across various sectors being targeted. The most commonly targeted sectors in 2024 include Tech/IT, Industry/Energy/Utilities, and Healthcare, with data breaches and ransomware attacks being the predominant forms of cyberattacks. In the first nine months of 2024, there were 63 significant data breaches and 45 ransomware incidents reported. This rise reflects both the increasing sophistication of cybercriminals and the expanding attack surface due to digital transformation.
This post discusses some critical aspects of developing an effective cyber security strategy. We will look at password requirements, zero-trust policies, incident response plans, and adherence to Australian cyber security regulations. Ultimately, the complexity of implementing a comprehensive strategy means that engaging a professional cyber security service can be invaluable in ensuring a robust security posture. Many businesses who believe they have effective systems in place are continuing to make these common mistakes or have instances where non-technically minded employees or employees who fail to understand the ramifications of non-adherence fall outside best practice.
Passwords are often the first line of defence against unauthorised access. Unfortunately, weak or reused passwords remain a common vulnerability for many businesses. A strong password policy is fundamental in securing user accounts and sensitive data. It is critical for organisations to have policies and the technical systems in place to enforce the following best practices;
- Complexity: Encourage the use of complex passwords, combining uppercase and lowercase letters, numbers, and special characters.
- Length: Passwords should be at least 12 to 16 characters long. Longer passwords significantly reduce the risk of brute-force attacks.
- Avoid Reuse: Implement policies that prevent the reuse of old passwords. Regularly changing passwords can help mitigate the risk of credentials being compromised.
- Multi-Factor Authentication (MFA): To enhance security, MFA should be enforced across all critical systems. MFA requires users to provide two or more verification factors, making it more difficult for attackers to gain access with just a password.
- Password Management Software: Expecting employees to correctly remember longer that do not include common names or predictable text without accompanying storage software will lead to other poor practices, such as, plan text storage and handwritten notes. Establishing and enforcing the use of password management software, with the correct training, will mitigate these potential exposures.
While password policies are vital, managing them effectively can be challenging. Businesses with multiple departments, users, and access levels may find it hard to enforce and monitor password policies without proper tools. This is where a cyber security professional expert can assist by implementing centralised identity and access management (IAM) solutions to automate and enforce password policies.
The prevalence of work from home and hybrid work arrangements means the traditional approach of securing the perimeter is no longer sufficient. The rise of remote work, cloud services, and BYOD (Bring Your Own Device) policies has blurred the lines of corporate boundaries. As a result, adopting a zero-trust security model has become essential.
Zero trust is a security framework based on the principle of “never trust, always verify.” Under this model, all users, devices, and applications are treated as potential threats, regardless of whether they originate from inside or outside the organisation. Access to resources is granted based on strict verification and continual monitoring, minimising the risk of insider threats and lateral movement within the network. The fundamental tenants of a zero trust framework can be defined as;
- Identity Verification: Before granting access, verify the identity of users through multifactor authentication, biometric verification, and other methods. Utilise multipoint and or multi-device verification processes to harden the security position.
- Least Privilege Access: Limit user access to only the resources necessary for their role. This minimises the potential damage if an account is compromised.
- Network Segmentation: Divide the network into smaller, isolated segments to prevent the spread of threats. Even if one segment is compromised, it limits the attacker’s access to other parts of the network.
- Continuous Monitoring: Continuously monitor user activity and network traffic for unusual behaviour. Advanced threat detection solutions can alert administrators to potential threats in real time.
Implementing a zero-trust policy requires a comprehensive understanding of an organisation’s infrastructure and assets. It involves reassessing existing network architecture, deploying new technologies, and changing organisational culture around security. Expertise and specialisation in cyber security is critical to tailor and implement a zero-trust model effectively, ensuring a seamless integration with business operations.
Despite the best preventive measures, cyber incidents can still occur. Therefore, having a robust incident response plan (IRP) is essential to minimise damage and recover quickly from an attack. An IRP outlines the steps an organisation should take to identify, contain, eradicate, and recover from a cyber incident. The key elements of an effective incident response plan (IRP) are;
- Preparation: Develop an incident response team and provide regular training to ensure readiness. Define the roles and responsibilities of each team member and establish communication protocols.
- Identification: Implement monitoring tools to detect potential security incidents. Quick identification is crucial to minimising the impact of an attack.
- Containment: Once an incident is detected, contain the threat to prevent it from spreading. This may involve isolating affected systems, restricting network access, or shutting down compromised services.
- Eradication: Remove the threat from the environment by applying patches, updating configurations, and removing malicious software. Conduct a thorough investigation to identify the root cause and address any security gaps.
- Recovery: Restore affected systems and services to normal operation. Ensure that backups are clean and that all systems are secured before bringing them back online.
- Lessons Learned: Conduct a post-incident review to evaluate the effectiveness of the response. Use this information to improve the incident response plan and prevent similar incidents in the future.
Similar to building a zero trust strategy, a tailored incident response plan requires an in-depth understanding of the organisation’s assets, processes, and potential threat landscape.
Organisations have other cyber security considerations beyond protecting their IP, systems, data and customer records. Australian businesses are subject to a range of cyber security regulations, including the Privacy Act 1988 and the Australian Privacy Principles (APPs). The Notifiable Data Breaches (NDB) scheme requires organisations to report data breaches that are likely to result in serious harm to individuals. Furthermore, the Australian Government has published guidelines such as the ACSC’s “Essential Eight,” which provides strategies to mitigate cyber security risks.
A robust cyber security strategy must align with these regulations and guidelines to ensure legal compliance and safeguard customer trust. Failure to comply can result in hefty fines, legal ramifications, and reputational damage. It is critical to ensure the right support and expertise is available and included when building and or reviewing an organisational cyber security strategy. Expert oversight could mean the difference between regulatory compliance and non-compliance, or presenting an incomplete security posture.
By focusing on key aspects such as password requirements, zero-trust policies, and incident response plans, organisations can build a robust defence against cyber threats. The complexity and evolving nature of cyber security make it challenging to implement and maintain a comprehensive and relevant, up-to-date strategy in-house.
If your business is ready to take the next step in building a comprehensive cyber security strategy, consulting with a professional cyber security service will provide the expert guidance and support needed to provide the peace of mind and ensure the security of your organisation’s digital assets.
Data Sources:
- https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023
- https://www.cybernode.au/blogs/insights-from-cyber-attacks-on-australian-businesses-in-2024/
- https://www.aon.com/australia/newsroom-2024/cyber-attacks-top-business-risk-australia