{"id":50875,"date":"2019-09-27T13:56:53","date_gmt":"2019-09-27T03:56:53","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=50875"},"modified":"2019-09-28T04:44:03","modified_gmt":"2019-09-27T18:44:03","slug":"cybersecurity-strategy-should-focus-on-corporate-australia","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/cybersecurity-strategy-should-focus-on-corporate-australia\/","title":{"rendered":"Cybersecurity strategy should focus on corporate Australia"},"content":{"rendered":"

The Australian government is developing the next cybersecurity strategy to protect Australians from cyber threats. The current version was launched in 2016 and, while novel for its day, was largely underfunded given the task ahead. It\u2019s now time to learn the lessons from that experience.<\/p>\n

Every organisation uses technology\u2014in service delivery, product development, manufacturing and a multitude of other instances. However, many organisations don\u2019t fully appreciate how tech-heavy they actually are. One of the cybersecurity sector\u2019s biggest issues is to get organisations to undertake basic risk management processes and develop an understanding of what technology means to them. It is there that the next strategy should focus. Getting corporate Australia to take ownership of detecting and deterring cyber attackers targeting their organisations is where the rubber needs to hit the road.<\/p>\n

There are many aspects of the online environment affecting Australian governments, the private sector, non-profits and individuals that could be covered in the 2020 strategy. However, it should focus on doing a few things very well. One of these is to get corporate Australia to do the simple things first, and that starts with understanding the cyber risk and taking a strategic view.<\/p>\n

The constant rise in ransomware attacks, phishing attacks, and compromises of business email systems is a clear indicator that the corporate sector needs help\u2014Australian businesses reported more than 5,800 such scams in 2018, a 53% increase compared with the previous year. The government should put its resources into assisting Australian businesses to harden themselves against being targeted, with the view to other jurisdictions becoming the \u2018low-hanging fruit\u2019 for international cyber criminals.<\/p>\n

Fortunately, we have the opportunity for a running start. The most recent version of the Australian government information security manual, released earlier this month, uses a risk management framework based on the guidance issued by the US National Institute of Standards and Technology. The manual focuses on implementing cybersecurity principles in a maturity model\u2014a concept that relies on continuous improvement to obtain a desired state.<\/p>\n

Too often, organisations see cybersecurity as binary, with a focus on achieving compliance with a particular standard or framework. The next strategy should focus on providing resources (and by that I mean holding their hands) for corporate Australia to implement the recommendations in the information security manual that are relevant to their business requirements and to their sector (with guidance from the appropriate regulatory authority for that sector).<\/p>\n

A good first step is to determine the organisation\u2019s risk appetite and level of risk tolerance. Without this strategic overview it\u2019s hard to put meaningful resources into tactical and technical cybersecurity measures. Cyber risk should be a category assessed by a company\u2019s risk and audit committee just like all other risks, and the relationships between risks should be recognised. Responsibility for managing cyber risks should be clearly defined, and reporting should be done through a chief risk officer, not the chief information officer role that many organisations opt to assign it to.<\/p>\n

As the Australian Institute of Company Directors suggests, organisations should establish a formal process to ensure cyber risk is regularly monitored and reviewed, so that it remains relevant to the company\u2019s needs and reflects current regulatory requirements and risk committee best practice.<\/p>\n

An important input to the risk management process will be resources to help organisations defend their staff and networks through \u2018blue teaming\u2019, which aims to identify malicious tactics, techniques and procedures and execute response strategies for them. This needs to be a combination of technical capabilities, such as intrusion-detection systems, and human capabilities, such as analysing intelligence. While it\u2019s important to conduct penetration testing, putting too much focus on \u2018red teaming\u2019 to imitate attacks against an organisation is not the answer.<\/p>\n

The 2020 cybersecurity strategy shouldn\u2019t seek to boil the ocean. Ransomware, phishing and business email compromises are remarkably untechnical cyberattacks, yet pose the greatest issue for Australian businesses. Creating and providing resources to make Australian organisations resilient to cyber threats will be key to success.<\/p>\n","protected":false},"excerpt":{"rendered":"

","protected":false},"author":1022,"featured_media":50878,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[1],"tags":[17,2138,484,35],"yoast_head_json":{"title":"Cybersecurity strategy should focus on corporate Australia | The Strategist","author":"Nigel Phair","article_published_time":"2019-09-27T03:56:53+00:00","article_modified_time":"2019-09-27T18:44:03+00:00"}}