Better prepared: Effective security planning
Head of Security Services at Telstra BTS, Stuart Low, shares his thoughts on the state of Australian security preparation.
Find out more about how we can test the effectiveness of your security preparations with our Cyber Security Health Check.
Driven by new legislation, headline-grabbing data breaches and explosive malware attacks including NotPetya and WannaCry, research for the Telstra Security Report 2018 found that Australian businesses are undertaking more security preparation programs than ever before.
In previous years, we found that most Australian organisations were undertaking regular security auditing but put less emphasis on other forms of preparation, such as creating data inventories, running internal risk assessments and holding security drills. This year, however, our survey of more than 1,250 security professionals revealed that Australian businesses are no longer conducting security audits alone: most are implementing a much broader array of preparation programs.
This isn’t just because they’re concerned about business interruption or data breaches, however. Organisations are increasingly aware that projects without security built in from the outset have a much higher chance of not running to schedule or even being discontinued altogether.
The security landscape is becoming more complex with legislation like the Notifiable Data Breaches scheme, the rise of convergence and new, more targeted threats. It’s become increasingly common that if you don’t take the time to get security right from the start, you might not have the ability to effectively address that issue further down the track.
As in previous years, the Telstra Security Report 2018 found that security audits remain the most common cyber security preparedness programs undertaken by Australian businesses, with 38% of respondents undertaking an audit in the past year.
“While the report proves the enduring importance of security audits, as everyone knows, they only provide you with a point in time of your security posture,” says Stuart Low, Head of Security in the Business Technology Services team at Telstra.
“The problem is that organisations are continually changing, they are taking on new services, so you have to have a programme in place to be able to analyse those services that you're taking on. A continuous programme will help to underpin that.”
Alongside changing environments, the report found that keeping a plan up to date with today’s rapidly changing security environment is a top challenge for security professionals, with 67% of Australian businesses estimating that as many as 55% of their breaches go undetected.
Companies which conduct regular drills, rehearse their incident response plan and invest in red teaming to test their preparations perform better on average against new threats.
“We find that red teaming helps businesses to expect the unexpected and go through a number of scenarios,” Low says. “The red team can produce the unexpected and then see how an organisation can actually respond to that.”
In addition to highlighting previously unforeseen attack vectors, red teaming can also be an effective way to gauge the preparedness of the overall company – particularly against Business Email Compromise, the most common attack experienced by Australian businesses last year.
“We're able to set up phishing schemes, where we craft emails to impersonate a trusted source and then we're able to provide statistics to an organisation ongoing of how many people have clicked through, and what the uptake is,” says Low. “Over time, you can then start to see a pattern of how awareness training is helping your organisation.”
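The measurement Low describes, click-through and reporting rates per simulated phishing campaign and the trend across campaigns, can be computed from a simulation platform's event export. The following is an added example, not Telstra's tooling or any real campaign data: the event tuples, user names and campaign dates are constructed for illustration, and the event vocabulary ("sent", "clicked", "reported") is an assumption about what such an export would contain.

```python
from collections import defaultdict

# Constructed sample events (not real data): (campaign_date, user, event).
# A simulation platform would export something similar; the names, dates
# and the "sent"/"clicked"/"reported" vocabulary are assumptions here.
SAMPLE_EVENTS = [
    ("2018-01-15", "alice", "sent"),
    ("2018-01-15", "bob", "sent"),
    ("2018-01-15", "carol", "sent"),
    ("2018-01-15", "dave", "sent"),
    ("2018-01-15", "erin", "sent"),
    ("2018-01-15", "alice", "clicked"),
    ("2018-01-15", "alice", "clicked"),   # duplicate click; counted once
    ("2018-01-15", "bob", "clicked"),
    ("2018-01-15", "carol", "clicked"),
    ("2018-01-15", "dave", "reported"),
    ("2018-04-15", "alice", "sent"),
    ("2018-04-15", "bob", "sent"),
    ("2018-04-15", "carol", "sent"),
    ("2018-04-15", "dave", "sent"),
    ("2018-04-15", "erin", "sent"),
    ("2018-04-15", "alice", "clicked"),
    ("2018-04-15", "bob", "reported"),
    ("2018-04-15", "dave", "reported"),
    ("2018-04-15", "erin", "reported"),
]


def campaign_metrics(events):
    """Per-campaign counts and rates, keyed by campaign date.

    Users are counted once per campaign regardless of how many times they
    click, and only users who were actually sent the lure are counted, so a
    stray event for an untargeted address cannot inflate the rate.
    """
    per = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for day, user, ev in events:
        if ev not in per[day]:
            raise ValueError(f"unknown event type {ev!r}")
        per[day][ev].add(user)
    out = {}
    for day in sorted(per):
        sent = per[day]["sent"]
        clicked = per[day]["clicked"] & sent
        reported = per[day]["reported"] & sent
        n = len(sent)
        out[day] = {
            "sent": n,
            "clicked": len(clicked),
            "reported": len(reported),
            "click_rate": len(clicked) / n if n else 0.0,
            "report_rate": len(reported) / n if n else 0.0,
        }
    return out


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns.

    These are the people awareness training has not yet reached, which is
    more useful to a security team than the aggregate rate alone.
    """
    by_user = defaultdict(set)
    for day, user, ev in events:
        if ev == "clicked":
            by_user[user].add(day)
    return sorted(u for u, days in by_user.items() if len(days) >= min_campaigns)


def click_rate_trend(metrics):
    """Chronological (date, click_rate) pairs and whether the rate fell every campaign."""
    days = sorted(metrics)
    rates = [metrics[d]["click_rate"] for d in days]
    improving = all(later < earlier for earlier, later in zip(rates, rates[1:]))
    return list(zip(days, rates)), improving


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for day, stats in m.items():
        print(day, stats)
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
    print("trend:", click_rate_trend(m))
```

A falling click rate alongside a rising report rate is the pattern the awareness programme is meant to produce; the repeat-clicker list is where targeted follow-up goes.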
As they improve their preparedness over the next 12 months, organisations will also need to identify opportunities to address multiple overlapping compliance regimes at once and to increase the efficiency of their plan rehearsals.