Cyber Resilience Assessment Report

Statistics related to Cyber Resilience

Discuss about the Cyber Resilience Assessment Report.

The government of Australia mainly focuses on transforming the country from its dependency on the resource sector to a new economy which is service led and rely on the intellectual capital. Therefore, Australian organizations increase their investments in digital technologies. With the increasing trend of digital economy, risk related to cyber-attack is also increased and it runs through every part of the organization. It is not possible for the company to win its digital battle if organizations of the country are not cyber resilient.

A free and open internet is considered as critical factor in driving the digital economy. Open internet introduce various new challenges for those organization which required protection from the new threat of the cyber-attack. Therefore, awareness related to the risk imposed by cyber-crime is increasing in the organizations of Australia. However, there are number of organizations which are not prepared for cyber-attack and some recent incidents such as Wanna Cry ransom ware attack put the focus of the government on effective IT security.

Dan Tehan, Australian Minister Assisting the Prime Minister of Australia on Cyber Security states that “cyber-crime can be considered as number one threat faced by the Australian organizations, and cost in the context of this issue is almost $ 1 billion in one year to the economy of Australia, and it is necessary for business organizations to be aware that this threat is evolving in the roots of business community.

Therefore, it becomes necessary for organization to be cyber resilience and cyber resilience means ability of organization to resist, react, and recover the cyber threats and also ensure environment in which organization can conduct their cyber operation in effective manner. Those organizations which are cyber resilient do not use traditional technologies and methodologies for avoiding cyber threats. For this purpose, organizations are transforming their capabilities through advanced technologies so that they use the information in better way and avoid cyber-crimes (North, 2017).

Various methods are used by the organizations for getting advantage over other organizations and cyber criminals. Cyber criminals are considered as those criminals who can use any situations such as natural disaster and temporary disruptions for achieving their goals.

It is necessary for organizations to become cyber resilient for achieving their long term goals and addressing the issues related to cyber threat. These attacks are not easy to handle and solutions for responding these attacks are not easy (EY, 2014). In this report importance of resilience is not described, but methods through which organizations can become resilient are described.

Handling cyber risk

Research Company IDC recently issued Maturity Scape Benchmark report in relation to IT security, and as per this report almost 60% of Australian businesses still working with basic approach towards the cyber-crime because of which they find themselves challenged if they become target of any cyber-attack. As per the analyst of IDC, corporate awareness has been strengthen because of the recent incidents, but still organizations of Australia lack in the context of IT security. She further stated that Australian organizations lack of internal skills which are required in the context of cyber security, because of which services related to IT security are not managed. As per the security experts government and private sector both play important role in improving the cyber security readiness (Grayson, 2017).

In 2016, Federal government introduce national cyber security strategy, which states 33 initiatives together worth $231 million and it was considered as positive move by the government. Executive of IBM security solutions, John Vine encourage the establishment of cyber security center, but he also states that it is necessary for organizations to play their role more seriously for meeting this challenge. In other words, it is very necessary for organizations to understand the event occurred in one organization so that they can prevent similar happening in their organization. It is necessary for us to learn from each other’s mistake so that we can improve our position in IT security.

Therefore, it becomes important for companies to understand that cyber security is not something which is only handled by IT department, because assigning the task related IT security to the team of technicians is not the actual solution of this problem. Almost 5 million peoples are affected by cyber-attacks in Australia, and this number is increasing with the passing days.

As per the survey conducted by Australian Cyber Security Centre’s, it is shown that 90% of the Australian organizations face some kind of cyber security issues during the period of 2015-16 financial years. Some high profile cyber-attacks attract the focus of government and organizations on cyber security such as hack of yahoo. This attack was considered as the most costly attacks. When announcement related to US $4.83 billion deal acquisition of the firm, was made by the Verizon then after that yahoo revealed that some years before it was become the target of massive cyber-attack which result in breach of privacy of more than 1 billion accounts. This result in reopening of the negotiations and lastly purchased price was dropped by the yahoo related to that deal by US $350 million.

Role of Board

Some Australian organizations recognize this threat and make investments in cyber resilience, but numbers of these organizations are very less. However, maximum organizations are there which put the cyber security on second preference (CERT, 2014).

It becomes important for the organization to understand the cyber eco system in their organization, so that they can manage the risk related to the cyber-attack. Approaches of organization towards the IT security is completely changed, and now organizations not only focus on their security but also address the issues related to the security of their stakeholders.

For this purpose, various steps are conducted by organizations and some of these steps are stated below:

• Mapping the relationships- as per this, organization analyzes and reviews its position in the cyber-system, and for analyzing their position organization considered its external and internal requirements. Organization must determine its crucial data and information which needs to be protected, and focus on the security of that information rather than protecting the complete information. Crucial information is the information which is necessary for the growth and survival of the business.
• Security limit- security limit must be stated by the organization, and as per this limit organization share its information with trusted organizations and authorities only. In other words, protocols and standards are stated under the security limit for the purpose of sharing the information with other organizations.
• Risk assessment- risk assessment in relation to cyber security must be conducted by the organization by analyzing the information assets, dependency of organization on other institutions, threats, etc. (ASIC, 2016; OECD, 2012).

Board of directors of the company are obliged to help the management in tackling the cyber risk, and for this purpose strategy can be framed by the board which provide broader view point. This responsibility is encouraged by the directors, and as per one report 90% of director’s states that their college considered the cyber risk on serious note (ASX, 2017).

It must be noted that board or any committee of the board is directly responsible for holding the management on this matter, and for this purpose it is necessary for board to understand and evaluate:

• Cyber risk which can be faced by the organization.
• Current risk tolerance power of the organization in the context of organization strategy.
• Considered risk management strategy which directly address these issues.
• Must implement the risk actions and recommendations made by the executive team in this context.
• Other actions which deal with the issue of cyber-crime.

For the purpose of becoming cyber resilient, it is necessary for the organization to develop such strategies which integrate cyber risk and focus on being cyber resilient. For making such strategies, organizations can consider different standards and methodologies which are introduced by the government of Australia.

Government of Australia initiated various processes through which cyber resilience activities of the organization are reviewed and updated by the department. However, these developed strategies mainly focus on the collaboration of different agencies and industries. Some of these strategies, plans, and methodologies are stated below:

• National plan for reducing crime- in 2013, government of Australia develop national plan for reducing the cyber-crime, and this plan states the commitments on the part of the commonwealth, state and territory governments for the purpose of increasing collaboration with each-other and addressing the threat of cyber-crime. Under this plan, almost 6 important areas are addressed by the government of Australia and government mainly focuses on these areas while framing their strategies. All these six areas are stated below:
• Education related to the cyber-crime must be provided to the community for ensuring the community’s protection.
• Government and agencies must collaborate with the industries for the purpose of solving this issue.
• Approach related to Intelligence led and information sharing is encouraged by the government.
• Efficiency and effectiveness of the agencies are increased and government mainly focuses on the area of law enforcement.
• Government must focus on the matters of cyber-crime, and address these issues at international level.
• Government must develop framework related to criminal justice.
• ACORN- Australian government develop ACORN at national level in the year 2014, and it is considered as the online system which provide secure way to the general public and organizations for reporting the issues related to cyber-crime. National plan considered this system important because it was designed for making the things simple in the context of reporting, and this system also recognizes the impact of cyber-crime on citizens of Australia.
• ACSC- ACSC was initiated by the government in the same year in which ACORN was introduced and that was in the year 2014. This window was introduced for the purpose of bring the law enforcement defense, and security capabilities related to the cyber security under the single window. It must be noted that ACSC ensures collaboration between different agencies. Following are the functions of ACSC:
• ACSC is authorized to resolve the issues related to the cyber security on behalf of the Australian government.
• It helps in developing the collaboration in relation to operations and capabilities between different agencies.
• ACSC is authorized to invest the matter related to the cyber-attack.
• Must conduct programs for encouraging the public and organizations to report the matter related to cyber security.
• Must publish reports on the extent of cyber threat.
• Awareness in terms of the cyber security must be raised by the government.

Above mentioned objectives can be achieved by the ACSC, by collaborate the functions and powers of various authorities stated below:

• ASD’s mission related to the cyber security.
• Team of national computer emergency response that is CERT.
• Members who represent the Australian Federal Police.
• For understanding the cyber threat intelligence, Australian crime commission.
• Person who conduct specialization under cyber investigations and telecommunication security, and member of the Security Intelligence Organization in Australia.
• Analysts from Defense Intelligence Organization and Defense Science and Technology Organization for analyzing the cyber threat (AISC, 2015; ASIC, 2016).
• NIST Cyber security Framework- this framework is developed by ASIC for the regulated population. This framework is relevant for the financial service providers which operate their business in a global environment. Generally, this framework is adopted by the critical infrastructure providers in the United States. It is considered as the global benchmark for the financial market.

NIST is supported by both the organizations that are American Bankers Association and the American Insurance Association. It enables the organization to apply existing methodologies and standards. This framework does not introduce any new standards and concepts, but instead of that it encourage existing methodologies and standards related to global security and IT governance (ASIC, 2016).

Some recommendations are stated below, and these recommendations are given after considering the laws of other countries. Board of directors of the company can adopt these principles for the purpose of holding their management in the terms of the cyber resilience. With the help of these recommendations, organizations can integrate cyber risk and resilience in their business strategy and ensures growth and profitability. Some of these principles are stated below which must be adopted by the board of directors for preventing cyber-attacks in their organization:

• It is the duty of the board of directors to ensure the oversight of cyber security.
• Education related to cyber security and cyber resilience must be provided to all the directors of the company.
• It is necessary to make one corporate officer accountable for the cyber security of the organization.
• Board of directors must conduct programs for updating the knowledge related to the cyber resilience.
• Risk assessment must be conducted by the board of directors on continues basis.
• Risk tolerance power must be described by the board.
• Management of the company must be held accountable in case of any breach of cyber security.
• Board of directors of the organization must encourage the inclusion of the stakeholders.
• Cyber resilience must be discussed in the annual report of the company.
• Plans related to cyber resilience must be reviewed by board on continuous basis.
• Review of the performance of the board in the context of cyber resilience must be conducted by board itself.

It is necessary for organization to consider these recommendations, and implement above stated principles in day to day activities of the board.

Conclusion:

After considering the above facts, it is clear that cyber resilience is very important for organizations to survive in this digital world. This report states the role of board and management in dealing with the issues of cyber resilience. In this report, various options are suggested which help the organization in dealing with cyber-crimes in more effective way.

References:

ASIC, (2015). Cyber resilience: Health check. Viewed at: https://download.asic.gov.au/media/3062900/rep429-published-19-march-2015-1.pdf. Accessed on 28^th August 2017.

ASIC, (2016).  Embedding cyber resilience within company culture. Viewed at: https://asic.gov.au/regulatory-resources/markets/resources-on-markets/markets-articles-by-asic/embedding-cyber-resilience-within-company-culture/. Accessed on 28^th August 2017.

ASIC, (2016). ASIC’S corporate plan 2015–16 to 2018–19. Viewed at: https://download.asic.gov.au/media/3338908/corporate-plan-2015_published-31-august-2015.pdf. Accessed on 28^th August 2017.

ASIC, (2016). Building resilience: The challenge of cyber risk. Viewed at: https://asic.gov.au/about-asic/media-centre/speeches/building-resilience-the-challenge-of-cyber-risk/. Accessed on 28^th August 2017.

ASIC, (2016). Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd. Viewed at: https://www.asic.gov.au/media/3563866/rep-468-published-7-march-2016.pdf?utm_source=report-468&utm_medium=landing-page&utm_campaign=pdfdownload. Accessed on 28^th August 2017.

ASX, (2017). Capturing the opportunities while managing the threats. viewed at: https://www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf?ecid=O~C~~~~asx-100-cyber-health-check-report~ASX~~201704~~. Accessed on 29^th August 2017.

CERT, (2014). National Cybersecurity Strategy. Viewed at: https://cert.gov.ng/images/uploads/NATIONAL_CYBESECURITY_STRATEGY.pdf. Accessed on 29^th August 2017.

EY, (2014). Achieving resilience in the cyber ecosystem. Viewed at: https://www.ey.com/Publication/vwLUAssets/cyber_ecosystem/$FILE/EY-Insights_on_GRC_Cyber_ecosystem.pdf. Accessed on 29^th August 2017.

Grayson, I. (2017). Cyber resilience. Viewed at: https://www.acs.org.au/content/dam/acs/acs-documents/ACS%20-%20Cyber%20Resilience%20Special%20Report%20-%2021.06.pdf. Accessed on 29^th August 2017.

North, J. (2017). Cyber Resilience: The Role of the General Counsel. Viewed at: https://www.corrs.com.au/thinking/insights/cyber-resilience-the-role-of-the-general-counsel/. Accessed on 29^th August 2017.

OECD, (2012). Cyber security policy making At a turning point. Viewed at: https://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf. Accessed on 28^th August 2017.

WEF, (2017). Advancing Cyber Resilience Principles and Tools for Boards. Viewed at: https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf. Accessed on 29^th August 2017.