Implementing Cyber Security

Technical updates (such as patches and using MFA authentication) will make it difficult for cyber criminals to successfully attack a business. However, unless cyber security policy is followed by staff there will be gaps opened in a business’ cyber security.

To ensure that cyber security is adhered to, a cyber security manager must:

• Provide regular awareness training to all staff
• Communicate in cyber security
• Compliance check to ensure that staff are working within the policy guidelines

We will look at these three components now.

Provide Regular Awareness Training to all Staff

It is typical in a business that when new staff join the workforce, they are inducted. The induction provides the new staff member with all the information they need as background on their new role. Included in the induction will be a briefing on cyber security.

While an induction is typical, ongoing activity to keep staff aware of cyber security issues may not be. It is critical to a business’ cyber threat protection that staff are refreshed on their cyber security responsibilities.

A strategy to provide awareness training is a critical component of any business’ cyber security framework. Training can be formal (such as in an e-learning system or from a circulated PowerPoint) or informal (such as using an email to advise staff of emerging threats).

A simple communication, such as an email, may be sufficient to refresh staff understanding. Various techniques can be explored to provide awareness training. Consider your workplace and select techniques that suit your environment. Some examples are as follows:

• Schedule regular time efficient training to ensure staff remain focused.
• Provide regular (weekly) short emails updating staff on emerging threats so they have current knowledge. Case studies and examples from the business community on cyber-crime activity is also valuable. Any weekly email should be concise and contain interesting information that grabs the attention of readers. By its nature, cyber security is interesting to people. Using stories of hacking activity to highlight the dangers will lift cyber security awareness in a business.
• In cases where training is needed to respond to a high-level threat, custom formal training is required with follow-up communications. If the threat needs to be acted on quickly, do not wait for formal training to be developed. Emailing and meeting staff in person should be considered as an ASAP approach. This will be an uncommon occurrence and such a reaction is typical of a response to a Zero Day threat.

Always ensure that training keeps a record of participants to provide a registry of when the last training on a particular topic was covered. Refer to this registry to schedule refresher courses.

Work with training managers in the business and team managers. In this way:

• training (formal and informal) will be informed by training experts
• cyber security training is part of an overall training schedule. In a typical company, there are numerous training requirements that are ongoing. Cyber security training should be scheduled to avoid date conflicts and loading staff up with too much training at any given time.

Communicate Changes in Cyber Security 

Communicating changes appropriately is critical to gathering the support of staff and ensuring that changes are adopted.

When implementing any workplace cyber security changes, a clear procedure should be written and circulated. To ensure that staff are aware of the proposed changes:

• liaise with the managers of teams affected by the cyber security changes early and gather their input to ensure minimal disruption.
• provide managers with a draft procedure that is simple to follow and is concise. Gather their input to ensure the procedure uses appropriate text.
• discuss with managers the communication requirements. Is it sufficient to send an email with the new security requirements included? Should the manager meet with staff? Is specific training needed?

Changes in cyber security requirements occur when:

• the business changes their business workflow or the digital assets they use
• cyber threats emerge requiring changes in workplace behaviours
• gaps are identified in cyber security that the business decides must be closed. 

Compliance Checks

Cyber security managers have a key role in ensuring that cyber security compliance is maintained across a business. Compliance checks are conducted to correct behaviour that is outside expected cyber-safe norms by:

• informally observing practices in the workplace that are non-compliant with expected cyber safe behaviours.
• formally conducting reviews in a business using a specific compliance checklist. A checklist can assess processes undertaken and ensure that staff are working within a business’ cyber security policy.
• Audit applications and networks to ensure technical requirements for cyber security are being met.

When a comprehensive technical, formal and informal compliance check is conducted across a business or business team, this is called a cyber security audit. Sometimes audits are conducted by external companies to ensure objectivity.

Watch 

Learn more about the scope of a cyber security audit. Watch the video below:

In the cases where a compliance check finds non-compliance, a cyber security manager should act as follows:

• Seek to address the non-compliance with the relevant areas of management where it occurs. Depending on the co-operation provided, senior management outside the area in question may not need to be informed. Escalation in the event of non-compliance occurs when the non-compliant staff or management do not act in a timely way to correct the non-compliance.
• Depending on the severity of the non-compliance and the risk it presents, the action taken should reflect the potential risk that it exposes the business to. For example, staff storing company data including personal details on unauthorised external storage (such as google docs), exposes a business and, in many cases, contravenes the Privacy Act. In this case, immediate action should be taken to delete the data, provide direction to all staff on data storage practices (many companies rely on secure cloud-based storage), and consider if a data breach has occurred.

Compare the example above to some staff attempting to browse non-business websites. In this case, the staff were unable to access the non-business websites as the firewall allows only a limited number of websites to be accessed. In effect, staff were non-compliant, however the risk to the business was mitigated. In this case, an informal email will be sufficient to reinforce the policy to the staff in question, along with continued monitoring (see next page for monitoring techniques).

The requirement that all staff comply with a business’ cyber security policy must be a condition of employment and policy should exist describing:

• The role of a cyber security manager in compliance
• The steps a cyber security manager can take in cases of non-compliance

The Importance of Feedback

Communication is not one way traffic. Cyber security in a business is enhanced when staff and other knowledgeable parties (contractors, external clients, and security experts) provide input that:

• enhances cyber safety in a business
• identifies risks and non-compliance with policy

Cyber security managers should take any opportunity to discuss and consult with other people in the field of cyber security. Cyber security in any business addresses the same problem – attempts by internal or external agents to commit cyber-crime. Cyber security managers should consider networking with cyber security online forums (such as on LinkedIn), subscribing to active and topical news groups (the ASCS offers free memberships to Australian business that allows for access to topical education and information) and consider undertaking penetration testing.

Penetration testing is typically undertaken by external third parties who are paid to ‘attack’ a business’ cyber defences. The concept is that by attempting the latest and most common attacks, a business can be advised if they have gaps that require closing. In effect, a penetration test report identifies weaknesses (physical, technical and workplace driven) that the business finds before hackers can exploit them.

Feedback Channels

Cyber security managers should always put in place a way for employees and other parties to inform them of breaches in security, gaps, and non-compliance with cyber security policy. This typically takes the form of an email and phone number that is published to allow information to be provided to the cyber security manager. Importantly, it should be possible for the information to be provided anonymously and that it should be treated as confidential. In Australia, information dealing with cyber-crime and the person making the report are protected by the Enhanced Whistleblower Protections Act of 2019 for companies with greater than 25 million dollars in revenue per year, or otherwise 50 million dollars in assets.

Activity 1

Monitoring of cyber security in a business takes two forms:

• Monitoring the effectiveness of cyber security in protecting a business
• Monitoring emerging risks.

Collectively, both types of monitoring provide insight to improve cyber security. We will now examine these two formats.

Monitoring the Effectiveness of Cyber Security in Protecting a Business

If a business indicates it has never been the subject of a cyber-attack does this mean the business has an effective cyber security approach? It may be that the business:

• has been lucky
• does not have a risk profile making it attractive to hackers
• has been the subject of numerous attacks and but has sufficient cyber security to stop simple cyber-attacks
• has inadequate monitoring and reporting and is unaware there have been cyber-crime attempts.

A less happy possibility is that the business has been the subject of attacks and they have been successful. The business is unaware the attacks have been made.

Unless a business monitors activity on its digital platforms (devices, software, workflow), the effectiveness of cyber security cannot be measured. The term ‘effective’ means more than just recording that a hacking attempt was stopped at a business’ network boundary. Businesses with effective cyber security have:

• staff that comprehend and work within cyber security policy
• systems that pass penetration tests and vulnerability scans
• the appropriate levels of software to reduce exploitable software bugs
• cyber-attack detection software that is tested and records attempts to ‘hack’ a business’ system
• physical security and staff monitoring in place and uses malware detection. 

Let’s now consider how the four points above can be monitored.

Staff that Comprehend and Work Within Cyber Security Policy

The results of training, compliance audits and checks speak to the cyber security awareness of staff in a business. A cyber security manager can look to the results of such evaluations to identify the preparedness of staff to resist cyber-crime.

When deficiencies are detected in staff behaviour and comprehension, aside from correcting the issue, the root cause of the lack of awareness should be identified. Is the method of training inadequate? Does policy reflect the reality of the workplace? – it may be that staff simply cannot work the way policy requires. By addressing the root cause, there may be a remedy that can be applied broadly across the business to improve cyber security.

Systems That Pass Penetration Tests and Vulnerability Scans

As we have discussed, penetration tests provide reporting to assess the ready status of a business’ digital systems to resist cyber-attack. A further method is to run software that is called a vulnerability scan (VS). A VS is software that can be directed to check network, system, and digital devices to ensure that these resources are using software versions that do not contain known exploits – bugs that when exploited allow hackers to access a computer network illegally.

Both penetration tests and vulnerability scans provide monitoring, but not in real time – these methods are not running all the time and checking for cyber security issues. Run regularly, they provide a business with a valuable way to gather information on what technical steps should be taken.

Cyber-Attack Detection Software That Records Attempts to ‘Hack’ a Business’ System

Detection software is real time and runs in the background on the servers and other devices across a business’ network.

The software provides monitoring of activity and is designed to trigger reporting to cyber security management and can be in some cases, instructed on the steps to take to stop a cyber-attack.

This software is sometimes called Intrusion Detection and Intrusion Prevention Software (IDPS).

Sophisticated hacking techniques are designed to break into a business. In some ways, a hacking attempt can be compared to cracking open a safe. Consequently, IDPS software is complex and operates on various levels:

• On a business’ network to identify unusual traffic or data traffic with a ‘fingerprint’ that indicates a hacking attempt
• On a business’ applications to look for unusual requests for services such as large data copy request and amendments to databases from suspicious sources.

Any activity on a business’ digital platform creates a log entry. A log is a file that lists all the changes, access requests and any read/write activity. A business will have multiple logs being written to at any one time: the network router receives a request and writes a log entry that a certain IP address attempted to access the network. The database writes to its log file that a user changed the address details for a client.

By reviewing all these log files, a cyber security manager could trace and find unusual activity. But this will be after the fact. Using an IDPS provides real time monitoring and protection that acts in the moment.

The CIS framework refers to IDPS software as a requirement for threat Level 3 (IG3 highest level) businesses – in effect, businesses that have a risk profile that warrants more investment in cyber security.

The NIST framework in the Detect set of activities identifies that first: a baseline of typical/expected activities on a business’ system are identified, then abnormalities can be identified using network monitoring (DE.AE-1,2,3,4,5 and DE.CM.1).

Note: Detect is one of five types of activity the NIST framework identifies – Identify, Protect, Detect, Respond and Recover in that order.

Has Physical Security and Staff Monitoring in Place and Uses Malware Detection

• Physical devices such as data centres or server rooms require physical security to ensure that only authorised personnel are allowed access. DEF of expensive computer equipment is as much a cyber attack as any other form of cyber crime.Theft of expensive computer equipment is as much a cyber-attack as any other form of cybercrime.
• All digital devices require anti-malware software to be running to intercept attempts to install malicious code. The anti-malware software monitors for hacking attempts and locks it. In a business, all the digital devices running anti-malware software should provide reporting understand us back to the cyber security manager.

Watch

Learn more about intrusion prevention and detection systems. Watch the video below:

Activity 2

Monitoring Emerging Risks

The monitoring of developments in cyber security can drive changes in policy and technical delivery as threats emerge. The CIS framework in Control 7 (continuous vulnerability management) states that:

“New security vulnerabilities are identified using industry-recognized sources for security vulnerability information …”

Cybercrime is a global phenomenon. Reliable and insightful information can be gathered from many sources online. These sources will disclose what businesses globally are discovering by monitoring their systems and networks.

Cyber security managers should schedule time to regularly research for emerging risks. Sources of information include:

• identity software vendors such as SAP, IBM, Microsoft
• peak bodies such as the Australian Prudential Regulatory Authority (APRA)
• government agencies such as the Australian Cyber Security Centre (ACSC)
• security focused groups such as those found on LinkedIn.

Visiting online websites provided by reputable sources (e.g., ACSC) provides research insight. Often, online cyber security portals also provide memberships. Members receive cyber security updates on key developments over email.