The large-scale data breaches we’ve seen in Australia in the last year have been devastating for consumers and businesses alike.
The Federal Government’s Cyber Security Strategy—now at an advanced state of development—sets the ambitious goal of making Australia “the most cyber secure nation in the world by 2030”.
It’s a tall order, although not impossible, and we’re already seeing a stronger focus on corporate accountability, with tougher penalties coming for avoidable security failures.
So, it’s a good time to revisit cybersecurity fundamentals.
Risk management
The cornerstone of cyber security is risk management. It’s important to understand what adverse events can occur in a business environment, and the steps you can take to avoid them, deflect them, or lessen their impact.
The best cybersecurity starts with a clear organisation-wide inventory of information assets. Crucially, this means more than information stores and data sets: it must include business records, operational data, software, and intellectual property. The key question is what it is about a business’s information that really makes it valuable (and, ideally, a competitive advantage). Is it the information’s accuracy? Completeness? Timeliness?
The answers to these questions become your asset inventory, which in turn enables a tailor-made Threat and Risk Assessment (TRA). That is, what events threaten the value of your assets, and what is the likelihood and impact of those threat events?
These questions need to be tackled in a cross-disciplinary way, engaging a business’s line managers, subject matter experts and ideally the executives too. The particulars should be tabulated and maintained through a regular risk committee process. There are standards for gauging threats and estimating the resulting risks, so that countermeasures can be prioritised in an orderly way.
Risk assessment is not a formality – all managers should get involved in information asset inventories and TRAs as a routine part of the business.
Rush Gold: cyber-security led
Rush Gold was built on these principles of cybersecurity: information assets were the first item of business, and the TRA was written before any code!
We used our threat and risk picture as a design tool, to guide product and operational requirements, and we allowed the TRA to truly inform the organisation’s security policy.
But of course, it didn’t end there – we regularly review the TRA, accounting for new threats as they arise, we have a live security policy, and we conduct quarterly risk reviews with our risk committee.
There is no such thing as perfect security, but if disaster strikes, the time to prepare has passed.
Steve Wilson has been Rush Gold’s CISO since inception. He is a researcher, innovator, and analyst in data protection. He has been a lead digital identity adviser to the governments of Australia, Hong Kong, Indonesia, Kazakhstan, Macau, New Zealand, and Singapore, and has been awarded 10 patents.
In 2018, he was described by digital ethnographer Tricia Wang as “one of the most original thinkers in digital identity in the world today”.