Raising cyber maturity by adopting a robust cybersecurity framework
The push for a digital future has gathered speed and force, with key technology able to improve and transform business models. New and emerging technologies such as the Internet of Things (IoT), artificial intelligence (AI), augmented reality (AR), blockchain, and the metaverse provide significant opportunities for businesses. However, despite the benefits of these transformative technologies, there are also challenges that businesses must overcome to thrive in the new digital era.
Tackling the growing and evolving digital attack surface takes more than a preventative approach. Organisations can no longer afford simply to guard against cyber threats; they must reduce operational risk by raising the cyber maturity level of the business. Cybersecurity maturity has become a crucial component in identifying, protecting, detecting, responding, and recovering in a way that goes beyond compliance to address the specific security vulnerabilities facing an individual organisation. Achieving cybersecurity maturity helps an organisation's IT security team report on the status of its security posture with confidence.
Currently, organisations face significant challenges when it comes to detecting and remediating breaches. According to Fortinet's Networking and Cybersecurity Adoption Index 2022, less than 49% of the organisations surveyed could detect a breach in less than 30 days, suggesting that most organisations are at risk from advanced persistent threats that could go unnoticed for longer than 30 days. Moreover, 23% of businesses take between two and three months to detect a security breach, which significantly increases the harm to the affected individuals and the financial and reputational loss the organisation incurs.
The limited focus on procedures and policies suggests that cyber maturity levels at many organisations are not as high as they should be. Businesses may have procedures and policies in place, but without the supporting focus, including a culture centred on IT security, those procedures and policies are not integrated into a holistic cybersecurity strategy. Organisations must therefore concentrate on reducing operational risk by raising cyber maturity levels. This requires businesses to assess their current maturity level to identify gaps in compliance and in the risk management of assets. From there, they need to decide where they want to be in the future and implement a framework that provides a path to a higher level of maturity.
For the finance sector, the Australian Prudential Regulation Authority (APRA) is continuing its heightened focus on operational and technological resilience by delivering on its cybersecurity strategy. APRA-regulated industries must ensure they are adhering to best practices for IT security and are making informed decisions for the long term.
However, cyber resilience isn't limited to financial institutions. Businesses across all industries must apply frameworks built on zero trust. A zero trust network architecture (ZTNA) assumes that breaches are inevitable and have likely already occurred. People trust people, but data is not people. The intent of zero trust is to take human emotion out of deciding what should be trusted and to put controls in place that help people trust the data and identities they expect to see.
Zero trust isn't just about trust and verification; it's also about understanding what it means for business outcomes. Adopting zero trust is an organisation-wide journey that is as much about how a business manages risk across the organisation as it is about evolving technological capabilities. With ZTNA in place, it becomes easier to define the processes and procedures an organisation must follow to assess, monitor, and mitigate cyber risk.
Organisations also need to consider other security frameworks that can help them increase their cybersecurity maturity. There are many that businesses can choose from; however, there are a few that dominate:
- NIST Cybersecurity Framework: the National Institute of Standards and Technology (NIST) cybersecurity framework is a powerful tool to help businesses of all sizes understand, manage, and reduce risk, and protect their networks and data. The framework provides a common language that ensures all employees within an organisation develop a shared understanding of their cybersecurity risks.
- ISO 27001: formally known as ISO/IEC 27001:2013 Information Security Management, the ISO 27001 standard framework considers all aspects of security, including business continuity planning and incident response. It provides best practices for risk-based, systematic, and cost-effective information security management. ISO 27001 certification demonstrates an organisation's commitment to following information security best practices to protect sensitive information.
- MITRE ATT&CK Framework: as a curated knowledge base, the MITRE ATT&CK Framework tracks the tactics and techniques used by threat actors across the attack lifecycle. The framework is more than a collection of data; it is a tool for organisations to enhance their security posture by testing their current security controls, identifying gaps in their environment, and implementing mitigation strategies to reduce the attack surface.
- CORIE Framework: the Australian Council of Financial Regulators recently introduced the Cyber Operational Resilience Intelligence-led Exercises (CORIE) regulatory framework to improve the cyber resiliency of financial institutions against threat actors. CORIE is a program of exercises that uses threat intelligence to model and execute an adversary attack simulation and demonstrate an organisation's cyber resilience level.
- CIS Controls: the CIS Critical Security Controls (CIS Controls) are guidelines, more focused on technical controls, that provide organisations with a prioritised set of safeguards for defending against the most common and significant cyber attacks. The recommended defensive actions provide a starting point for improving cyber defence and resilience and help improve organisational decision-making.
In addition to adopting a framework, organisations must also consider including cyber training and awareness for all employees in their approach to reaching cybersecurity maturity, bridging the knowledge and skills gap by creating a shared language that fosters cyber resilience.
The push for digital services and dispersed workforces in an increasingly digital and connected society has expanded the attack surface and left businesses susceptible to cyber threats. In recent times, there has been an increase in attacks on Australia's critical services and infrastructure, including within the telecommunications and transport industries, which has resulted in system outages, sensitive data breaches, financial loss, and reputational damage.
While there has been significant progress in the level of cyber maturity over the past few years, more work still needs to be done. Organisations can improve and sustain cyber resilience by adopting ZTNA, cybersecurity and resilience frameworks, employee education programs, and the best-of-breed networking and security solutions.