Why leaders need to take a risk-based approach to data security

Few organisations apply a risk-based approach to security and privacy, and hence put themselves at risk. Management asked cyber-security expert Jatinder Oberoi to outline the best strategies organisations can take to protect their data and that of their customers.

What are the most common cyber-security breaches your company sees arising in  NZ’s corporate and government sectors?

What we have seen as the most common forms of breaches here in New Zealand are cybersecurity and privacy breaches – mostly in the form of ransomware and breaches of personal information.

The hackers mostly use phishing emails to get into the organisations. We have also seen CEOs/CFOs email accounts being compromised. These attacks could be easily mitigated or reduced by providing more awareness of the importance of cyber security among all staff.

We all know that the incidence of cyber breaches is growing, but what are the most easily made mistakes that larger businesses make in their cyber-security approaches?

Most organisations don’t put the money where the mouth is when it comes to cybersecurity. What I mean by that is few organisations apply a risk-based approach to security and privacy, and hence – put themselves at risk.

Having a risk-based approach to security helps organisations mitigate the real risks to the business – which is mostly lack of vigilance from people and processes, rather than just relying on technological solutions.

This takes us to the next point – organisations should aim to work with well-known security standards or frameworks like ISO27001 or NIST Cyber Security Framework to protect the privacy and security of their assets. 

What are the type of legacy security issues that NZ organisations have?

Time and again, the biggest legacy security issue we find in New Zealand is old unsupported software running on old hardware or mainframes. This is especially the case in finance and insurance sectors. Legacy industrial control systems (SCADA) in the utilities sector also come into that category.

The cost of upgrading these systems is very high so organisations keep on living with those legacy systems. These software and systems are critical to those organisations and at the same time, present a huge risk because they are unsupported, non-resilient and mostly insecure.

Another legacy issue is the thinking that security is just the IT department’s responsibility rather than everyones.

Could you explain the affect New Zealand being part of Five Eyes has on organisations’ cyber approaches?

New Zealand gets access to a massive shared cyber intelligence capability by the virtue of being part of Five Eyes. Currently we are not taking full advantage of this capability. By utilising this cyber intelligence optimally, New Zealand organisations can get greater strategic, tactical and operational visibility into the current threat landscape.

This will not only bolster our strategic risk evaluation capability, we will also be able to detect threats early and prevent the cyberattacks. If we could utilise this better collectively, I can only envisage how this will open up immense opportunities for New Zealand organisations to become a safe technology innovation hub.

On the other hand, we have also seen many New Zealand organisations aligning with US Privacy and Cybersecurity Frameworks and Standards like NIST 800-53 and Cyber Security Framework, as a result of being part of Five Eyes. This trend is also strengthening New Zealand organisations and showcasing their security capabilities to their customers, employees, shareholders and other businesses.

What do you believe are the best strategies organisations can take to protect their data and their privacy and that of their customers?

Unfortunately, there is no silver bullet to protect the organisational data and customer privacy. But the first step is to create awareness at the board and CXO level to get management commitment for the long term and not just a single shot. And sometimes it is a cyber incident which creates that awareness, which is not ideal as the damage has already happened.

I would always recommend that organisations get an audit done by an independent party to be aware of the risks that organisation is actually living with each day. The board might not be aware of how much the organisation is actually exposed. And once you have the audit done, then the organisation can make informed decisions on how to deal with those business risks.

Even with the best will in the world and the very best security measures in place can organisations actually stop an attack from occurring?

No, I firmly believe that if you are not yet hit by a cyberattack, you will soon be.

Which is why it’s so important to use a layered security approach (defence-in-depth). It’s like in the war where you have many lines of defence: when the first line of defence fails, the second one takes over and when the second one fails, the third one protects.

Organisations need to establish a software-defined perimeter that creates a Zero Trust environment.

Through the power of micro-segmentation, encryption, and dynamic isolation, they can thwart most of the attacks – even sponsored, sophisticated ones – in their tracks.

And, should an attacker get inside, these approaches prevent data exfiltration so that they can contain the breach. This is why we have added Unisys Stealth to our portfolio.

I would also suggest investing in the organisation’s resilience and incident response, because if something hits the final wall and you have a security incident, at least you know how to deal with it.

Are you able to outline any recent attacks on any of your clients, that our readers may not have heard of.

One of the recent breaches we dealt with occurred because a privileged user opened a link from a phishing email on their personal computer which was connected to the company network.

Within a few hours, the organisation’s email infrastructure stopped working and the enterprise document repository got encrypted by ransomware.

Thankfully, the organisation had a disaster recovery plan in place, which was thoroughly tested a few months back, so the company had access to all its data as it had been backed up only few hours back.

This helped the organisation be back in business sooner than expected and the risk investment paid well.

Once an attack has occurred what is the first and second thing the leadership team should do/and or consider?

First thing to do is to ensure that the incident stays contained, and it doesn’t amplify any further. Although for evidence purposes, sometimes you want to let a breach persist, without cascading damage, so that you can monitor and find the root cause or even the hacker.

It seems strange advice to keep the breach or the attacker going but sometimes it’s better to keep it contained so that we can trace the root cause while the hacker is at it. At the same time, you are containing it and not letting it do any further damage.

You would need to balance these two tasks by bringing in an outside incident response and forensic investigation company as soon as possible.

Is there anything else you would like to add in the way of advice?

If an organisation says that they have a security certification and they are secure, it means that they comply with a certain standard and are on a continuous improvement journey. I would still advise you to check what extent they comply to, as without independent audit report or certification, it’s difficult as an outsider to assess an organisation.

The best way for an organisation to showcase their cybersecurity practice is getting an independent audit done and preferably getting certifications like ISO27001 and SOC2.   M

Jatinder Oberoi, is the CEO at SeComPass, an Auckland-based consulting company that specialises in privacy and information security management, audit, assurance and certification. It serves the telecommunications, insurance, utilities, education, research, health, advertising and marketing sectors as well as artificial intelligence, big data, analytics and SaaS organisations.

Visited 21 times, 1 visit(s) today

A focus on culture

Rabobank’s 520-plus New Zealand employees work from 27 locations – places like Ashburton, Pukekohe and Feilding and from a purpose-built head office in Hamilton. Its employees are proud of the

Read More »
Close Search Window