
Tag: security

Breach expectation: the new mindset for cyber security success

Business and Enterprise

Posted on April 16, 2019

4 min read

While security is now firmly on the agenda for senior leaders across Australia and businesses are better prepared than ever to address cyber-attacks, the threat of data breaches is accelerating and new legislation requires even greater vigilance, according to the findings of the 2019 Telstra Security Report.

Based on interviews with 1,298 security decision makers across 13 countries, the report found that Australian businesses are set to increase their security budgets beyond their $900,000 average spend for 2018 in response to mounting cyber security challenges.

In its fourth year, the report also found that one in two Australian businesses had been fined for being in breach of new legislation in the past two years, and two-thirds of Australian companies surveyed had been the victim of a security breach in the past year.

What has become clear is that cyber security is no longer about trying to prevent breaches; it’s about accepting that they will occur and managing them carefully to minimise their impact.

Human error and data breaches persist as major hazards

While new threats continue to emerge, the research found that traditional challenges facing Australian businesses remain key concerns.

Human error – often caused by inadequate business processes and employees not understanding their organisation’s security policies – was the highest risk to IT security identified by 36 per cent of respondents.

The number one challenge for Australian businesses in managing security, however, was the ability to detect and effectively respond to data breaches in a timely manner.

Australian businesses are faster at detecting breaches than their international counterparts – 62 per cent of respondents said they can do this in minutes or hours compared to 50 per cent globally – but organisations still take too long to detect and contain a breach.

One concerning finding was that 19 per cent of Australian businesses estimated that more than half of all data breaches went undetected altogether in the past year, despite 74 per cent of respondents believing they have systems in place to detect a breach as it occurs.

Ransomware remains an ongoing threat

Ransomware attacks were just as prevalent this year as last, but it is encouraging to note that most potential victims have adopted safeguards against such attacks.

The frequency of attacks continues to cause significant disruption for some businesses – 32 per cent of Australian businesses that reported a security incident in the past year said that interruptions from ransomware occurred on a weekly or monthly basis.

More than half of the businesses that reported a ransomware attack also reported that they paid the ransom, up from 47 per cent of respondents in the previous year.

Increasingly, however, paying the ransom does not guarantee a retrieval of data. Of those that paid the ransom, 77 per cent were able to retrieve the data, compared with 86 per cent the year before.

Customer privacy concerns increase

Against a backdrop of more frequent and sophisticated attacks and the introduction of new regulations that force the public disclosure of breaches, companies are now more aware of the threat of reputational damage and the erosion of customer trust caused by cyber breaches.

It is no surprise that our research found that customer concern around data privacy is also on the increase in Australia and globally.

As more devices become connected and new technologies and use cases are implemented across businesses, managing cyber and electronic security now has a much broader scope than in past years.

Cybersecurity isn’t just about selling technology; it’s also about process management and educating employees. That’s why Telstra helps organisations carry out vulnerability testing, compliance and risk assessments, and has opened purpose-built security operations centres in Sydney and Melbourne to meet the special security requirements of our customers.

With the continuance of traditional challenges, and the increase in regularity and sophistication of security threats, leaders have had no option other than to shift to an expectation-of-breach mentality. This means they must continue to step up to ensure they have the technology and practices in place to protect themselves and their customers as they operate in this increasingly connected world.

Download the 2019 Telstra Security Report below.

Cyber risk – a view from the Boardroom

Business and Enterprise

Posted on April 18, 2017

7 min read

Cyber-security and cyber risk are no longer on the periphery and are (or should be) occupying the minds of every company director as attacks increase in number and sophistication and the potential damage, when internal processes are not properly followed, can be catastrophic.

A problem for Board members though can be penetrating the tech-speak so common in the cyber world so they can look squarely at the risk, ask the right questions and ensure they are making the right decisions.

With so much at stake, I wanted to share a framework that may help company directors think about what is a critical issue.

An (un)clear but very present danger

Not long ago I was enjoying a conversation with a senior policy maker when he asked me how many attempted cyber-attacks we had on our networks in the course of an average month. He hazarded a guess: might it be two or three attacks a month? No, I told him, we had probably had two or three attacks since you started asking the question!

I share that story to make two points. Firstly, cybercrime, hacktivism and online espionage are happening every day, every hour, every minute, and every second (our recently released Cyber Security Report found that most Australian businesses have their security breached every month). The second point is that even among very senior leaders – government, community and business – there is often not a good level of understanding around the scale, tempo or sophistication of cyber risk and cyber-crime.

Why is cyber risk such an issue?

Cyber risk is a big issue and it is getting bigger all the time because accelerating technology innovation means the number of digital applications and services we use, either as individuals or organisations, is increasing rapidly. Moreover, these applications and services are now (almost without exception) connected to a network. That means the barriers to entry for those that would do us harm – whether they are criminals, terrorists, activists, nation states or otherwise – have come down dramatically. A digital world means it is now potentially possible to rob a bank from the other side of the world and undertake all manner of illegal activities without detection.

The challenge with cyber risk is its intangibility. In a physical world it is easy to form a firm opinion about levels of security because you can see it with your own eyes. We know Fort Knox is more secure than a suburban bank branch because we can see the relative levels of security in the form of armed guards, security cameras, surveillance equipment, safes, strong rooms and so on.

It is much harder to do that in a cyber world when the threat is invisible and often intangible. Put another way, you would not think of walking down a dark alley at 2 am in a dodgy neighbourhood in a city you have never been to before but how do you know that, metaphorically speaking, you are not already doing just that when you go online?

Too tactical or too technical

The challenge for Directors (and particularly Directors who do not have a good grounding in technology) is that too often discussions and briefings on cyber security are overwhelmingly technical.

Cyber experts and oracles by necessity come from deeply technical backgrounds and their views and advice can get very technical and very tactical very quickly. Complex briefings on issues like denial of service attacks, hacking, phishing and malware are not always easy for Directors to understand much less form an informed opinion about the relative impacts, implications and appropriate responses.

To be effective, Directors need a real sense for what the whole landscape looks like so they can anchor their thinking about an issue. They need to be able to interrogate the strategic thinking and decision making and be certain in their own minds that the risk is being managed appropriately. But if you cannot translate the tech-talk into plain-speak it is very difficult to know if you have done everything you can to mitigate cyber risk within your organisation and whether you have appropriate rectification strategies in place when issues arise, because one thing which is almost guaranteed is they will arise.

How to anchor Boardroom thinking around cyber risk

Notwithstanding these challenges (and the fact that the methods and technique of cybercriminals constantly change), cyber risk in reality is just like any other risk a Board considers. Behind the complexity, cyber-crime is just crime, cyber espionage is just espionage and hacktivism is just activism all by another name.

The key is to be able to cut through the technical language and get an understanding of the whole cyber landscape. We think there are three elements to the cyber risk equation:

1. Understand your context. Whether you are a bank, a telco, a government agency or otherwise, context is important because it determines where you need to focus your risk management activities. One important aspect of this is your data, which is ultimately the asset which is at risk from a cyber attack. At Telstra we have developed what we call the Five Knows of Cyber Security, a series of key questions to focus our thinking. We have found this useful in bringing a down-to-earth approach to a complex issue and that has helped improve understanding from the Board down. The Five Knows are 1) knowing the value of our data, 2) knowing who has access to our data, 3) knowing where our data is, 4) knowing who is protecting our data and 5) knowing how well it is protected. When you can answer these five questions you are in a better position to effectively assess and manage cyber security risk.

2. Manage cyber risk like any other risk. At Telstra we use the traditional three lines of defence risk model. The first line of defence is the processes, technologies and people within the core business that have accountability for protecting against risk. Ultimately accountability for risk management has to be embedded with the relevant line management. The second line of defence is typically the policies and standards that define risk appetite and approaches. The Chief Information Security Officer (CISO) plays a key role here. The third line of defence is typically some form of audit conducted from time to time to ensure the controls that are in place are working. This means a new set of skills for the internal audit function to develop. As with any risk, it is also important to think about cyber risk through the process in which it occurs. The better you understand the environment which creates the risk, the better positioned you will be to predict, prevent, detect, respond and remediate it should it occur. Data analytics can also play an important role in each stage of the process. This includes the discipline of a post-event remediation and rectification process to ensure we learn everything we can from the experience and use that knowledge to continually improve our processes, our people and our technology, to stay ahead of the risk.

3. Managing cyber risk is not just about technology. It is also about people and process. You can have the best technology in the world but if your people inadvertently give away their passwords or do not follow processes, you are likely to be exposed to cyber risk. Too often cyber security and cyber-risk management strategies focus on deep technology solutions and not enough on people and process.

An example I often use to highlight this point is the common cyber criminal ploy of dropping malware-infected USB sticks at the location of a target and waiting for an employee to pick one up and plug it into a desktop somewhere on the network.

A Board challenge

The days when cyber security and cyber risk were an ‘IT issue’ are long gone. Today they have the potential to ruin businesses, wreck reputations and compromise customer data and as such belong in the Boardroom. The challenge for Directors is peeling back the layers of complexity and being able to manage it like any other risk. The ability to do that will define the future success of the companies they lead.

This article originally appeared on Linkedin.


Cyber security: Towards greater collaboration

Cyber Security

Posted on February 24, 2017

2 min read

Today marks the launch of the government’s inaugural Joint Cyber Security Centre, an initiative identified in Australia’s National Cyber Security Strategy.

This private-public intel-sharing centre is designed to co-locate government, business and academic cyber experts to facilitate working together, the sharing of information and the development of new approaches to cyber security.

The launch of Australia’s Cyber Security Strategy in April 2016 by Prime Minister Malcolm Turnbull was a significant achievement. A key theme throughout the strategy was the need for the government and businesses to work together in partnership to drive strong cyber security and ensure our ongoing growth and prosperity in a global economy.

That need is becoming more pressing. New threats and attacks are being seen on an almost daily basis now and the cyber security industry needs to be working together to share and innovate in ways that protect our community. We have some fantastic Cyber Security capability in Australia – if we can bring together that knowledge, expertise and talent it will have a noticeable impact on our capacity to deal with the threat.

At the same time we need to be finding better ways to share data and intelligence in near real time. We see this happen well in industry sectors (the finance industry is traditionally very good in this area) but we need to extend that across all parts of government and industry.

There is therefore a tangible need and appetite for the government and businesses to work more closely and share threat information in a timely and actionable way, and we welcome the establishment of the first Joint Cyber Security Centre, located in Brisbane, as a strong step towards greater collaboration between businesses and government.

Telstra, as operator of Australia’s largest telecommunications network, understands that the internet and connectivity are fundamental to the lives of all Australians and the ongoing prosperity of our economy, and strong cyber security capabilities to protect this connectivity are critical.

We are excited about the opportunity the Joint Cyber Security Centre presents to share expertise with other big industry partners and government, and are looking forward to contributing to initiatives through the centre that will make a real difference to the online safety of Australians, proactively strengthen Australia’s cyber defences and make Australia a safe place to do business online.

Enhancing data security on our international network

Telstra News

Posted on January 17, 2017

2 min read

Our international subsea cable network carries a huge amount of international data traffic and keeps millions of people – and thousands of businesses – connected around the world. We’re working with leading technology providers to take data security to the next level, with a recent trial showing positive results.

We recently demonstrated the ability to successfully encrypt data securely while in transit between Los Angeles and Melbourne at 10Gbps. This demonstration was done in partnership with Ericsson using Ciena’s ultra-low latency 10G wire-speed encryption solution.

While encryption solutions exist today to protect data when it is ‘at rest’ (i.e. at the start and end points), this trial demonstrates the advanced security that can be delivered while data is ‘in transit,’ that is, being transmitted beyond the walls of a data center across large networks, without any impact to performance.

With the digitalisation of business processes and data consumption rising at a rapid rate, the need to keep data secure without compromising integrity or increasing latency is essential at both the application and network layers.

Darrin Webb, Executive Director of International Operations and Services, Telstra, says: “Our market-leading subsea cable network is the largest in the Asia-Pacific region and this innovation continues our commitment to providing customers with a world-class network experience. The outcome of this test shows that data can now be encrypted while in transit across a long distance, while maintaining the speed and reliability our customers have come to expect from our international network. We will continue to work with Ericsson and Ciena to take this trial to the next level with a 100Gbps encryption test.”

Emilio Romeo, Head of Customer Unit Australia and New Zealand, Ericsson, says: “This time last year Telstra and Ericsson achieved an encryption trial between Melbourne and Sydney. We have now extended the distance from Melbourne to Los Angeles with data in transit encryption at 10Gbps, which is the typical speed used today over these distances without encryption. Ericsson brings our optical network systems expertise to progress these tests and support Telstra’s path toward commercialisation of this enhanced security capability.”

Next up we will demonstrate 100Gbps encryption between Los Angeles and Melbourne with Ericsson in the first half of 2017.

2016 Telstra Cyber Security Report

Telstra News

Posted on February 23, 2016

3 min read

There is no doubt that connectivity and technology provide great benefits for society and the economy today, and the full potential and benefits are yet to be fully realised. However, with this benefit comes some risk, and as more of the world embraces technology and connectivity the risk increases. It is critical that individuals and organisations are able to manage this risk.

In the intangible world of cyber space, where neither the assets we value, nor the threats, are visible, it can be a struggle to understand how to manage these risks.

The continual increase in connectivity and the rapid uptake in new technologies means that crime, espionage, protest and even mistakes can happen at a pace, scale and reach that is unprecedented. That makes cyber security a significant issue, one of global importance that no individual or organisation can handle alone.

Telstra today released its 2016 Cyber Security Report, which aims to assist organisations in the Asia Pacific region to better manage and mitigate their business risks by sharing our knowledge of the evolving security landscape.

This report shares our knowledge and insights about the cyber security risk identified by businesses in Australia and the Asia Pacific region. Among our findings are:

• 23.7 per cent of Australian organisations surveyed detected a business-interrupting security breach during an average month. This is more than twice as often as 2014 (10 per cent);
• The Asia Pacific region experienced an even higher level of security incidents with 45.5 per cent of surveyed organisations impacted by a security incident during an average month;
• Organisations that attribute responsibility to C-level or business line managers and conduct frequent cyber security briefings are better positioned to handle security incidents;
• Ransomware and particularly phishing emails continue to rise in Australia and disrupt business operations; and
• Nearly half of Australian organisations have not yet put in place the tools to track and monitor shadow IT, which is leaving organisations exposed to the potential loss of valuable data.

Businesses that approach cyber security as an IT risk rather than a business risk will struggle and in many cases fail to appropriately manage the risk. A business risk view with the right mix of people, processes and technology is essential for companies to manage the risks and reap the benefits of the digital world.

It is our hope that the report will improve awareness about the nature of the cyber threat and help organisations make vital cyber security decisions that minimise the cyber security risk to their business.