The list of highly regulated industries has expanded in recent times. While such industries as banking, government and medical have always been considered part of critical infrastructure, universities, local government and other industries in the supply chain, such as a certain takeaway food delivery brand, are now included in the definition. Consequently, these industries must also ensure their cyber security practices comply with the requirements of their new status – particularly considering the ever-growing number of data breach incidents and attacks.
Three years ago, the Office of the Information Commissioner introduced mandatory data breach reporting. Statistics are now released every six months and they show that there has been a significant increase in both the number and severity of breaches, says Rob Dooley, director ANZ at VMware’s Security Business Unit. “We’ve never been busier in terms of the amount of incidents that we’re helping our partners and customers deal with,” he says, “both with the consequences of potential nation state breaches and other cyber activity.”
He sees the reasons for this as threefold:
- the changing nature of how we work and the shift towards remote working
- changing relationships between Australia and critical nation states around the world, and
- cyber criminals launching more and more ransomware attacks to take advantage of their proven profitability.
Consequently, it is now more urgent than ever that organisations, and especially those in highly regulated industries, ensure that their security is holistic and comprehensive. It is also vital that cyber security is built into the very fabric of an organisation and not simply added as an afterthought or additional layer.
“Applications and data are at the core of everything you do,” says Dooley. “Organisations used to create an app or a database and then think about protecting it. What we’re finding now is that the full life cycle is taken into account, so security is added at the application development stage, not once that application has been put into production.”
Alignment of people, process and technology
With security built in from the ground up, it becomes easier to streamline operations and bring the three pillars of ‘people, process and technology’ together, which is vital in building an impenetrable defence mechanism against cyber attacks.
Siloed teams, however, have always been an impediment to this and, with increased remote working, this has become a more significant problem. Dooley says VMware’s approach to mitigate this is its ‘Anywhere Workspace’ – an end-to-end ecosystem communication tool. It entails looking at using the workspace, the capability of the individual, the identity and the device posture. “We look at the network of how you connect that person to the core critical systems of the organisation,” he says. “Then we’re also writing to the end point where we’re looking for zero day attacks, the new malware, and rather than basing it on signatures, we’re looking at behaviours.”
If the behaviour isn’t typical of what the user would normally exhibit there is an automated response to remediate.
Teamwork
Recent Forrester research shows that the changing nature of security means protecting an organisation’s digital assets and infrastructure can no longer be left solely to the security analysts. “It needs to be a team sport,” says Dooley. “It’s everybody’s responsibility, from the people who manage the infrastructure to the employees who need to be educated not to click on malicious links through phishing attacks.”
The cyber team, however, must also maintain correct security controls to investigate appropriate threats and not employ a scattergun approach. “Getting context of the threat is key,” says Dooley, “and then investigating what really matters.”
Tips and tools
The best advice Dooley can give organisations operating in highly regulated industries and wanting to ensure their cyber security is able to withstand the increasing number of attacks and data breaches is to follow the Essential Eight to the letter. This compliance framework is a list of recommendations that comprise the priority steps to take to prevent malware delivery and execution, limit the extent of cyber security incidents, and recover data and system availability. They were developed as part of the ‘Strategies to Mitigate Cyber Security Incidents’ by the Australian Cyber Security Centre (ACSC), which is a part of the Australian Signals Directorate (ASD), and were first published in 2017, with the most recent update in June 2020.
Strategies to prevent malware delivery and execution:
- Implement application control – to prevent the execution of unapproved or malicious programs including .exe, DLL, scripts and installers
- Configure Microsoft Office macro settings – in order to block macros that may be used to deliver malicious code from the internet and only allow vetted macros
- Patch applications – to ensure only the latest and most secure versions of applications are being used
- Use application hardening – disabling unneeded features and configuring web browsers to block Flash, ads and Java removes potential pathways for malicious code to be delivered and executed.
Strategies to limit the extent of cyber security incidents:
- Restrict administrative privileges – based on user duties and responsibilities to prevent adversaries using accounts to gain access to information and systems
- Implement multi-factor authentication – to make it harder for adversaries to access sensitive information, and
- Patch operating systems – including those of network devices, ensuring that any computers with ‘extreme risk’ vulnerabilities are mitigated within 48 hours and that no unsupported versions are used, to prevent the further compromise of systems.
Strategies to recover data and system availability:
- Perform daily backups – of new or important data, software and configuration settings, to ensure that information can be easily and swiftly accessed following a cyber attack, such as a ransomware incident.
“As a minimum, organisations should comply with this framework,” concludes Dooley. “It’s essentially good cyber hygiene.”