Compliance the wrong motivator for cyber security

By Julian Bajkowski

December 8, 2016

Australian government and business organisations need to move beyond a mindset that achieving compliance with security standards will save them from attacks, and instead focus their efforts on a customer-based approach to cyber security risk management.

This is according to Mike Burgess, former head of security at Telstra, whose warning closely follows a similar theme broached by Telstra’s general manager of security advice and assistance, Berin Lautenbach, at a recent public sector cyber security forum hosted by The Mandarin.

Additionally, Burgess says government should spend more time helping smaller businesses think about their own security needs, especially as the risks and consequences of cyber espionage and warfare become intertwined with corporate security concerns.

“People who say if you just get compliant with this security standard, you’re going to be fine – that’s just rubbish,” Burgess says, pointing to recent compromises at Target and Home Depot in the United States.

“They all had compliance with the payment card industry data security standard, but they still got hacked. Compliance doesn’t equal security.”

“The tech industry has to tone down its rhetoric over buying more stuff, and the compliance industry has to actually bring itself back to think about what we’re trying to achieve here for the business or the consumer.”

Security strategies need a facelift

Burgess’ caution bolsters a strongly emerging theme: both public and private sector organisations now need to take concrete steps to validate their security strategies, rather than assuming a compliance tick is evidence that those strategies work.

As Lautenbach recently told public sector leaders at the forum hosted by The Mandarin, imperatives now include the need to:

  • Know the intrinsic business value of what you are protecting
  • Understand who has access to that information
  • Know who is protecting the information
  • Understand how well that information is protected

“Once you get up to a CEO or a C-suite level, the board level, they’re actually very good at thinking about and managing risk as long as you can articulate it to them,” Lautenbach said.

“They’re not scared to make risk decisions. But you need to be able to help them through that concession. It gives them a framework that they can understand.”

This systematic, risk-based approach to cyber security is a better choice than simply advocating for a greater emphasis on hardware.

“We’re headed in the right direction, but just don’t get distracted by shiny toys or quick fixes because there are none in this business,” Burgess said.

Even so, Burgess maintains that valid concerns remain. In particular, the rise of cyber espionage and cyber warfare may have greater negative consequences for businesses as the prevalence and stakes of illegal cyber activity continue to grow.

“We’re now starting to see red lines being pushed when it comes to manipulation through cyber activities or in cyberspace. So the way the alleged activity, that some governments were interfering in US elections, that is a worrying concern.”

“Because if countries can do it, then protest groups can do it, and then disgruntled individuals could start doing that. That is kind of a worrying development.”

“So they could steal data, they could deny you access to the data, they could delete data like happened with Sony previously. Or they could start changing data, so manipulating the data … all sorts of nefarious things that could start happening in that space.”

Open government a positive sign for security

Although the rising number of attacks against both private businesses and government agencies is a concern, Burgess notes increasing transparency in the public sector is an encouraging sign.

“When Malcolm Turnbull announces a security breach, he’s sending a message: ‘I’m doing this – and I expect you to as well.’”

That optimism is less pervasive in the SME sector.

Burgess says most of the economy still isn’t receiving enough support to protect its own businesses – and suggests there is a role for government to step in.

“What I fear is that the people in the Attorney General’s department want to talk to the big end of town. It’s useful, but it’s not where the focus is required,” he says.

“The focus is on those small and medium sized businesses.”

Along with supporting small and medium businesses, Burgess says the government needs to put more focus on ensuring its key services – those accessed by citizens online – remain protected.

“I kind of think the focus needs to be in the private sector. But actually, I would expect government to continue to provide services to us, the taxpayers, the citizens, through digital means.”

“It will do so in a way that protects our privacy, and our valuable data from exploitation by criminals.”
