
Key themes from 2022 taking us forward


by Marise Alphonso, Information Security Professional


You may have heard that the only constant in the information security industry is change. 2022 ushered in some major changes and trends in the Australian and global landscape that can be leveraged to improve cyber maturity and create a safer cyber environment for individuals and organisations.

THE APPROACH TO CYBERSECURITY AT A NATIONAL LEVEL

The Albanese government, sworn in earlier this year, sent a strong signal to the information security community by appointing Clare O’Neil as Minister for Cyber Security. With a dedicated minister for cybersecurity, Australians can be optimistic about Australia becoming a cyber-resilient nation with a trusted and secure digital economy. Cybersecurity has certainly been given the prominence and visibility needed to help achieve this. The need for greater diversity and inclusion, and for a larger cyber workforce, are much-discussed topics. Government, industry and academia must pull together if these needs are to be met. The appointment of a woman as minister for cybersecurity is an encouraging sign to other women working in, or aspiring to work in, the information security sector.

AustCyber’s Sector Competitiveness Plan 2020 highlights five key industries that are becoming increasingly digitised and hence have growing cybersecurity requirements. Key components of this digitisation are the shift to online infrastructure, the increase in digital payments and fintech, the proliferation of IoT and smart devices, remote access to operational technology (OT) and the expansion of AI and quantum computing.

It is projected that future cybersecurity products and services will be required to focus on these five areas in response to the increased attack surfaces they will create and the expanded regulatory requirements that will be imposed on various sectors of the economy.

In discussions about digital trust, and in the announcement of a planned review of Australia’s 2020 cyber security strategy, there is growing mention of ‘sovereign capability’ and the need for Australia to have the cyber capability to protect the digital economy. The rise in geopolitical tensions has cybersecurity implications, as was seen with Russia’s invasion of Ukraine in February and with cyber attacks on the Taiwanese government and Taiwanese businesses following Nancy Pelosi’s visit in August. Developing and maturing a local cyber capability is a necessity.

CHANGING WORK ENVIRONMENT

Practices accelerated by the Covid-19 pandemic, including remote working, digital transformation and cloud services usage, have led to changes on the cybersecurity front that are here to stay. An organisation’s network no longer represents a logical perimeter where protection can be deployed. Neither do its premises represent a physical perimeter to its operations that can be protected. Therefore, it has never been more important for employees to be cognisant of their key role in protecting their organisation’s data. Customer personal information is now visible on screens in a staff member’s home. Connections into an organisation’s network are made via a home Wi-Fi router. Staff are more reachable via email or messaging applications and hence more exposed to phishing attacks. An organisation’s security awareness initiatives will continue to be critical to addressing cyber risk and fostering a cyber-aware and cyber-safe workforce.

LEGAL, REGULATORY AND INFORMATION SECURITY STANDARDS LANDSCAPE

Australian consumers and businesses are awaiting the results of the review of the Privacy Act being conducted by the Attorney-General’s Department. The Office of the Australian Information Commissioner (OAIC) indicates this review will strengthen requirements for protecting personal information, empower consumers, hold businesses accountable and ensure the OAIC can provide effective privacy regulation in line with community expectations.

The Security of Critical Infrastructure (SOCI) Act has introduced new obligations on 11 sectors of the economy. Two new positive security obligations (PSOs) require organisations bound by the SOCI Act to (a) provide ownership and operational information to the Register of Critical Infrastructure Assets and (b) notify the Australian Cyber Security Centre (ACSC) of cybersecurity incidents within set timeframes: 12 hours for an incident having a significant impact on the asset, and 72 hours for other relevant incidents. A third PSO, yet to be ‘switched on’ by the government, requires organisations to maintain a critical infrastructure risk management program and uplift security practices that relate to the management of critical infrastructure assets.

The new version of ISO/IEC 27002:2022 has ushered in changes to existing organisational security control frameworks. These include a consolidation of the controls into 93 (from 114), grouped under four themes (organisational, people, physical and technological), with 11 new controls added and others merged or removed, as well as the introduction of five attributes that allow controls to be categorised and filtered in different ways. The updated version of ISO/IEC 27001:2022 is expected in October, and organisations certified to ISO/IEC 27001 will have to review the changes and adjust the governance processes that underpin their information security management system.

DRIVING INCREASED SECURITY MATURITY

The journey towards cyber resilience tends to be cyclical rather than linear, with several checkpoints along the way. To be successful and stay on the path, organisations need:

• their board and executive leadership teams engaged and asking the right questions of the security team;
• clarity on their legal, regulatory and contractual obligations for data and system protection;
• to embrace the changed work environment and use security practices to enable the organisation;
• a baseline of operational security practices so they are able to benefit from cyber insurance policies;
• to provide evidence demonstrating effective security practices that will satisfy auditors;
• a culture of preparedness for security incidents that enables them to respond and recover effectively.

www.linkedin.com/in/marisealphonso
