In just the last few weeks, major cyberattacks have hit farming concerns, nation- and state-wide communications conglomerates, health departments, and more. The Australian Cyber Security Centre, for its part, is warning of significant threats, with reported incidents up 15 per cent and self-reported losses reaching AUD 33 billion. With the likelihood of cyberattacks increasing as fast as their cost, what can your clients do?
Best-practice information security measures to stay resilient
Well, remaining resilient to cyberattacks means maintaining an information security capability commensurate with an organisation's vulnerabilities and the threats it faces. That is easier said than done.
Indeed, the requirements placed on clients to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, and availability of their information assets (including assets managed by related parties or third parties) will have to be broad-based.
Clients shouldn’t despair, however. Here are some good places to start:
- Define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals
- Maintain an information security capability commensurate with the size and extent of threats to their information assets – one which enables the continued sound operation of the entity
- Implement controls to protect their information assets commensurate with the criticality and sensitivity of those information assets
- Undertake systematic testing and assurance regarding the effectiveness of those controls
- Notify key regulators of material information security incidents.
Complying with best-practice information security measures
Requirements are one thing. Implementing best-practice information security measures is quite another.
Simply maintaining an information security capability commensurate with the threats will tax client resources. Further, clients will also have to ensure that information assets managed by other parties are protected, which means assessing the information security capabilities of those parties as well.
Nor do threats remain static. Clients will have to actively maintain their information security capabilities in the face of changing vulnerabilities, as well as changes to their own business environment.
What measures might help? To meet the challenge, clients should get into the habit of organising their information security practices into distinct competencies: asset identification and classification, implementation of controls, and cyber incident management.
Beyond that, the following measures should form a starting point for your client’s information security practices:
- Information asset identification and classification. Classify information assets, including those managed by other parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the client or the interests of its stakeholders.
- Implementation of controls. Have information security controls to protect information assets, including those managed by other parties, that are implemented in a timely manner and that are commensurate with:
- Vulnerabilities and threats to the information assets
- The criticality and sensitivity of the information assets
- The stage at which the information assets are within their lifecycle
- The potential consequences of an information security incident
- Incident management. Have robust mechanisms in place to detect and respond to information security incidents in a timely manner. Maintain plans (information security response plans) for responding to the incidents the client considers could plausibly occur. Those plans must include mechanisms for:
- Managing all relevant stages of an incident, from detection through to post-incident review
- Escalating and reporting information security incidents to senior management, the Board, other governing bodies, and the individuals responsible for incident management and oversight, as appropriate
- Review and test the information security response plans at least annually to ensure they remain effective and fit for purpose.
Finally, despite the implementation costs, adhering to best practices in information security and incident management benefits clients in and of itself: the cost of an avoided or well-contained incident is far lower than the cost of one that is detected late and handled poorly.
What’s more, digital security management technology can help clients plan and manage their information security-related information, operations, and communications, cutting down some of the start-up costs. To learn more about how solutions, such as Noggin Security, can help your clients, request a demo today.