
Here are some of our musings about the Cyber Security industry.

The real question is the cost of not having a cyber security plan. We all hate paying our insurance policies. Trust me, it’s one of my pet hates each year when they come around, but let me tell you a story.

In 2011, I had an accident … a big one. I broke my neck. When I left my house that morning I had no intention of breaking my neck, and there are many days since I wish I never left the house at all. But what sort of life is that? Never wanting to leave the house because of what ifs is no life at all. Luckily, I have a good and very persistent insurance broker who, to this day, still reminds me of the importance of my income protection insurance because, while I was incapacitated, I had to use my insurance to supplement my loss of income. I look back at those days and I wasn’t complaining about my insurance policy then. I was utterly relieved that I could continue to support my family and it felt like the best decision I had ever made.

I can draw a number of parallels between insurance and cyber security. Both only matter once something happens. The one difference is that insurance protects you only against the things written into your policy (insurance companies are good at inclusions and exclusions!). Unfortunately, hackers aren’t so thoughtful. Taking a conservative approach to your cyber security is no longer a luxury. The Government has recently introduced new legislation called the Data Breach Notification Bill, which applies to any company with revenues over $3 Million. Essentially this legislation is an extension of the Privacy Act: any company that suffers a material data breach in which customer data is lost, stolen, or leaked has 30 days to investigate the issue and then notify the authorities of the breach. Of course, there are major fines if companies are found not to have complied.

The issue I see in front of many companies, irrespective of their revenue size, is this: what constitutes a cyber breach? Let’s go back to my fantastic insurance broker. If he hadn’t put the right controls in place when we were discussing my insurance policy, I might have lost my livelihood. I had no idea what might happen in the future, nor the extent of any potential injury or circumstance. I was at least lucky enough to walk away from my accident. Imagine if I hadn’t, and I didn’t have income protection insurance … it sends a shiver down my spine, excuse the pun!

So, not knowing what a cyber breach is and not having the right detection controls in place makes it very hard to know whether you have been breached (cloud or on-premises – it doesn’t matter – data can reside anywhere). There is an argument in the cyber industry at the moment about what is more important – detection or prevention? Personally, I believe you can’t prevent what you’re unaware of, so both are as important as each other. But it all really boils down to this: what is affordable that will at least meet the needs of the new legislation and genuinely protect your customers’ data? You at least owe them that, right? Well, this is your mantra – protect for the future and detect for the unknown.

In recent times, the threat landscape has changed. Historically we built fortress models to protect our applications and their associated data stores. We put a firewall in, built a DMZ – make sure you can see and touch all of your IT assets and she’ll be right! Well, guess what? Enter stage left – THE CLOUD!!! Dropbox, Azure, and AWS have broken this antiquated fortress model apart. The traditional controls we relied on for so many years no longer really work. Hackers get more sophisticated every day, and when you combine that with the sandpit they now have to play in, it becomes even harder to detect, let alone prevent, their badness. Lately the application itself is the vulnerability: applications that have been around for years are riddled with technical debt and long-latent vulnerabilities that are only starting to play out today. Sure, don’t leave home without your firewall and anti-virus, but don’t be surprised when they still let hackers knock on your front door and let themselves in. There are vulnerabilities in code today that will only become exposed in years to come. The vulnerability just hasn’t been found yet; hackers tend to keep these things to themselves and are good at cleaning up their tracks.

So again, you are trying to prevent something that you and the rest of the industry don’t know about yet, which is why I still believe that detection is important. You need to monitor your assets 24/7, and in combination with your preventative controls this will give you confidence that you have done all you can to protect your assets. As of February next year, companies with more than $3 Million in revenue no longer have a choice. The Government, rightly or wrongly, has taken cyber threats and breaches out of the IT department’s hands and placed them squarely in the board room. That’s right, directors are directly liable if any of their sensitive data is compromised. You can’t detect, and therefore can’t prevent, everything; there is no silver bullet, and you have to continue to operate and grow revenues. Just make sure you have the right insurance policy in place with as many inclusions as possible. Trust me, I’m glad I did.
