
Protecting Australia: How CISOs can implement the ACSC's Prevention and Protection Guide

Yvette Lejins from Proofpoint explains how organisations can create a “robust cyber-posture”, which meets the standards of the ACSC.

Yvette Lejins
Fri, 15 Oct 2021

Driven largely by the disruption caused by the pandemic, along with several high-profile success stories, cyber criminals are targeting Australian organisations at an unprecedented level.

The Australian Cyber Security Centre (ACSC) received almost 5,000 reports of Business Email Compromise (BEC) in the 12 months up to June this year, with estimated losses totalling over $80 million. It’s clearly a lucrative pastime for cyber criminals.

As a result, Australia's CISOs are understandably on high alert: over 70 per cent of them feel at risk of suffering a material cyber attack within the next year. To compound the issue, most do not feel prepared for such a fate. Over half do not believe their organisation is ready for a cyber attack, while 50 per cent are more concerned about the repercussions of an attack this year than they were in 2020.

The long-term shift to hybrid work in response to COVID-19 is only making matters worse. Almost half (47 per cent) of Australian CISOs agree that remote working has made their organisation more vulnerable to targeted cyber attacks, with 45 per cent revealing they had seen an increase in targeted attacks in the last 12 months.

In a bid to raise awareness and action, the ACSC recently issued the next stage of its 'Act Now Stay Secure' cyber security campaign. Spanning nine key areas, it lays out the steps Australia's businesses can take to mitigate, deter, and recover from cyber attacks.

Implementing the ACSC Prevention and Protection guide requires technology, policy and a people-centric approach working together. It begins with protecting staff inboxes and extends through ongoing vigilance and cyber training. A robust cyber posture that meets the ACSC's standards not only protects the organisation but creates opportunities for growth and education. Here is how to build one.

Protecting staff’s inbox

With email the number one point of entry for cyber attacks, additional layers of protection such as multi-factor authentication (MFA) are highly recommended. However, MFA is by no means foolproof: adversary-in-the-middle phishing kits and MFA-fatigue prompts are increasingly used to bypass one-time codes and push approvals, so phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) should be preferred for high-value accounts.

What's more, preventative controls must be backed by ongoing detection of attempted and successful email account compromise. Security teams must be able to monitor for suspicious activity, such as new inbox forwarding rules, impossible-travel logins or unfamiliar OAuth consents, identify it quickly and prioritise response accordingly.

Domain and email authentication

When defending against domain spoofing and hijacking, it is best practice to keep any domain your organisation has ever used registered, so it cannot lapse and be picked up by an attacker who can then receive your mail and impersonate you. At the same time, you must regularly monitor for newly registered lookalikes (typosquats, homoglyphs, hyphenated variants and alternate TLDs). Anticipating and spotting every potential lookalike is incredibly challenging, with the number of plausible variants for a single brand domain running into the thousands.
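The following is an added example, not code from the article or from Proofpoint or the ACSC. It generates the common classes of lookalike variant for a brand domain (character omission, transposition and repetition, confusable substitution, keyword hyphenation and TLD swaps) and matches them against a feed of newly registered domains. The brand domain, the confusable table, the keyword list and the "newly registered" feed are all constructed for illustration; a real monitoring job would pull the feed from a zone-file or newly-registered-domain source.

```python
"""Generate lookalike (typosquat) variants of a brand domain and match
them against a feed of newly registered domains.

Added example for this article; not Proofpoint or ACSC code.  All
domains below are constructed sample data."""

# Constructed sample feed of newly registered domains (hypothetical names).
NEWLY_REGISTERED = [
    "exmaple.com.au",          # adjacent-character transposition
    "examp1e.com.au",          # digit substitution for 'l'
    "example-login.com.au",    # keyword hyphenation
    "exarnple.com.au",         # 'rn' masquerading as 'm'
    "unrelated-bakery.com.au", # genuinely unrelated registration
    "example.com",             # same label under a different TLD
]

# Assumption: a small table of visually confusable substitutions.
CONFUSABLES = {"l": "1", "i": "1", "o": "0", "m": "rn", "w": "vv",
               "a": "4", "e": "3", "s": "5"}
TLD_SWAPS = ["com", "net", "co", "com.au", "net.au"]
KEYWORDS = ["login", "secure", "mail", "portal", "support"]


def split_domain(domain):
    """Split 'example.com.au' into ('example', 'com.au').
    Assumes the registrable label is the first label, as for a simple brand domain."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def lookalike_candidates(domain):
    """Return the set of lookalike domains derived from `domain`."""
    label, suffix = split_domain(domain)
    labels = set()
    # 1. omission: drop one character
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])
    # 2. transposition: swap two adjacent characters
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # 3. repetition: double one character
    for i in range(len(label)):
        labels.add(label[:i] + label[i] + label[i:])
    # 4. confusable substitution (one position at a time)
    for i, ch in enumerate(label):
        if ch in CONFUSABLES:
            labels.add(label[:i] + CONFUSABLES[ch] + label[i + 1:])
    # 5. keyword hyphenation, e.g. example-login / login-example
    for word in KEYWORDS:
        labels.add(f"{label}-{word}")
        labels.add(f"{word}-{label}")
    candidates = {f"{l}.{suffix}" for l in labels if l and l != label}
    # 6. the genuine label under other TLDs
    for tld in TLD_SWAPS:
        if tld != suffix:
            candidates.add(f"{label}.{tld}")
    return candidates


def flag_lookalikes(domain, newly_registered):
    """Return the newly registered domains that match a lookalike candidate."""
    cands = lookalike_candidates(domain)
    return sorted(d.lower() for d in newly_registered if d.lower() in cands)


if __name__ == "__main__":
    for hit in flag_lookalikes("example.com.au", NEWLY_REGISTERED):
        print("lookalike registered:", hit)
```

Running it against the constructed feed flags five of the six registrations and leaves the unrelated bakery alone. The candidate set is deliberately broad (hundreds of names for a seven-letter label), which is why the matching is done against a feed rather than by resolving every candidate.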

CISOs should consider implementing DMARC to protect their organisations against these threats. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an open email authentication protocol that builds on SPF and DKIM: it lets a domain owner publish, in DNS, how receivers should treat mail whose header "From" domain is not aligned with a passing SPF or DKIM identifier, and it returns aggregate reports so the owner can see who is sending on the domain's behalf.

It is the only widely deployed mechanism that ties authentication to the header "From" domain, the address users actually see. Organisations that fully implement DMARC at an enforcement policy (p=quarantine or p=reject, not just p=none monitoring) can block threat actors from sending mail as their exact domain and dramatically reduce the risk of domain spoofing, business email compromise (BEC), phishing and other scams that rely on it.

Simply put, DMARC is the cornerstone of technical controls for rebuilding trust in the email channel, because it nullifies an entire class of email threats: exact-domain spoofing. Note its limits, however. DMARC does nothing against lookalike domains, which need the monitoring described above, nor against display-name deception or a compromised legitimate account, and a receiver only honours the policy if it validates DMARC itself.
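To make the alignment and policy logic above concrete, here is an added example, not code from the article or from Proofpoint or the ACSC, that evaluates a received message against a published DMARC record the way a receiver does (RFC 7489). The DNS records, the public-suffix stand-in and the sample messages are constructed for illustration; a real implementation would resolve `_dmarc.<domain>` TXT records and use the Public Suffix List. The `pct` sampling tag is parsed but not applied, since sampling is a receiver-side random choice.

```python
"""Evaluate a message against a DMARC policy, following RFC 7489 logic.

Added example for this article; not Proofpoint or ACSC code.  DNS_TXT is a
constructed in-memory stand-in for real _dmarc.<domain> TXT lookups."""

# Constructed TXT records as a receiver would fetch them from DNS.
DNS_TXT = {
    "_dmarc.example.com.au": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                              "aspf=r; pct=100; rua=mailto:dmarc@example.com.au"),
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
}

# Assumption: a tiny stand-in for the Public Suffix List, sufficient for the sample data.
PUBLIC_SUFFIXES = {"com.au", "net.au", "com", "example"}


def org_domain(domain):
    """Organizational domain: the registrable label plus its public suffix."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def lookup_policy(from_domain):
    """Try the From domain, then its organizational domain (RFC 7489 s6.6.3).
    Returns (policy, found_at_from_domain) or (None, None)."""
    for d in (from_domain, org_domain(from_domain)):
        txt = DNS_TXT.get(f"_dmarc.{d}")
        if txt:
            return parse_dmarc(txt), d == from_domain
    return None, None


def aligned(from_domain, auth_domain, mode):
    """Strict mode requires an exact match; relaxed mode only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a
    signature that verified.  Disposition is the policy the receiver should apply."""
    policy, exact = lookup_policy(from_domain)
    if policy is None:
        return "none", "none"  # no DMARC record: receiver falls back to local policy
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Record found at the From domain itself -> p; found at the org domain -> sp.
    return "fail", policy["p"] if exact else policy["sp"]


if __name__ == "__main__":
    # Legitimate bulk sender using a bounce subdomain (relaxed SPF alignment).
    print(evaluate("mail.example.com.au", "pass", "bounce.example.com.au", "fail", ""))
    # Exact-domain spoof: SPF passes for the attacker's own domain only.
    print(evaluate("example.com.au", "pass", "attacker.example", "fail", ""))
```

The third-party-domain spoof fails even though SPF "passed", because the passing identifier is not aligned with the header From domain; that is the check SPF and DKIM alone never perform. The strict `adkim=s` tag in the sample record also shows how a signature from `mail.example.com.au` stops counting for `example.com.au`, which is a common cause of surprise when moving from monitoring to enforcement.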

The privacy problem

All organisations are aware of the importance of privacy. Cyber criminals target your most sensitive and highly prized information, and it's vital that you ensure it is protected and stored in line with regulations such as the Australian Privacy Act 1988 and the EU's GDPR.

However, your privacy controls must go far beyond this. A modern privacy strategy should encompass more than customer data, spanning your email, cloud, endpoints, and entire ecosystem. Organisations need to implement solutions designed to combat email and cloud threats and offer comprehensive information protection.

Policing policies and procedures

So far, we've covered many of the tools that help you protect your organisation in line with the ACSC's Prevention and Protection Guide. But tools alone are not enough. Any effective cyber defence strategy must be backed by clear policies and procedures governing everything from basic password hygiene to BYOD (bring your own device).

Of course, just as important as writing these policies is enforcing them and detecting when they are broken. A security orchestration, automation and response (SOAR) platform can help by correlating malicious and suspicious activity, triaging it and prioritising response, so that a policy violation is acted on rather than merely logged.

Delivering people-centric awareness training

People-centric attacks require a people-centric defence. It is your users who are on the frontline facing tenacious cyber criminals, and you must train them to defend your organisation accordingly.

Comprehensive Security Awareness

Training must go beyond jargon definitions and multiple-choice tests. The goal is to build a security culture throughout your organisation, in which every member of your team knows not just how to detect and deter cyber threats but how their behaviour can limit or increase an attack's chances of success. This needs to be multi-faceted; a one-size-fits-all approach will not produce lasting changes in behaviour.

Creating a culture in which users are encouraged to report anything suspicious, including their own mistakes, should be a CISO imperative. When your users genuinely understand that a single errant click or weak password can expose your organisation to vast financial and reputational consequences, behaviour changes, and we are all safer as a result.

Vigilance is vital

Finally, staying informed of the threat landscape and your current risk level is key. Your security training program should put cyber threats at the forefront of everyone's minds, creating an environment in which vigilance is the default setting.

But as well as visibility into the threats you face, you also need a complete picture of your environment: who is accessing your data, when, from where and why, together with a thorough understanding of the level of people risk each user poses to your organisation.

As this breakdown of the ACSC guide goes to show, there's no short answer to cyber security. And there's certainly no silver bullet. The only effective cyber defence is broad and multilayered, spanning tools and technology, policies and procedures – and most importantly, your people.

Yvette Lejins is the resident CISO, APAC at Proofpoint.
