The Australian financial sector’s resilience to threats is back under the security spotlight

Morey Haber, Chief Security Officer, BeyondTrust, says Australian financial services organisations need to take stock of their cybersecurity operations – again.

Australia’s banks are on the receiving end of attempted cyber-attacks every minute.

In raw numbers this equates to tens of millions of attacks per large institution per month. Each of these attacks is not only a test of a bank’s cybersecurity preparedness, maturity and the strength of its layered defences, but also a constant test of resilience – of the uptime of banking services and of customers’ ability to always have access to their money.

Past cybersecurity incidents have put a spotlight on banks, insurers and other financial services firms – specifically around their ability to weather a storm that might impact their critical infrastructure.

Fortunately for Australians, most incidents that have impacted banking and payment systems to date have been largely caused by hardware or software failures, rather than due to a cyber or information security related breach.

But operating on the ASD readiness principle – that “critical infrastructure organisations should adopt a stance of ‘when’ not ‘if’ a cyber security incident will occur” – Australia’s financial industry cannot afford to lower its guard on the threat to resilience that evolving cyber threats continue to pose.

For the finance sector, there is an ongoing need and requirement to build resilience that is ready for future attack vectors from increasingly sophisticated threat actors. This implies that defensive implementations need to adapt to changes in the threat landscape without increasing the workload on defensive teams or pushing resiliency risk outside acceptable thresholds.

Another court action invites scrutiny of security

Recent civil proceedings filed by ASIC against a wealth management provider underscore the importance of remaining resilient to cyber risks. It’s not the first time that the financial overseer has felt compelled to intervene when it comes to cyber security posture and resilience. As with a previous intervention, this latest case offers lessons and detailed guidance for other industry participants about what is expected of them from a cyber resilience perspective, including around what the regulator deems to be “adequate cybersecurity measures”.

In the context of the latest case, the ability to prevent “network-based lateral movement and privilege escalation” is called out as a specific base requirement. This is further detailed as a set of hygiene expectations, including that “separate administrative accounts are used for privileged access and tasks and are not used for non-privileged activities”; that privileged accounts have “more complex password requirements”, both around length and storage; and that access to systems and applications is proactively managed and “revoked when users no longer require access.”

These kinds of privileged access controls will no doubt be familiar to any organisation that aligns with the Essential Eight, the Australian Government’s Information Security Manual (ISM), or other security control standards and frameworks. But as has long been the case, meeting these requirements can be complex.

The path to security maturity and operational resiliency

This latest case demonstrates that the need for vigilance and proactive measures around privileged access remains as real as ever.

Privileged Access Management (PAM) products have long been a significant aid in helping organisations to prevent lateral movement and privilege escalation: managing, monitoring and auditing every privilege and privileged session – and providing visibility, control and protection over pathways that could lead to elevated access.

Meeting heightened privileged access and other security requirements also requires a robust, defensible security posture that adapts to the changing threat landscape and conditions. An organisation’s progressive maturity in this space – whether achieved through PAM implementation or other measures – should ideally be tracked against a structured maturity model that acts as a “guided journey” to take the organisation from basic security measures up to having an advanced, adaptive security program in place.

We often recommend that financial services firms make use of a five-level maturity model, where each level represents a progression in the organisation’s ability to manage risk.

  • At level 1, organisations define roles and responsibilities, document basic information security policies, and start classifying their information assets by criticality and sensitivity.
  • At level 2, they move from reactive to proactive security measures, implementing and testing systematic controls, evaluating the risk of third-party assets and drawing up incident management plans.
  • At level 3, an organisation’s information security capabilities are well-defined, constantly updated and consistently applied across the vast majority of the organisation.
  • At level 4, the organisation’s information security program is dynamic, evolving in response to changes in the business environment and the threat landscape at large – with security policies, controls, and incident management processes aligned to the organisation’s strategic goals and objectives.
  • Finally, at level 5, information security capability is fully integrated, adaptive, and self-improving. Real-time threat intelligence enables the organisation to anticipate and respond to security events before they occur; mature incident management is automated, and all decisions – human or machine – are data-driven; and security policies, controls, and incident management processes are regularly revised based on lessons learned from previous events and emerging threats, ensuring resilience is maintained.

With the latest court case, Australian financial services organisations are once again reminded to take stock of their cybersecurity operations and posture, and to implement a baseline set of privileged access controls in order to achieve a level of operational maturity and resilience that meets the expectations of regulators, customers and the community.

By selecting the right model, making targeted improvements to privileged access management and consistently measuring their progress against industry best practice, participants will be best placed to mitigate some of the key threats to their resilience today.