The essential eight steps to cyber threat mitigation

The cyber security threat to Australian businesses has never been higher, but the Australian Signals Directorate (ASD) estimates that correctly implementing its top mitigation strategies would have prevented at least 85% of the targeted intrusions it has responded to.

From its full list of mitigation strategies, the ASD has singled out eight controls, the 'Essential Eight', which focus on patching, application whitelisting, restricting access and being able to recover. The first four are the ASD's original 'Top 4', to which the 85% estimate applies; the other four were added in 2017. They are listed here with the Top 4 first:

  1. Application whitelisting
  2. Patch applications
  3. Restrict administrative privileges
  4. Patch operating systems
  5. Disable untrusted macros
  6. User application hardening
  7. Multifactor authentication
  8. Daily back-up of important data

Some of the steps can be onerous or difficult to apply. However, it is worth the effort. Shipping firm Maersk found this out the hard way in 2017 after it fell victim to the NotPetya ransomware attack.

The malware entered through a compromised update to a third-party accounting package (a supply chain vector, see below) and then spread across Maersk's network by exploiting a vulnerability in Windows SMBv1 for which Microsoft had released a patch (MS17-010) in March 2017, about three months before the attack. It also harvested credentials from memory to move between machines, which is exactly the kind of spread that restricting administrative privileges limits. Maersk estimated that the incident cost the business between US$200 and 300 million.
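To make the list concrete, the following PowerShell script is an added example written for this page; it is not ASD tooling and not Gallagher's. It is a read-only spot check of four of the eight controls on a single Windows 10/11 endpoint: local administrator membership, the age of the most recent Windows update, Office macro policy and the freshness of a backup location. It also reports whether the legacy SMBv1 protocol is still enabled, since unpatched SMBv1 is what worms such as the 2017 attack on Maersk exploited. The Office registry version key (16.0), the 30-day patch threshold and the `D:\Backups` location are assumptions to adjust for your own environment.

```powershell
# Added example for this page, not ASD or Gallagher tooling. Run from an
# elevated PowerShell 5.1+ prompt on Windows 10/11. Read-only: it changes nothing.
# Assumptions (adjust for your environment): Office 2016 or later (registry
# version key 16.0), macro settings applied by policy under HKCU\Software\Policies,
# an illustrative 30-day patch threshold and a hypothetical backup folder.
$MaxPatchAgeDays = 30
$BackupPath      = 'D:\Backups'             # hypothetical nightly backup target
$OfficeApps      = @('Word', 'Excel', 'PowerPoint')

function Get-RegValue {
    # Return the named registry value from the first path that has it, else $null.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

$findings = @()

# Restrict administrative privileges: every member of the local Administrators
# group is a target for credential theft, so each one needs a justification.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
$findings += New-Finding 'Restrict admin privileges' 'REVIEW' ("$($admins.Count) members: " + ($admins -join ', '))

# Patch operating systems: age of the most recent Windows update that records a date.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch) {
    $ageDays = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    $status  = if ($ageDays -le $MaxPatchAgeDays) { 'PASS' } else { 'FAIL' }
    $findings += New-Finding 'Patch operating systems' $status "$($lastPatch.HotFixID) installed $ageDays days ago"
} else {
    $findings += New-Finding 'Patch operating systems' 'FAIL' 'No dated updates found'
}

# Legacy SMBv1 is the protocol that unpatched worms such as the 2017 attack on
# Maersk abused; it should be off regardless of patch level.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$findings += New-Finding 'Patch operating systems (SMBv1)' ($(if ($smb1) { 'FAIL' } else { 'PASS' })) "EnableSMB1Protocol = $smb1"

# Disable untrusted macros: VBAWarnings 3 = only digitally signed macros run,
# 4 = all macros blocked; blockcontentexecutionfrominternet 1 = block macros in
# files downloaded from the internet. Anything else lets an emailed document run code.
foreach ($app in $OfficeApps) {
    $paths = @("HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security",
               "HKCU:\Software\Microsoft\Office\16.0\$app\Security")
    $vba   = Get-RegValue -Paths $paths -Name 'VBAWarnings'
    $block = Get-RegValue -Paths $paths -Name 'blockcontentexecutionfrominternet'
    $ok    = ($vba -in @(3, 4)) -and ($block -eq 1)
    $findings += New-Finding "Disable untrusted macros ($app)" ($(if ($ok) { 'PASS' } else { 'FAIL' })) "VBAWarnings=$vba blockInternet=$block"
}

# Daily backup of important data: the newest file in the backup location must be
# less than a day old, otherwise last night's job did not run.
$newest = Get-ChildItem -Path $BackupPath -Recurse -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($newest -and $newest.LastWriteTime -gt (Get-Date).AddDays(-1)) {
    $findings += New-Finding 'Daily backup' 'PASS' "Newest file $($newest.FullName) at $($newest.LastWriteTime)"
} else {
    $findings += New-Finding 'Daily backup' 'FAIL' "No file under $BackupPath written in the last 24 hours"
}

$findings | Format-Table -AutoSize -Wrap
```

A script like this is a spot check, not compliance evidence: a FAIL tells you where to look, but application whitelisting and multifactor authentication cannot be verified from a single endpoint's registry and need to be checked at the policy and identity provider level.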

Supply chain risk

Digital connections to business partners are a common source of cyber risk, so it is critical to be clear about (i) how much of the business's operations each partner can reach, (ii) restricting that access to what they actually need, (iii) continually monitoring the vendors' activity on your systems and (iv) bringing those vendors into the audit process as part of the organisation's scope of operations.

Organisations should approach this by firstly defining who their key vendors are, then specifying the primary contacts for each, establishing guidelines and controls to ensure consistent risk management processes and integrating the vendors’ protocols with their assessment and audit practices.

Once an organisation understands where the risks are and what exposures are involved, it must decide how to manage them. There are three options: (i) developing the requisite capability in-house, (ii) outsourcing the responsibility to an external service provider or (iii) transferring, through insurance, risk that cannot otherwise be managed.

Cyber risk insurance essentials

Mandatory reporting drove the purchase of cyber insurance products in the US and the same trend can be anticipated in Australia, but 'cyber insurance' is a catch-all term. There is no single insurance policy designed to cover the expenses incurred by unauthorised access to a business's information systems. Some brokers offer 'off-the-shelf' products or put together their own solutions, but a gap analysis, and integrating the cover into your existing risk management program, is critical to obtaining a good outcome.

According to the Australian Government, approximately 53% of the cost to a business of an information breach is establishing how the attacker gained access. Cyber insurance can cover that expense. Other first and third party expenses include recovery and business interruption costs.

Business interruption triggered by a non-tangible event, such as a malware infection, is not covered by conventional insurance, and that is where cyber insurance comes into play: it fills the gaps in traditional cover. Human error, programming error, power failure and fines are other exposures that standard policies won't cover.

Other liabilities to consider insuring against include cyber extortion, data asset loss, privacy liability and security liability – and the costs resulting from breaches, incident response and misuse of media, with associated legal expenses.

Needs that you might overlook

Responding effectively to a cyber attack demands more than just fixing the network. In order to fulfil mandatory reporting requirements, an organisation needs an incident response manager who is capable of coordinating the response to a breach and directing the forensic investigation that follows.

They will need to pinpoint how the network was breached and what data has been stolen or compromised. In a ransomware attack, a business will also have to establish whether the attacker's claims are genuine, for example whether data really was exfiltrated before it was encrypted. This calls for dedicated resources and skills.

Legal advice is also essential – and if the company does business internationally this advice must also apply to foreign jurisdictions.

Extortion negotiation, identity protection and credit monitoring are other services that may prove valuable in the event of a cyber security breach.

Need advice on cyber security for your business?

Gallagher is ACAPMA's insurance partner with a team of specialist brokers for the convenience store and petrol retail sectors. Request a cyber insurance quote, or more information on Gallagher's product range, here.

Gallagher has also released a guide to developing a data breach response plan for your business. This is available as a free download here.