
Cyber Security: Lessons learnt in 2022

Jan 18 2023

The threats posed by cybercrime have significantly evolved over 2022. Cybercrime continues to pose a global threat to economic and social prosperity, causing wide-ranging harm to its victims and broader society. This includes financial losses, emotional and psychological impacts, and the disruption of essential services. 

Cybercriminals are resilient, opportunistic and borderless. While cybercriminals are increasingly sophisticated in how they pursue their illicit activities, advanced technologies, anonymising services and darknet marketplaces also lower the barrier to entry, so that less skilled actors can engage in cybercrime.

Looking at what we know about cybercrime throughout 2022, five key takeaways should be addressed.

1. Lack of communication with employees

Employees are generally unaware of an organisation’s cyber controls and information security practices, and they take little or no ownership of the issue.

2. Outdated ICT

Outdated IT hardware and software platforms are everywhere. Many organisations or individual users probably do not know whether their systems are outdated or current. This level of ignorance is a risk. 

3. Lack of IS risk assessment 

Organisations fail to undertake a risk assessment of their security systems and practices. Many organisations or individuals do not know the top five information security risks within their organisation, nor how, or whether, those risks are being managed.

4. Cloud services not understood

How data assets are used, shared or stored is unknown. Ask an executive where their data is stored, and they’ll probably refer to the ‘cloud’ or name a SaaS provider. That only says who they have passed the responsibility to, not the actual location or storage system holding masses of PII data.

5. IT role not understood

Information security is seen as an IT issue. However, it’s not the IT systems themselves that are the issue; it’s the people using them. Users who are uninformed and untrained are often one of the top five information security risks of an organisation. 

When dealing with cyber security risk, there is no simple answer. Treat these five risks as a priority for 2023.

Include the following:

  • ICT Communications Plan for employees and outsourced providers. Test this plan frequently.
  • A structured Asset Management Plan covering every software platform and hardware asset (fixed or mobile), audited for currency.
  • Undertake a risk assessment against the 93 risk controls in ISO 27002:2022. Prioritise these in order of risk and work toward mitigating or reducing each risk. 
  • Review cloud and other storage arrangements with suppliers or in-house (whichever is your model). Check the SLAs in place with providers and seek evidence that the provider is delivering against the committed security levels in the formal agreement. 
  • Develop an Audit and Test Plan that tests IT Systems resilience and policy / procedural compliance. This will find weaknesses that can then be addressed.

For further information or advice, please get in touch with ADIA at 0460 012 092 or ADIA’s Quality Consultant, Norine Cruse, at 0418 541 041.

Source: Securely Done (Jan 2023)