How far should companies go with stress-testing to prove the adequacy of their cyber resilience, asks Courtney Brown, managing director of Millennial Group.
Courtney Brown and Damien Manuel GAICD advise on how directors should consider managing their cyber risk.
AICD position on proposed cyber reforms
Positively, the federal government’s consultation does not recommend a mandatory model or new “cyber-specific” director duties, which had been flagged in earlier debate. The AICD engaged early with Home Affairs and Treasury on these issues and we understand our feedback helped inform the approach. The AICD considers that existing general directors’ duties adequately cover care and diligence obligations on cyber risk. While we continue to consult with members, we see merit in a voluntary governance standard that is developed with industry, recognising that many organisations are grappling with managing the complexity of cyber risk.
This is not a drill
In August 2020, the Australian Securities and Investments Commission (ASIC) commenced its first enforcement action against an Australian Financial Services licensee, RI Advice Group (RI), alleging breaches of s912A of the Corporations Act 2001 arising from a failure to adequately prepare for cybersecurity incidents. With recent amendments to the Act, the civil penalty if the Federal Court finds against RI could be as high as 10 per cent of annual turnover, capped at $555m.
As the first case of its kind in financial services, this is something of a wake-up call for corporate Australia. Although the outcome of these proceedings won’t be seen for months, legislative reform that could bring cases like this against companies across all industries is already in train.
In July 2021, the federal government released a discussion paper, Strengthening Australia’s cyber security regulations and incentives, as part of Australia’s Cyber Security Strategy 2020. It is the clearest evidence yet that regulators are serious about ramping up the board-level mandate for actively managing cyber security and resilience. The paper points to patchy knowledge and practice in how the boards of medium to large Australian companies monitor and manage cybersecurity risk. To address this, it puts forward both voluntary and mandatory options for a governance standard, with some concern that the cost of the latter is unwelcome while the economy is reeling from repeated lockdowns. Perhaps of greater concern is the comment that “currently, there is no regulator with the relevant skills, expertise and resources to develop and administer a mandatory standard that applies to all large businesses”.
Hunter or hunted?
If this is indeed the case, where can Australian companies and their boards turn for advice on meeting best practice cyber standards? Current guidance at a general level from ASIC and in the detailed mitigation measures from the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC), rests on four main pillars of cyber-strategy — govern, protect, detect and respond. While all four are of equal importance to a complete defensive strategy, it is detection that is most difficult to pin down in the scope and frequency of activities required to meet an acceptable standard. With the constant proliferation and evolution of threats, how can operational and executive teams satisfy directors, shareholders and regulators that their detection framework and tactics are fit for purpose?
In its advice to companies and directors on cyber resilience good practice, ASIC suggests three focus areas for detection. An entire paragraph explains the practice and purpose of “continuous monitoring” and “data analytics”, but “red teaming” is summarised simply as “employing technical specialists to work on breaking into an organisation’s networks”. The ACSC makes no mention of red teaming or even penetration testing as recommended practices in its Strategies to Mitigate Cyber Security Incidents. Instead, it suggests IT security teams should “hunt to discover incidents based on knowledge of adversary tradecraft”.
In 2021, high-profile targets including NSW Education and Nine Entertainment Group suffered cyber attacks. Threat hunting, as the ACSC recommends it, searches for signs of adversary activity that is already inside the environment, using knowledge of how real attackers operate. It is valuable, but on its own it cannot show a board whether the organisation would notice a capable intruder using tradecraft the hunters have not yet thought to look for, and the sophistication and variety of criminal threats keeps growing. Companies therefore need to consider picking up the intensity and cadence of their detection regime with red teaming, supplemented by capture the flag (CTF) exercises that build the defending team’s skills.
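The difference between a tradecraft-based hunt and what a red team tests is easier to see in code. The following is an added example written for this article, not code from ASIC, the ACSC or any organisation named here; the log format, the source addresses, the account names and the thresholds are all constructed for illustration. The hunt tests one hypothesis from adversary tradecraft, a password spray (one or two passwords tried against many accounts). Pivoted on source address it catches the noisy burst; a red team that spreads the same spray across many addresses slips under it, and only a second pivot across the whole estate picks that up. That is the question a board needs answered: not whether a hunt exists, but whether it would notice the intruder’s variant.

```python
# Tradecraft-based hunt for password spraying over an authentication log.
# Added example; the log below is constructed for illustration, not real data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One event per line: <ISO timestamp> <FAIL|OK> <user> <source_ip>
# 08:40  a genuine user mistypes a password once, then logs in
# 09:00  a noisy spray: one source fails against six accounts, then gets in as erin
# 10:00  the same spray distributed across ten sources, one account each
SAMPLE_LOG = """
2021-08-02T08:40:00 FAIL alice 192.0.2.5
2021-08-02T08:40:20 OK alice 192.0.2.5
2021-08-02T09:00:01 FAIL alice 203.0.113.10
2021-08-02T09:00:02 FAIL bob 203.0.113.10
2021-08-02T09:00:03 FAIL carol 203.0.113.10
2021-08-02T09:00:04 FAIL dave 203.0.113.10
2021-08-02T09:00:05 FAIL erin 203.0.113.10
2021-08-02T09:00:06 FAIL frank 203.0.113.10
2021-08-02T09:00:30 OK erin 203.0.113.10
2021-08-02T10:00:00 FAIL gina 198.51.100.1
2021-08-02T10:01:30 FAIL hank 198.51.100.2
2021-08-02T10:03:00 FAIL ivan 198.51.100.3
2021-08-02T10:04:30 FAIL judy 198.51.100.4
2021-08-02T10:06:00 FAIL kate 198.51.100.5
2021-08-02T10:07:30 FAIL liam 198.51.100.6
2021-08-02T10:09:00 FAIL mike 198.51.100.7
2021-08-02T10:10:30 FAIL nina 198.51.100.8
2021-08-02T10:12:00 FAIL omar 198.51.100.9
2021-08-02T10:13:30 FAIL pete 198.51.100.10
2021-08-02T10:15:00 OK judy 198.51.100.4
"""


def parse_log(text):
    """Parse log lines into (timestamp, result, user, source) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    events.sort(key=lambda e: e[0])
    return events


def hunt_spray(events, window=timedelta(minutes=10), min_users=5, pivot="source"):
    """Hypothesis: an attacker tries a few passwords against many accounts.

    pivot="source": distinct failing accounts per source address (one-host spray).
    pivot="global": distinct failing accounts across all sources (distributed spray).
    Returns one finding per non-overlapping window that reaches min_users.
    """
    failures = defaultdict(list)  # pivot key -> [(timestamp, user), ...], sorted
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src if pivot == "source" else "*"].append((ts, user))

    findings = []
    for key, fails in failures.items():
        i = 0
        while i < len(fails):
            start = fails[i][0]
            in_window = [(t, u) for t, u in fails[i:] if t < start + window]
            users = {u for _, u in in_window}
            if len(users) >= min_users:
                findings.append({"pivot": key, "start": start, "users": sorted(users)})
                i += len(in_window)  # do not report the same window twice
            else:
                i += 1
    return findings


def sprayed_then_succeeded(events, findings):
    """Triage: which sprayed accounts logged in successfully after the spray began?"""
    hits = set()
    for f in findings:
        targets = set(f["users"])
        for ts, result, user, _ in events:
            if result == "OK" and user in targets and ts > f["start"]:
                hits.add(user)
    return sorted(hits)


def run_hunt(text=SAMPLE_LOG):
    """Run the hunt with both pivots and return what each would have found."""
    events = parse_log(text)
    report = {}
    for pivot in ("source", "global"):
        findings = hunt_spray(events, pivot=pivot)
        report[pivot] = {"findings": findings,
                         "compromised": sprayed_then_succeeded(events, findings)}
    return report


if __name__ == "__main__":
    for pivot, result in run_hunt().items():
        print(f"pivot={pivot}: {len(result['findings'])} spray window(s)")
        for f in result["findings"]:
            print(f"  {f['start']:%H:%M:%S} via {f['pivot']}: {len(f['users'])} accounts")
        print(f"  sprayed accounts that then logged in: {result['compromised']}")
```

Run stand-alone, the source pivot reports only the 09:00 burst from 203.0.113.10 (and erin as the account that then logged in); the global pivot also reports the 10:00 window, and adds judy. A red team briefed to emulate a real adversary would use the distributed form, which is why a hunt that exists on paper still needs to be exercised.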
As ASIC describes it, red teaming involves hiring a third party to break into an organisation’s systems. In 2018, the G-7 defined ethical red teaming as “a controlled attempt to compromise the cyber resilience of an entity by simulating the tactics, techniques and procedures of real-life threat actors. It is based on targeted threat intelligence and focuses on an entity’s people, processes and technology, with minimal foreknowledge and impact on operations”.
Compared to penetration testing, which can be carried out by internal or external IT security experts against a defined scope, red teaming at regular intervals delivers a more revealing test of a company’s cyber resilience. Penetration testing is scoped and scheduled, and it tells you which vulnerabilities exist in the systems examined. A red team simulation has agreed objectives (the systems or data a real adversary would go after) known only to a small control group; the defending teams are not told when it will run or which route the attackers will take. That element of surprise is what makes it a true test of protection and detection, and of whether the people responsible actually respond.
Board buy-in essential
In a 2019 research paper from the Financial Stability Institute, Varying shades of red: how red team testing frameworks can enhance the cyber resilience of financial institutions, red teaming is identified as a critical cyber-resilience practice by eight financial authorities across the world, including the EU, Hong Kong, Saudi Arabia, Singapore and the UK. In these territories, red team testing frameworks have been put in place to help financial institutions more effectively identify and remedy weaknesses in their cybersecurity systems.
The paper’s authors also highlight how the outcomes from red teaming can be of significant value in refining scenario planning and protocols for response and recovery. By taking detection practices to the next level, companies are also able to reinforce their other strategic pillars — governance, protection and response. But as the paper points out, realising this value relies on cultural and resource support at board level and throughout the organisation.
The crackdown on cyber is coming. Scrutiny of a company’s resilience, whether from the regulator, from shareholders or from a criminal attack, may be the trigger for better visibility and governance. Regardless of who applies the pressure, boards must be prepared to vouch for the integrity and currency of detection and for how it informs risk evaluation and mitigation. With the right support, from both internal stakeholders and external services with appropriate knowledge and credentials, companies can level up their whole approach. Certifications such as Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP) are a reasonable baseline when vetting a red teaming provider, but they attest to general security knowledge rather than red team tradecraft: also ask for evidence of previous red team engagements, a documented rules-of-engagement and safety process, and the threat intelligence the scenarios will be built on. Expect a lead time of at least six months before a credible provider can start.