
Protection in the connected era

Driven by the demand for greater agility, flexibility and enablement to connect to the world, customers are embracing the cloud en masse. This month we explore what this connected era means for cloud security and protection.


Cyber security: Are your people the problem?


Chief information officers typically take a high-tech approach to cyber security, unwisely ignoring a crucial, familiar presence: staff.

Australia has a remarkably high cyber-attack rate. From 2014 to 2015, the frequency almost tripled that of the rest of the world, according to a PwC survey, which revealed that despite strong investment, “Australian businesses still face significant cyber challenges”.

Complicating matters, organisations are struggling to accept that cybercrime is a people problem, as much as a technology one, PwC cyber czar Steve Ingram says. Heavy investment in technology is futile, he adds, if staff error amounts to sabotage, no matter how accidental.

Ingram’s own-goal take is echoed by the Australian Cyber Security Centre (ACSC), which found in a 2015 report that the “trusted insider” was of most concern to respondents. No less than 60 per cent worried about the threat of internal incompetence. Cited factors contributing to security incidents included staff errors or omissions, misconfigured systems, and poor security culture.

Alas, the ACSC also says, more and more investment is going into technical controls while the risks arising from people get overlooked.

 

Get staff on side

The chief information security officer (CISO) at security firm Blue Coat ANZ, Damien Manuel, suggests that some of the issue lies with the aggressive gatekeeper-style approach that CISOs have traditionally taken – without bothering to explain the hows and whys to staff.

“No employee wants to be the source of damage to a business or responsible for a data breach that hits the headlines,” Manuel says. “But unfortunately, many employees see CISOs and their teams as disciplinarians who issue arbitrary rules – or worse, as an obstacle to be bypassed in order to ‘get work done’.

“Outright banning of cloud-based technology won’t work, so CISOs must make a case for good security practices that appeal to busy employees who don’t necessarily understand IT, and that balance security with employee productivity.”

Security consultant Corch X, founder and managing director of Shogun Cybersecurity, echoes Manuel’s point about poor understanding. “A successful cyber security strategy has to recognise that the people in an organisation have vulnerabilities, just like IT does, and that, like IT, people need frequent security updates – training and awareness programs – to be resilient in the face of constantly evolving threats.

“It’s not enough to make people sit through a web-based training course when they sign up with the company – it takes continuous effort to maintain current cyber security skills,” says Corch, whose experience spans federal government, banking and finance.

Like a server that never gets patched once deployed, an employee without regular training in spotting and responding to cutting-edge threats becomes easier to exploit over time, he says. Despite huge security budgets, organisations struggle to lift their game because they overlook how fallible people can be – information security is still seen by executives as purely an IT problem with purely IT solutions, he adds.

“Moreover, the IT solutions they favour are overwhelmingly focused on perimeter defences and the idea that hackers can be kept out with firewalls and fancy algorithms,” Corch says. “Not enough attention is paid to training staff how to recognise and respond to a cyber incident.”

The failure of the purely technical approach to cyber security is demonstrated by today’s threat landscape, Corch says, citing phishing, malware and “browser exploits” including malicious JavaScript execution.

“What do all these threats have in common? They infiltrate secure networks by leveraging the very services that businesses have come to depend on every day, email and web browsing. They succeed because they understand a fundamental principle of cyber security: people are easier to exploit than computers.”

 

What do all these threats have in common? They succeed because they understand a fundamental principle of cyber security: people are easier to exploit than computers.
– Corch X, founder and managing director, Shogun Cybersecurity

 

Train staff, report trouble

Corch’s advice: train staff to avoid clicking links they do not recognise or trust. In fact, they should refrain from opening emails from untrusted senders at all. Across your organisation, use browser plug-ins or web content filters to disable JavaScript by default. Skip installing Flash unless you have a specific business need. A versatile plug-in such as Flashblock can be used to block Flash by default but allow click-to-play for users that need it.

Another option is simulated phishing programs that mimic real phishing attacks and train users to spot and dodge phishing ploys. The fake phish programs indicate employees’ baseline susceptibility and their room for improvement through training.

It’s crucial to avoid taking a carefree attitude to in-house browsing because the tendency to sink more investment into technical solutions only gets you so far.

“It doesn’t matter how much you spend on technology if your suppliers are doing the same or if your people don’t understand their role in cyber,” Ingram says in the PwC report.

If, despite your best efforts, your people stuff up and you are hit by hackers, make life easier for everyone by reporting the breach to the main contact point for cyber security issues dogging big Australian businesses: CERT Australia, the ACSC says. Or get in touch with the Australian Cybercrime Online Reporting Network (ACORN), which aims to make it easier for people to recognise, report and avoid common kinds of cybercrime.

“Reporting helps develop a better understanding of the cybercrime affecting Australia,” the ACSC says. “By understanding the enablers, we can make it harder and less rewarding to commit cybercrime, therefore making Australia a safer place to do business.”

 

Idea in brief

Cybercrime begins at the frontline. Here’s how to minimise risk:

  • Focus your attention on your staff
  • Upskill your team
  • Ensure everyone has a grasp of what not to click
  • Continue the training to keep pace with new threats

With big data comes great responsibility


As customers grasp just how much organisations value their data, trust becomes key to retaining their loyalty.

Big companies are capturing ever more user data – petabytes of the stuff that end up stowed in the cloud. The question now is how leaders can cultivate trust amid widespread concern about prying and data loss.

First, get the basics right – ensure your terms-and-conditions are clear. “Most people never read them unless they are in plain English,” the chief executive of feedback-sharing platform Pay Compliment, David Perks, says.

Also ensure that your application architecture meets industry standards. This means having strong security and data encryption at every layer, from the user interface to the storage system.

Besides, you need responsible backup-and-recovery measures in place to prevent data loss. You might even want to empower clients with the ability to obtain and re-home their data, should they wish, Perks suggests.

According to the director of analytics and insights at digital agency Deepend, Dan Taylor, the key to reassuring your clients is transparency and being totally open about capturing data.

“Explain to your customers how data collection benefits them – your customers are smart, and many accept that contributing data generates a more streamlined experience,” he says.

The final tip comes from thought leader Rachel Botsman, an expert on trust and the collaborative economy, who advises avoiding cosmetic solutions. Establish a deep, close connection, Botsman says, because focusing on the efficiency of apps only gets you so far.

What people want is “human essence”, she says. “I’m more forgiving of someone I actually know and trust.” Botsman urges leaders to view dealings with clients not so much as a transaction but as a relationship or “emotional journey”.

In line with this, be open and positive – spell out your data capture methods, citing the advantages that disclosure brings, so clients buy into the bargain. Strive to connect with them personally, on a first-name basis, aiming at a sustained relationship.

This sort of effort is vital because, according to Botsman, today’s clued-in consumers have no time for sloppy service. If your organisation disappoints, be ready to make amends, she says, showing that leadership takes both guts and humility.

 

People want the human essence – I’m much more forgiving of someone I actually know and trust.
– Rachel Botsman, global thought leader

 

Idea in brief

  • Get the basics right – make terms and conditions clear
  • Be transparent – explain how data collection benefits customers
  • Establish a connection – build a sustained relationship

Ask your Telstra AE about how to use security and privacy strategies to protect customers and improve your business.

 

The white hats: Three ways hacking improves security


Who knew hacking could be the answer to rising concerns about cyber security?

There’s a secret to corporate security that may surprise you – get a “white-hat” hacker to expose vulnerabilities in your company’s systems.

A white-hat hacker is a digital security specialist who attempts to break into protected systems and networks to test and assess their security. It’s all about intention: black-hat hackers have a similar skill set, but break into systems to steal data or do damage.

Forward-thinking organisations are recruiting white hats to discover and repair any vulnerabilities – by hacking the systems first.

Needless to say, it’s crucial to find professional white hats your company trusts before granting permissions for network tests. But the results may surprise you – and save your company from disaster.

Here are just three of the ways hacking can improve cyber security:

 

Hacking exposes holes

White-hat hackers use a combination of vulnerability and penetration-testing techniques to gauge a business’s IT system and flag liabilities – in much the same way a criminal hacker would. Security staff can then analyse results to remediate weaknesses, develop stronger defences and lower overall risk.

Every year since 2012, an alliance of Australian government, business and academic professionals known as CySCA has run a 24-hour hacking competition designed to test technical skills and foster local cyber-security talent. Competitions such as this deliberately target an organisation’s online infrastructure to determine the possibility of malicious activities and system weaknesses.

 

Hacking adds value

Integrating ethical hacking into existing security initiatives such as internal audits and compliance checks can have the added advantage of providing clients with in-depth security assessments at the same time as recruiting highly skilled individuals.

In early 2016, France’s national state-owned rail company, SNCF, made headlines when it used an online hacking game called The Impossible Challenge as a targeted recruitment tool for white hats to hack its own mainframe. The challenge was a success with just six of the 11,256 competitors completing all stages.

 

Hacking is proactive

Hacking allows organisations to get ahead of the problem without inciting panic. Awareness of issues allows IT leaders to make level-headed, long-term security decisions rather than resorting to temporary fixes under pressure in the wake of an attack.

Many websites and software developers offer “bug bounty” deals where participants receive payment and recognition for finding and reporting system vulnerabilities. This year Facebook paid 22-year-old Anand Prakash, a software engineer from India, $US15,000 for informing the company of a bug that allowed access to messages, credit/debit card details, and photographs.

In a report earlier this year, Facebook security engineer Reginaldo Silva said: “Since it launched in 2011, our bug bounty program has received 2400+ valid submissions and awarded more than $US4.3 million to 800+ researchers around the world.”

 

Cyber security has become a business risk, not just an IT risk. Discover the latest security trends for Australian and Asia Pacific businesses and get insights to help reduce these risks. Download the Report.

Speak to a Telstra Security Specialist. We can discuss your high-level security posture and help you manage the risk.

 


Clear air: Jurlique moves to the cloud


The adoption of cloud technology can have enormous business benefits, extending well beyond the bottom line and into workplace culture and brand perceptions.

For Australian-based organic skincare company Jurlique, sustainability is just as important as the high-quality products it makes and sells in more than 20 countries around the globe.

In 2012, when the company hit a crossroad, the choice was clear: update ageing IT infrastructure to eradicate communications issues and connect staff globally, or risk being left behind.

Consistent with the company’s eco-philosophy, Jurlique also wanted to find a cleaner and greener way of working. “Our dream was to connect people back to nature,” said Jurlique co-founder Ulrike Klein. “The connection, that’s the really important thing for us as human beings.”

 

The perfect solution

The company settled on upgrading to cloud technology, shutting down two dedicated large servers and 15 smaller servers that had previously been located in-house. The flexibility, environmental benefits and added utility of cloud technology were a perfect fit for Jurlique’s needs.

In making the move, the company made a net saving of 79 tonnes of carbon a year, as well as saving $24,000 a year in energy costs. As part of its five-year sustainability plan, Jurlique also aimed to reduce carbon emissions by 20 per cent through its migration to the cloud.

The move to the cloud has improved workplace efficiency, and helped keep Jurlique agile and flexible as it competes in the global skincare market. Through the use of advanced video conferencing, staff are contactable regardless of where they are in the world. This, in turn, has cut down on staff travel, further reducing Jurlique’s travel-related carbon emissions by 16 per cent.

With the cloud offering new data-driven insights into Jurlique’s customer base, the company is fostering stronger relationships with customers along with a minimised environmental footprint – bringing the company ever closer to realising its founders’ vision.

 

Contact your Telstra AE to find out how you can transform your business using the power of the cloud.

 


Cyber security begins in the C-suite


Keeping data and processes secure is not just an IT issue – it’s a business issue, and it needs company-wide engagement.

The digitalisation of the economy is only increasing – if anything, at great speed – meaning cyber risk is also here to stay. Not surprisingly, business surveys consistently show that cybercrime, and its impact on brand and reputation in particular, ranks among the biggest concerns for chief executives.

Companies can harness technology to contain costs, improve business processes, sharpen product and service offerings, and deepen their knowledge of customers. But there’s a flipside to this digital Eden: heightened exposure to potentially catastrophic cyber-breaches.

The frequency of cyber-attacks and internal cyber-bungles, coupled with their potential to cause companies deep and perhaps permanent harm, is prompting a rethink of how companies respond.

Telstra’s chief information security officer, Mike Burgess, and chief risk officer, Kate Hughes, believe the key to creating an effective cyber-risk management response starts with recognising that cyber security is not just an IT risk, but a business risk.

“Cyber risk should not be seen as something separate to be managed differently,” Hughes says. “We’ve developed an overarching governance framework which recognises that cyber risk exists alongside other business risks.”

 

Cyber security is a business risk first and foremost, which makes it a leadership issue. That starting point is absolutely key to an effective cyber strategy.
– Mike Burgess

 

A seat at the table

When wise heads gather at the table to discuss the growing problem of cyber risk and data security, that table is located not in the IT department but in the C-suite.

Burgess insists that as long as cyber risk is considered an “IT issue”, company-wide buy-in and even C-suite buy-in will be difficult to achieve.

“People will say ‘this is a computer problem therefore it’s not my responsibility, we’ll leave it to the IT department’; that’s the biggest challenge organisations face when it comes to cyber security,” he says.

The way to address this, according to Burgess, is “the constant drumbeat of engagement”.

“Cyber security is a business risk first and foremost, which makes it a leadership issue,” he says. “That starting point is absolutely key to an effective cyber strategy.”

For cyber risk issues to be rigorously canvassed in the C-suite, Hughes adds it is essential to speak the language of the C-suite. This, apparently, is a skill Burgess has down pat.

“Mike engages in a truly commercial way with our leadership team – by that I mean he gets away from the technical jargon and doesn’t treat it as some kind of rare specialisation – he talks about it as a serious commercial business risk,” she says.

“It’s taking cyber risk out of the technical sphere and getting it to a place where we can talk about it in the same way we talk about privacy, business resilience or safety.”

Hughes says the challenge is no less real for her as chief risk officer. “CROs should not let cyber-security risk become something special and different,” she says.

“Risk is risk. Whether it’s digital or real-world, the trick is to apply the same thinking and rigour we do to other significant risks.”

 

Idea in brief

  • Any company with stored data is at risk of potentially disastrous hacking
  • Companies need to think about both prevention and response strategies
  • Cybercrime, and its impact on brand reputation, is a big concern for any CEO
  • Managing cyber-risk requires company-wide engagement
