It’s becoming more and more apparent that both business and government are getting serious about data security and protection as cyber attacks and information leaks become more common.
PricewaterhouseCoopers (PwC) recently released the 2016 Global State of Information Security Survey, and one of the key takeaways shows that an astonishing 91 per cent of organisations have adopted a risk-based framework or frameworks. But what exactly are these frameworks and are they appropriate for government as well as business?
This post looks at embracing a risk-based cybersecurity framework in government to help ensure your agency can:
- Keep its data more secure
- Enable better internal and external communication
- Identify threats quickly
- Expose potential security gaps
- Develop security standards
Is compliance enough?
Across the globe there are many industry standards that have been developed to protect organisations from the threat of an attack. However, simply going through the motions of compliance and ticking boxes may not be the best way to ensure your department’s information is safe.
The reason for this is that compliance may not cover all the risks associated with a government department, especially when sensitive information on citizens or national security is at stake.
Rather than focusing purely on compliance, government departments need to understand in detail what kind of impact a data breach could have on the organisation and any stakeholders involved. Having a risk-based approach will allow your department to better prepare itself in the long run.
Where to start when it comes to a risk-based approach?
A good place to start would be to familiarise yourself with international standards such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, SANS Critical Controls and ISO 27001.
Data breaches are indiscriminate, and getting to know the risks and approaches to mitigating these risks should be the first step in your framework.
The Information Security Manual released last year refers to this as having a strong security posture. It’s essential that potential intrusions are detected and responded to, rather than just trying to secure your organisation from specific attack threats as they may occur. The quicker and more effectively you can deal with an incident, the better the position you will be in when it comes to data loss or a security breach, and that is the essence of developing a risk-based approach to cybersecurity.
Collaboration is more powerful than ever
Two minds are more powerful than one — and this especially rings true in IT security. 65 per cent of the survey respondents said they collaborated with similar businesses and partners to improve cybersecurity and reduce cyber-risks by sharing data. These collaborative efforts are up by 15 per cent from 2013.
Organisations that collaborated said information from industry peers was more actionable and improved threat awareness. Those organisations not collaborating said it was because of system misalignment or because updates could not be communicated at network speed.
This may prove especially handy for government, as Turnbull recently announced investment in the digital marketplace to ensure more start-ups and SMEs have access to government tenders.
Final thoughts
Technology alone cannot secure your department from the risk of a devastating data leak. However, implementing the right risk assessment policy and standards will definitely help protect your organisation's data.
Further, taking a collaborative approach to cybersecurity in which intelligence is shared between external partners in the public and private sector will help yield greater knowledge on threats and the appropriate response techniques.
If you want to learn more about mitigating cybersecurity risks, register your pass for the Cyber Security conference powered by CeBIT Australia today. CeBIT Australia will be taking place on 2-4 May at Sydney Olympic Park; get your free visitor pass here.