David Burkett - Working Mouse
So, what is the Standard? Well, it's high. ISO 27001 Information Security Management is commonly accepted as the industry standard. We are undertaking this process ourselves; it takes several years and requires a significant upfront investment in audits.

Pete explained that he had also started the process for CyberMetrix, but after 18 months with little progress and not much to show for it, he canned the project.

Next on the list is a TPCRM (Third-Party Cyber Risk Management). TPCRM equates to a ticket to trade with the organisation and can make it VERY hard for an SME to supply to an enterprise.

I'm not sure if you've ever received a government cyber audit during the tender process... The audits usually equate to a spreadsheet with thousands of tables, for each of which you have to confirm compliance and, if not, explain why. Even as an I.T. company, I've seen the pain on our CTO's face trying to answer these, let alone anyone who isn't running a tech business.

So, also high.

The next option is to look at government advice. The Australian Federal Government focuses on the ASD Top 8; this model has different maturity levels but doesn't address cyber as a whole-of-business risk.

The last option Pete suggests is changing the way SMEs look at cyber. Traditionally the entry point was I.T., and therefore this was a function of an I.T. managed service provider. Pete suggests this is the wrong approach, as the problem comes down to people and governance.

There are a few essential things that every business can do. Good governance can save the company: have an incident response plan and train people on good cyber hygiene.

Regarding the models above, Pete recommends a simplified downstream TPCRM approach for enterprises, focusing on the long tail of suppliers in 2 steps:

1. Discover the level of certification you require your suppliers to retain, using a categorisation matrix.

2. Follow the Cyber Security Certification Australia (CSCAU) process for SME suppliers to meet your defined level.

To achieve a strong supply chain, the process needs to lead from the top down. If enterprise customers request this from their vendors, and from their vendors' vendors, in an easy and fair manner, this will improve the maturity of most SMEs.

In short, it comes down to asking yourself one crucial question: how are you validating your vendors' cyber resilience, and that of those who support them?