A message from Chief Information Security Officer (CISO) - QLD
As we find ourselves approaching June already, agencies are turning their thoughts to compiling their IS18 Annual returns and their assurance processes. The finishing touches are currently being placed on the 2020 report, which shows improvement in some agencies from the previous year, but still leaves many not meeting the desired levels of maturity and minimum requirements. This journey towards a risk-based IS18 policy has been underway since 2017. The ASD Essential 8 controls form part of the minimum requirements. These controls are still not fully implemented in all agencies.
Over the weeks we read of a ransomware attack against UnitingCare Queensland who run the Wesley and St Andrews Hospitals here in Brisbane along with many aged care facilities. The disruption and upheaval that this sort of event causes cannot be underestimated. Think for a moment you or your loved one could be diverted away to another hospital for critical medical care in the hour of greatest need.
The motivation and tactics of these cyber-criminals are well known, and they have continued to develop. In a modern-day ransomware attack, significant disruption and data loss are inflicted to solicit the payment of a ransom demand. Cyber-criminals continue to exploit the weak links in our environments. The disruption inflicted by COVID has only made their lives easier, while we are stretching our resources as we cope with the changes. Their business model is to turn our assets (data, systems, capability, reputation) into their money by turning those very things against us.
It is naïve to think your organisation is not a target of these cyber-criminals. It is also naïve to think that your preparedness for these attacks is sufficient if you have not tested your ability to prevent, detect and respond to these scenarios.
Some key protections against ransomware attacks are application whitelisting and timely patching. We are now routinely seeing new bugs being weaponised and exploited on a global scale within 24 hours of critical vulnerabilities being disclosed. The ability to assess and remediate critical vulnerabilities is now a core competency for all organisations.
Ask yourself:
How many critical vulnerabilities does our organisation currently carry?
How long have they been there?
What are the consequences of them being exploited?
Who is responsible for addressing them?
We constantly need to build rigour and agility into our security controls and processes to ensure they continue to address these changing threats. The annual IS18 return process is a time to reassess how well you are placed to deal with these threats.