More boards and business leaders have focused their attention on cyber security initiatives in recent years. This is partially a result of increased reports on threats, including breaches that impacted some of Australia’s largest and most well-known companies. Leadership has also become responsible for understanding and overseeing cyber security initiatives, which has contributed to an increased focus on cyber security from the top down. For example, a PwC survey found that 22% of respondents believed the CEO should be responsible for managing data governance and privacy.
If you are among the leaders looking to address these challenges, you need more than basic, reactive approaches. To get your organisation to a more proactive state, a focus on cyber security maturity is needed.
Mature vs robust cyber security
Robust cyber security refers to the strength of your defences against threats. Robustness means that the organisation has incorporated people, processes and technology into the strategy, matching the business’ specific risks and potential threats.
Mature cyber security represents a business’ comprehensive efforts and evolving security capabilities. It emphasises continuous adaptation to the changing cyber landscape, ensuring the organisation anticipates and evolves with threats.
But what are the key characteristics that mark a mature cyber security strategy?
Adherence to cyber security frameworks
Cyber security frameworks are excellent starting points for shaping and standardising security practices. They offer a structured approach to improve cyber security maturity and ensure the organisation maintains compliance with regulations.
Two common frameworks that guide your cyber security maturity strategy include:
The NIST CSF: The National Institute of Standards and Technology Cyber Security Framework, soon to become the CSF 2.0, provides a comprehensive guideline for managing and reducing cyber security risks. Its core components cover identifying, protecting against, detecting, responding to, and recovering from cyber threats. Using the CSF, your organisation benefits from systematic risk management that enhances resilience against cyber threats and promotes a consistent response to incidents.
Essential Eight Maturity Model: The Essential Eight Maturity Model, developed by the Australian Cyber Security Centre, outlines eight fundamental strategies to mitigate cyber security incidents. These strategies include application control and hardening, regular backups, multi-factor authentication (MFA), and patching operating systems and applications. The model uses three levels to measure a company’s maturity in the eight areas. It provides a systematic approach for strengthening cyber security controls and minimising the risk of data breaches and their impact on operations.
Team training and a cyber security culture
While technology offers some measure of protection from cyber security threats, human error can undo all of that effort. From January to June 2023, 26% of data breaches reported to the Office of the Australian Information Commissioner (OAIC) resulted from human error. The causes included sensitive information sent to the wrong people, lost data storage devices, and unauthorised disclosure of information.
Reducing the chances of human error starts with embedding a cyber security culture. This initiative begins at the top. Leadership must set an example by engaging in and promoting best practices. Their commitment sets the tone for the entire organisation, signalling that cyber security is not just an IT issue but a company-wide priority.
Regular team training sessions are also essential to building a cyber security culture. These sessions raise awareness and instil best practices, ensuring every team member has the knowledge and tools to protect the organisation. With knowledge of current threats and consistent training, team members can identify and act on suspicious activity. Every informed employee contributes to the business’ overall cyber defence.
A multi-layered approach to defence
In the first six months of this year, malicious or criminal activity still accounted for the majority of reported data breaches – 70% – in Australia. No single security measure can adequately protect your organisation from these attacks.
For this reason, you need a ‘defence-in-depth’ approach to cyber security. This approach layers multiple controls so that no single failure lets an attacker breach your organisation. For example, your organisation might require a VPN for accessing sensitive data remotely and require MFA for every login over that VPN.
As more people work in a hybrid model, traditional, perimeter-based defences no longer suffice for protecting organisational data. Your team’s devices must have adequate protection to prevent unauthorised access. In addition, the organisation must protect any systems accessible via the device with strong passwords and MFA where possible.
The principle of least privilege takes this a step further. It ensures that individuals can access only the data and systems necessary for their roles and minimises the potential damage from any single point of compromise. This is where the zero-trust architecture comes into play.
Instead of the traditional ‘trust but verify’ approach, zero trust operates on the premise of ‘never trust, always verify’. This, combined with access management policies, ensures that even if a threat actor gains access, their ability to move laterally or view sensitive data is severely limited, further bolstering the business’ cyber defence.
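The following is an added illustration, not code from the original article, of how the defence-in-depth, least-privilege and zero-trust ideas above combine in a single access decision. It assumes a hypothetical, constructed role-to-permission map and a constructed access request shape; the names ROLE_PERMISSIONS, AccessRequest and authorise are invented for this example. Every request is verified (MFA and managed device) regardless of where it comes from, and access is denied by default unless the role has been explicitly granted that action on that resource, which is what limits lateral movement once a single account is compromised.

```python
from dataclasses import dataclass

# Constructed role-to-permission map (hypothetical, for this example only).
# Least privilege: each role lists only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "finance_analyst": {("payroll_db", "read")},
    "payroll_admin": {("payroll_db", "read"), ("payroll_db", "write")},
    "helpdesk": {("ticketing", "read"), ("ticketing", "write")},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool    # has this session completed MFA?
    device_managed: bool  # does the request come from a managed device?


def authorise(req: AccessRequest) -> tuple[bool, str]:
    """Deny-by-default decision: zero-trust checks first, then least privilege."""
    # Zero trust: 'never trust, always verify' applies to every request,
    # whether or not it arrives over the VPN or from inside the office.
    if not req.mfa_verified:
        return False, "mfa required"
    if not req.device_managed:
        return False, "unmanaged device"
    # Least privilege: only an explicitly granted (resource, action) passes.
    allowed = ROLE_PERMISSIONS.get(req.role, set())
    if (req.resource, req.action) not in allowed:
        return False, f"role '{req.role}' has no '{req.action}' on '{req.resource}'"
    return True, "allowed"


def evaluate_scenarios() -> list[tuple[str, bool, str]]:
    """Run a few constructed requests, including a compromised helpdesk account
    attempting to reach payroll data (lateral movement), and return decisions."""
    scenarios = [
        ("analyst reads payroll",
         AccessRequest("alice", "finance_analyst", "payroll_db", "read", True, True)),
        ("analyst writes payroll",
         AccessRequest("alice", "finance_analyst", "payroll_db", "write", True, True)),
        ("compromised helpdesk reads payroll",
         AccessRequest("bob", "helpdesk", "payroll_db", "read", True, True)),
        ("analyst without MFA",
         AccessRequest("alice", "finance_analyst", "payroll_db", "read", False, True)),
    ]
    return [(label, *authorise(req)) for label, req in scenarios]


if __name__ == "__main__":
    for label, ok, reason in evaluate_scenarios():
        print(f"{label:40s} -> {'ALLOW' if ok else 'DENY '} ({reason})")
```

The order of the checks matters: session and device verification happen before the role lookup, so a stolen password alone never reaches the permission map, and the map itself grants nothing that has not been listed. In a real deployment the map would come from your identity provider and the device and MFA signals from your endpoint and authentication services.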
Regular cyber security assessments and audits
Organisations should evaluate their key cyber security functions at least annually. CrowdStrike’s 2023 Global Threat Report found a 95% increase in attacks exploiting cloud environments with threat actors using more sophisticated techniques to gain access. As the landscape changes every year, your organisation must review and update security measures regularly.
A cyber security assessment evaluates your business’ preparedness against potential attacks. A thorough review of your incident response plan highlights areas of improvement and pinpoints gaps that may have appeared as your business has expanded.
The assessment goes beyond just spotting risks; it also measures the threats your business might encounter. Examining your assets in detail offers insights into how a threat actor would exploit them and the potential repercussions for the organisation. This holistic approach gives your organisation the information it needs to address threats effectively.
Cyber security maturity focuses on strengthening your company’s defences across several areas. The NIST CSF and Essential Eight Maturity Model are excellent foundations for improving maturity. In addition to these, cultivating a cyber security culture, taking a ‘defence-in-depth’ approach and undergoing regular cyber security assessments and audits ensure your organisation can meet threats as they arise.
recon can improve your company’s cyber security maturity
Creating and maintaining an in-house cyber security team involves significant investment. Our managed cyber services provide industry-leading knowledge and skills to enhance your business’ digital assets and achieve continuous outcomes, all for a fraction of what you would spend on the same in-house capabilities. Visit our Managed Services page for more information.