Deciding which controls to invest in is often one of the biggest challenges for organisations. Do you start with standards, technology, security awareness training or organisational change? Is physical security more important than logical security? Which threats are affecting your industry, and which ones are actively targeting your company? How much money do you need to spend to reduce cyber risk? There is an overabundance of advice telling companies what they need to think about, but what should they really focus on if they are unsure what first steps to take?
The Australian Cyber Security Centre (ACSC) publishes a portfolio of cyber guidance documents on all manner of controls and threat mitigation strategies. One such publication, known as the Essential 8, covers eight of the most fundamental security controls organisations can deploy.
These eight security risk mitigation strategies are not ordered by risk mitigation value, as that is something the implementer needs to determine; rather they are offered as basic security hygiene advice that all companies should be following. Take patching, for example. The Essential 8 contains two separate entries for patching: for applications and for operating systems. Interestingly, patching has been a requirement of ICT services since the 1990s, yet companies still struggle to do it well. The infrastructure to help with operating system patches is better than ever, but organisations are still failing to install them. A legacy service management mindset forces infrastructure teams to push patches through a complicated release process, which holds back deployment. When other operational priorities get in the way, patching often drops off the work-plan altogether. Furthermore, application patches are in an even worse state, since vendors often don’t auto-update their clients in the way Microsoft and Apple do and ICT managers don’t know their applications are vulnerable.
From a patching perspective, gaining a reasonable level of maturity is a complicated process. Businesses need to change the way they handle deployment of patches into the production environment, trusting vendors to have done the regression testing needed to make sure the patch doesn’t break the application. The risk of being exposed to a critical vulnerability is greater than the risk of the patch itself causing harm, and with a staged roll-out and a back-out plan, there is no reason why critical patches can’t be rolled out within 24 hours of receipt.
Interestingly, one such back-out plan for a failed patch deployment might be to restore from a previous backup. This is also one of the Essential 8 controls. Having quality, validated backups that can confidently be restored is, like patching, a fundamental ICT service management capability that has been practised since the nineties. But again, as with patching, it’s not something that organisations are doing well. Neither of these control sets is security operations; rather, they are basic common sense. Often it’s process that’s getting in the way, rather than technology, so to mature in security posture, it’s this legacy thinking and these outdated governance processes that should be fixed.
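The patching and backup discipline described above (staged roll-out, a back-out plan resting on a restore-tested backup, and critical patches fully deployed within 24 hours of receipt) can be checked mechanically against patch records. The following is an added example written for this post, not an ACSC or Essential 8 artefact; the ring names, the record layout and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CRITICAL_SLA = timedelta(hours=24)      # target stated in the post for critical patches
RING_ORDER = ["pilot", "broad"]         # assumed staged roll-out rings, earliest first


@dataclass
class PatchRecord:
    patch_id: str
    severity: str                                    # "critical" or "routine"
    received: datetime                               # when the vendor patch arrived
    ring_deployed: Dict[str, datetime] = field(default_factory=dict)  # ring -> deploy time
    backup_validated_at: Optional[datetime] = None   # last restore-tested backup


def assess(rec: PatchRecord) -> List[str]:
    """Return policy findings for one record; an empty list means compliant."""
    findings = []
    # 1. Back-out plan: a restore-tested backup must predate the first deployment.
    first_deploy = min(rec.ring_deployed.values(), default=None)
    if first_deploy and (rec.backup_validated_at is None
                         or rec.backup_validated_at > first_deploy):
        findings.append("no validated backup before first deployment")
    # 2. Staged roll-out: each ring must be deployed after the ring before it.
    times = [rec.ring_deployed.get(r) for r in RING_ORDER]
    for earlier, later, ring in zip(times, times[1:], RING_ORDER[1:]):
        if later is not None and (earlier is None or later < earlier):
            findings.append(f"ring '{ring}' deployed before its predecessor")
    # 3. Critical patches: the final ring must complete within the 24h SLA.
    if rec.severity == "critical":
        final = rec.ring_deployed.get(RING_ORDER[-1])
        if final is None or final - rec.received > CRITICAL_SLA:
            findings.append("critical patch not fully deployed within 24h")
    return findings


# Constructed sample records (not real patches): one compliant, one late, one unstaged.
SAMPLE_RECORDS = [
    PatchRecord("PATCH-A", "critical", datetime(2024, 3, 1, 9),
                {"pilot": datetime(2024, 3, 1, 12), "broad": datetime(2024, 3, 2, 6)},
                datetime(2024, 2, 29, 22)),
    PatchRecord("PATCH-B", "critical", datetime(2024, 3, 1, 9),
                {"pilot": datetime(2024, 3, 3, 9), "broad": datetime(2024, 3, 4, 9)},
                datetime(2024, 2, 29, 22)),
    PatchRecord("PATCH-C", "routine", datetime(2024, 3, 1, 9),
                {"broad": datetime(2024, 3, 2, 10)}, None),
]


def assess_all(records: List[PatchRecord]) -> Dict[str, List[str]]:
    """Map each patch id to its findings, for reporting to the change board."""
    return {r.patch_id: assess(r) for r in records}
```

Running `assess_all(SAMPLE_RECORDS)` flags PATCH-B for breaching the 24-hour target and PATCH-C for skipping the pilot ring and lacking a validated backup, while PATCH-A passes.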
Next week we’ll talk further about the remaining five Essential 8 controls and insourcing vs outsourcing managed security service providers.