Posts tagged November
DP World cyber-attack


Late Friday 10 November, Australia’s largest port operator, DP World, suffered a serious cyber-attack. To minimise the impact of the attack, it shut down its connection to the internet, causing considerable disruption to port operations. It is gradually restoring operations, but could suffer additional pain due to industrial action.

“Even if DP World recovers from the cyberattack to full operations shortly, Guardian Australia understands customers remain frustrated at the prospect of delays due to protected industrial action from dock workers in coming days.”

APRA getting serious on cyber

CRN reports that APRA is losing patience with regulated entities:

"Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans," APRA Chair Lonsdale said.

"With the potential for serious impact to millions of Australians, our patience has run out."

Don’t forget that APRA not only focuses on regulated entities such as banks, insurers and superannuation companies, but also on the suppliers of material services to these entities.

In July, APRA also announced the new standard “CPS 230 Operational Risk Management”.

Chair John Lonsdale said “We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility.”

The key to becoming CPS 230 compliant is to start now! There is a lot to do and July 2025 will come around very quickly.

Lessons learnt from the Optus outage

We reckon the Optus outage holds two big lessons for all of us.

Lesson 1 - Our dependence on functioning telephony and data networks

The breadth of the impact has been enormous, and our dependence on all things digital will only increase over time. Because so many services verify your identity with a code sent to your mobile phone, losing mobile service also locked people out of those services, which made the outage even more impactful. Here are useful ideas we have collected in the last few days that will help reduce the impact of the next outage:

  • Paul Budde’s recommendation that we should be able to roam onto a network we do not normally use during an outage of our usual provider (the way a phone roams when you are overseas).

  • Great Vox article on ensuring you can survive if you lose access to your mobile.

Lesson 2 – Good crisis communications is critical

Clear and effective crisis communications are essential to maintaining your good reputation. Even though Optus was subject to a major cyber-attack last year that impacted many customers, it has not improved its ability to communicate. Madonna King neatly sums up the essentials of good crisis communications management:

  • Communicate quickly and stay on the front foot.

  • Be clear and don’t sell.

  • Be sincere.

  • Be mindful of the impact on your stakeholders.

Incredibly, telcos are currently not part of the Federal Government’s Security of Critical Infrastructure Act (SoCI)!

Another interesting AFR article compares the treatment of Optus and DP World in the press.

How CIOs can prepare to combat cyber attacks | Network World

If you’re like most chief information officers (CIOs), you may be feeling a sense of uncertainty and unpreparedness when it comes to dealing with cyber threats. And the truth is, you likely have good reason to feel that way.

“Cyber attackers are more organized and sophisticated than ever,” stated KPMG’s Steve Bates. “They’re using better tools and have greater access to funding — be it from competing corporations, rogue nations, or activist groups. These cyber criminals have the commitment and the means to breach and inflict significant damage to almost any company.”

What's in the fine print of your disaster recovery vendor agreement? | Network World

Disaster-recovery solutions require several complex, moving parts coordinated between your production site and the recovery site. Service-level agreements are ultimately the most accurate way to determine where responsibility lies for the disaster-recovery process and its execution. It’s important to have SLA documentation around these critical aspects of recovery so that customers have firm commitments from their vendor. It’s also important that a service provider’s agreements contain service-credit-backed SLAs for additional accountability.

Data breach hits Department of Social Services credit card system | The Guardian

The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached.

In letters sent in early November the department alerted the employees to “a data compromise relating to staff profiles within the department’s credit card management system prior to 2016”.

Compromised data includes credit card information, employees’ names, user names, work phone numbers, work emails, system passwords, Australian government services number, public service classification and organisation unit.

5 rules for smarter cyber communications | CSO

With the Equifax data breach continuing to make headlines, we’re seeing yet further proof that the way you communicate in the aftermath of an incident plays a significant role in determining its ultimate impact. Executives responsible for cybersecurity need to understand how a good cyber communications function works, and they need to make it a regular part of any conversation related to information security or risk management.

Workplace Recovery Report 2016 | The BCI and Regus

If adverse weather or system failures mean the workplace is no longer usable, where do employees go to continue working? Whether the incident only affects the organization's facilities or it’s area wide, there should be clear arrangements in place.

This report, in association with Regus, gathers responses from 914 respondents across 78 countries. It looks at how many organizations have workplace recovery arrangements in place, what those are, and how well informed the employees are on how it affects them.

TCFD Recommendations | Financial Stability Board

One of the essential functions of financial markets is to price risk to support informed, efficient capital-allocation decisions. Accurate and timely disclosure of current and past operating and financial results is fundamental to this function, but it is increasingly important to understand the governance and risk management context in which financial results are achieved.

The financial crisis of 2007-2008 was an important reminder of the repercussions that weak corporate governance and risk management practices can have on asset values. This has resulted in increased demand for transparency from organisations on their governance structures, strategies, and risk management practices. Without the right information, investors and others may incorrectly price or value assets, leading to a misallocation of capital.

Patricia Scheltus, November 2017
Horizon Scan 2017 | The BCI

Threats. Disruptions. Trends. There’s a lot to consider when putting together a business continuity plan. But what are the biggest risks facing your organization right now? Are we all worrying about the right things?

The Horizon Scan Report 2017 answers these questions and more. Created in association with BSI, it reflects the views of business continuity professionals in 726 organizations across 79 countries. Now in its sixth year, the report delivers insight that helps organizations plan for any challenging conditions coming their way, and to thrive in the long-term.

Strategies to mitigate cyber security incidents | ASD

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems.

This guidance is informed by ASD’s experience responding to cyber security incidents and performing vulnerability assessments and penetration testing for Australian government organisations.

Patricia Scheltus, November 2017
Using drones in business continuity planning and exercising | Continuity Central

The benefits of drone deployment during disaster recovery are well-known. They have supported emergency response teams around the world many times - providing critical, real-time insight for faster damage assessments and faster recovery decisions. But drones can also be deployed during business continuity planning and exercising to great effect, says Kate Treen.

For businesses with structural assets, such as buildings, powerlines, turbines and physical infrastructure, an incident is far more likely to have a severe impact when business continuity plan updates for these assets have not been effective or frequent enough. Collecting accurate data periodically (and aiming to reduce recovery times) can significantly improve the effectiveness of business continuity plans.
