Why are regular Security Reviews so important?

It really is a very good question, and the one we are most often faced with is: why should I pay now for a security review that I’ve never had to pay for in the past? Put simply, the world has changed and the prospect of cyber-attack is more prevalent than ever before. The proceeds from cybercrime are nearing 1% of global GDP, increasing from $445 billion in 2014 to as much as $600 billion according to reports released earlier this year. It certainly doesn’t appear to be slowing down, and we are at a stage now where all businesses have either experienced or heard of an attack at some level. The UK’s National Health System was crippled by a crypto attack last year labelled as ‘WannaCry’, and reports indicate that the attack could have simply been avoided. In Australia, we were very fortunate in this instance, as the attack wasn’t widespread in our region until enough time had passed for patches to be released and anti-virus vendors to intervene on the attacks. This is only one example of the hundreds of thousands since.

We often look to analogies in life to provide a relatable comparison to these situations, and in this instance we think about purchasing a car. Let’s say you purchased a brand new vehicle back in 2015. At the time, that car had all of the latest safety features: air-bags, predictive braking, etc. Fast forward a few years to 2018, and the same car manufacturer is now selling an even safer car with better safety features to protect you from risk on the roads. It’s not dissimilar when thinking about your business cybersecurity. Back in 2015, the latest and greatest security was surely providing an adequate level of protection, but today the same vendors that supply you with your corporate firewall or cloud operating platform have had to innovate and add improved security mechanisms to provide better protection to your business. As with the car, these improvements don’t just appear and start protecting you; you need to review what they are and which are the best fit for your business.

Sure, there are certainly some best practice elements which are applicable to all businesses, and that is a large part of the picture, but there are also many compliance and legislative requirements specific to your industry which you should take the time to review. The Notifiable Data Breach Scheme which came into effect in February applies to all Australian businesses. Many insurance companies and industry bodies also require members to take reasonable actions in relation to cybersecurity and threat awareness. So it is no longer simply a ‘nice to have’; in most cases, it is a mandatory practice which each business must undertake to comply with these regulations.

As a business, we’ve spent a considerable amount of time putting together a review process to aid our clients by reviewing their cybersecurity resilience. Whilst nobody can ever provide a 100% protection guarantee, this process goes a long way to mitigating a considerable amount of risk. A number of areas are reviewed, from password policies all the way through to end-user education sessions on what to look out for. We also provide our customers with a report indicating security levels before the review and after the implementation of a number of best practices through the review process. In many cases, we will also provide a list of further recommendations which can be implemented to further enhance your defences. These reports are very useful to demonstrate reasonable efforts to maintain security if you’re ever faced with an industry body review or an insurance renewal, to name a few.

When it all comes down to it, security is not something that can be skimped on. It is probably the most predominant element in ensuring your business continuity in today’s world and can no longer be treated as a cost, as it is quite simply an investment. ONGC recognises the importance of upgraded security and is effectively directing all of our clients to review their infrastructure and processes. Remember, the cost of not undertaking security exercises goes well beyond any ransom or technician charges to rebuild your environment. Government fines are real, insurance could be void, and the loss of face in the eyes of your clients far exceeds the investment in the review and the subsequent peace of mind it provides. For more information about our security reviews, please contact us.