The cyber arm of the Australian Defence Force, the Australian Signals Directorate (ASD), recently updated its most recommended strategies to prevent data breaches, doubling its previous four directives to eight guidelines, dubbed the “Essential Eight”.
This move has provided partners with some new evidence about cyber security from an independent body to take to customers, but will it increase adoption and opportunity?
Partners who see the new recommendations, which are mandatory for government departments, as a silver cyber bullet for the private sector will be disappointed, according to some partners, but the recommendations may be a decent place for businesses to start.
“I think a lot of organisations that look toward this Federal Government entity for guidance with their own cyber security strategy should look at this new list as a good starting point when reviewing their overall digital security posture,” IPSec principal security consultant, Bill Robson, said.
Similarly, Enosys sales director, Joseph Mesiti, said the revamped guidelines pointed to a strong focus on protecting and reducing the attack surface of the endpoint.
“Partners with a strong go-to-market in the endpoint protection space should see significant opportunities present themselves over the next 12 months with customers becoming acutely aware of limitations in their current endpoint solution,” he explained.
While partners agreed that the new rules would generate additional conversations on cyber readiness, some said the new “Essential Eight” could cause confusion with certain customers.
“The newly-revised list could be a help or a hindrance to cyber security consultancies, integrators, MSSPs, and resellers; whilst the list will provide further (independent) support for recommended cyber security remediation, the structure of it may introduce a level of confusion as to how to balance the relative outcomes and may also introduce complexity regarding the explanation of upfront and ongoing costs,” IPsec CTO, Ben Robson, said.
“It may be of particular interest to those MSSPs who can offer solutions addressing the ‘Essential Eight’ whilst reducing the upfront and ongoing costs for the client organisation.
“There are many organisations who take note of the ASD’s recommendations, but few will take it as literal guidance; most will take note of its contribution, blend it with other cyber security leadership standards, and finally rationalise to the needs of their own organisation,” Robson added.
“The recommendations will assist those organisations that choose to promote them to their clients,” Seccom Global director, Michael Demery, said. “The guidelines are a tool that companies can choose to use or not use, the same can be said about the organisations who choose or not choose to promote the recommendations to assist their clients.”
“Security-focused organisations have been educating customers on the information discussed in the ASD guidelines for some time as part of a larger security education process.
“I don’t believe ASD introducing the additional guidelines will make a lot of difference to those organisations that already have a security focus, but it is important for the ASD to continually update and promote these changes as threats continue to evolve,” Demery said.
In January, Australia’s Prime Minister, Malcolm Turnbull, warned that vulnerabilities stemming from “warmware” were among the top contenders for potential weaknesses in the country’s national cyber security posture.
“You can have flaws in the hardware that provide vulnerabilities, flaws in the software, and - as I often say - the biggest vulnerability is often the 'warmware'; the humans making mistakes, or, indeed, taking information as, say, Edward Snowden did, in a criminal fashion,” Turnbull told journalists on 24 January.
“The most important thing is to be aware and to practice good cyber hygiene,” he said. “What they [organisations] need is better practices. Generally, as I said, most of these vulnerabilities are a consequence of the 'warmware', the humans failing to protect themselves…opening an attachment to an email that contains phishing malware for example, something of that kind.”
This risk of human error is a constant one, but Mesiti said the ASD’s recognition of the issue was indicative of general heightened awareness and meant that organisations needed to move beyond relying on simple automated controls.
“I think the good old days of having offline backups as a security control really points to the prevalence and risk associated with ransomware and the fact that it is now considered an essential control by the ASD should prove to be a catalyst for a rethink,” Mesiti said.
“For partners with strong ties to government it would most likely present opportunities in helping to achieve compliance across gaps in technology and process, particularly related to continuous incident detection, endpoint protection and vulnerability management,” he added.