Telstra has warned organisations to not rely purely on technological capabilities when defending against cyber threats, pointing to a need for “the other parts of cybersecurity” such as cyber risk management programs also be prioritised.
“An information security management system that is driven by managing cyber risk provides the governance of cybersecurity that’s required to go along with all of the technology components that are regularly found to be in place,” said John Powell, Telstra Purple principal security consultant.
In terms of how organisations should undertake the development of cyber risk management programs, Powell said the approach for each organisation would need to be sector-specific rather than focusing on creating “bank-level security”.
“[There’s] this misconception that there is ‘bank-level security’. The key to cyber risk management and information security management is the understanding of your contextual risk,” Powell explained.
“So we look at the organisation’s threat landscape, we look at the organisation’s assets, and that helps us to determine what the organisation’s risks are. From that point, we then work with the organisation to understand what controls they need to put in to deal with their risks so understanding the risk of the organisation itself is what is the right risk management or cybersecurity posture.”
The warning came alongside Telstra Purple launching what it has described as a “bespoke offering” for helping customers comply with the federal government’s recent critical infrastructure reforms.
The reforms have so far come in the form of two pieces of legislation, with the first one already being passed in December to give government “last resort” powers to direct a critical infrastructure entity on how to intervene against cyber attacks.
The second piece of legislation, currently before Parliament, looks to add requirements for critical infrastructure entities to have risk management programs in place and entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations.
The risk management program under the second set of laws would have to identify hazards, including cyber risks, to critical infrastructure assets and the likelihood of them occurring.
Telstra Purple’s new service entails providing advice about the development of a cyber risk management program, cyber detection and response, incident response readiness assessments, vulnerability assessments, and cyber exercises.
Powell said the target demographic of this new service would be critical infrastructure entities covered by the reforms as well as the supply chain partners to these entities.
“[Telstra Purple’s role] is to actually present to customers and talk about security issues, and help understand some of the security implications associated with either being a critical infrastructure operator or a responsible entity for critical infrastructure asset or being in that supply chain,” Powell explained.
Powell’s warning comes shortly after Prime Minister Scott Morrison called for organisations to boost their cyber defence in light of the Australian government joining other Western governments in placing sanctions on Russia for its invasion into Ukraine.
Morrison said the government had already privately reached out to some entities and that local organisations should read guidance issued by the Australian Cyber Security Centre (ACSC).
The prime minister added that cyber would be the most obvious vector for Russian retaliation, and that companies could be targeted as well as be cyber collateral damage.
“The cyber attacks can sometimes come from miscalculation and misadventure, we have seen that in the past, where cyber attacks have sought to let loose various worms … or viruses and they get out of control of those who put them in the system,” he said.