The recent ransomware attack on Victoria’s Health Sector and breach of ANU’s administrative systems both serve to highlight the need to prioritise and build an effective cyber security management program, where raising security awareness is key to protecting systems and data.

End users remain the most vulnerable point of initial attack through phishing.   Weak protection and access controls (eg. passwords, authentication) of infrastructure – including legacy infrastructure can lead to networks being further compromised.  Incident response time is also paramount to mitigating further attacks.

In planning an effective security management program, one must consider factors including but not limited to: user awareness education; access controls; incident response times; purple teaming – by combining red (attackers) and blue (defenders) teams to simulate an attack and gauge responses; providing technical training to developers to build applications that are more resilient to current and emerging threats.  At the executive and boardroom levels, risk modelling should be presented to better understand cyber risks and implications – blending traditional risk assessment approaches with contemporary approaches to technical testing and validating controls.

It is imperative that organisations adopt a whole-of-business approach when addressing security concerns, educating all of its members from boardroom to basement, engendering a positive cultural change in its security posture.