Highlights

Highlights From Previous CIO Cyber and Risk Network Gatherings

December 2023

For the final Cyber and Risk Network call for 2023, the CIOs discussed:

  • Dealing with employee end-of-year burnout; a number of organisations had programs in place to deal with this
    • Including forcing employees to take leave
    • A couple of organisations had engaged Cybermindz
    • Almost all organisations had put in place change freezes
    • The idea of better meeting practices was discussed, including allowing staff to excuse themselves from meetings
    • Improving processes in general – not immediate effect (more structure around tasks and resourcing)
  • Security concerns and general discussion around AI
    • Most organisations agreed that MS Co-Pilot was not worth the cost, although Federal Government has done a deal with MS for a period of time for cheaper access
    • Some organisations still grappling with ethics and privacy; and basic guardrails for safe use of AI
    • One CIO mentioned they had introduced an AI working group – to work towards managing how it is used
    • One CIO mentioned BING chat enterprise is available and a good option
    • One organisation has developed a learning program for users
    • All agreed that getting practical use cases from the business was not easy
    • Training people on acceptable use of AI proving difficult
    • A couple of CIOs mentioned they were developing in GitHub
  • Australian Cyber Strategy feedback
    • A good step forward and progress on the original strategy (released only a few years ago)
    • Sets out a bold ambition, mapped to six ‘cyber shields’
    • Formalised new responsibilities for the National Cyber Security Coordinator, who is now responsible for improving maturity across Commonwealth Government agencies
    • Some are critical of a lack of detail about when and how action items will be delivered, although this is common of government cyber strategies
    • Keen to see the government engage closely with industry to co-design and jointly support the delivery of action items.

November 2023

On this month's call the CIOs discussed the Optus outage with a view to how to build resilience.

  1. One CIO was discussing how they are now tracking down who uses what connections for both business and private use
  2. It was agreed that organisations need diversity with their communications platforms, usually resulting in a mix of telco partners rather than a strategic vendor relationship
  3. All CIOs voiced their disappointment at the Government’s response; it was used for political grandstanding

What has changed:

  • One CIO quite mature with diversity/redundancy
  • Driving a decision on whether they need to push harder on diversity across multiple carriers
  • Improved SLAs – with providers
  • Optus will never agree to SLAs with 100% uptime
  • With technology being so pervasive this has emphasised the risk

The DP World breach was also discussed

  • The CIOs noted the changed tone from Govt regarding DP World versus Optus
  • Supply chain an issue once again, opening up vulnerabilities in supply chains
  • One CIO recommended patching the Citrix vulnerabilities; these were first published in July

Dave also shared hot issues being discussed across the cyber community

  1. Supply chain – critical that we know what we’ve got and where it is
  2. Suppliers/vendors in Middle East and Ukraine
    • SLAs not being met
    • Looking for alternative suppliers due to conflict
    • Taking a long time to map their supply chains
    • Staff once available at vendor are now fighting on frontlines
  3. Israeli company support channels affected by the war – staff and support no longer available

Dave also shared details of the latest ACSC annual threat report. More incidents and greater impacts observed nationally. Exec talking points have been attached – to assist with briefing boards.

October 2023

On Wednesday 11th October, we held our CIO Cyber and Risk Network roundtable in Sydney. The CIOs got to receive a TLP:RED briefing from a government agency on what this agency is seeing online from both criminals and nation state actors, as well as how adversaries are using AI as a force multiplier. (TL;DR, “It’s not Skynet, it’s just a bunch of people who can do stuff faster.”)

David Cullen from CISO Lens delivered a session on lessons learnt from the 2019 Victorian hospital ransomware attack. Also, a guest security executive from a large organisation which had suffered a recent public breach shared their perspectives on the aftermath of an incident and what that means for the staff of the company.

One of the CIOs shared the results of a red team exercise conducted against the company’s 100 most senior executives. The data from this exercise helped the executives realise that they were an easy way in, and that they needed to tighten up their policies and practices.

The CIOs also spoke about cyber insurance, Microsoft’s performance as a security vendor, and which vendors are producing good awareness content.

Some Key Takeaways

  1. All tech projects should include a 10 percent allocation for security. This allocation should be for: time, effort, cost, and headcount. Some projects may be less, some will be more, but 10 percent for all projects should equal out over time.
  2. If a platform or service is important, it must have multi-factor authentication (MFA).
  3. Phishing is a key avenue of attack for most organisations, so the HR consequences of failing phishing simulations need to be agreed on and adhered to. One participant shared that after two failed phishing simulations, that became a component of their performance review, but after three failed phishing simulations it became a key component and could result in zero payrise and/or performance bonus.

September 2023

On our call this month, the participants shared their various approaches to vulnerability management:

  1. The discussion centred on both their own patching policies (and the different SLAs for Critical and High versus Medium or Low, as well as internet facing, or not); as well as their concerns around the hidden vulnerabilities from SaaS providers.
  2. This moved into a discussion on how the participants went about assuring themselves on alerts, and ensuring that filtering out false positives did not potentially scoop up important alerts.
  3. One of the participants shared a recent incident where a staff member’s access had been compromised via an emailed QR code, and the resulting effects within the organisation.
  4. This moved the conversation into a discussion on awareness training, and another of the call participants shared that they were doing an intensive campaign against their executives ahead of a leadership offsite so they could present the results at this offsite.
  5. We also spoke a little about this incident, and will carry it over to the next call to talk in more depth.
    – ‘Microsoft’s slow outage recovery in Sydney due to insufficient staff on site’, DCD, 4th September 2023
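The patching policies discussed in item 1 above differ by severity tier (Critical and High versus Medium or Low) and by whether the asset is internet facing. The following is an added worked example, not something any participant shared and not any organisation's actual policy, of how such a tiered SLA can be encoded and used to produce an overdue list. The SLA day counts, asset names and CVE identifiers are constructed placeholders; the page gives no specific numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation SLA in days, keyed by (severity, internet_facing).
# These values are assumptions for illustration; the notes only say that SLAs
# differ by Critical/High versus Medium/Low and by internet exposure.
SLA_DAYS = {
    ("Critical", True): 2,
    ("Critical", False): 7,
    ("High", True): 7,
    ("High", False): 14,
    ("Medium", True): 30,
    ("Medium", False): 60,
    ("Low", True): 90,
    ("Low", False): 180,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str            # placeholder identifiers below, not real CVEs
    severity: str       # Critical / High / Medium / Low
    internet_facing: bool
    first_seen: date    # date the scanner first reported it


def sla_days(severity: str, internet_facing: bool) -> int:
    """Look up the remediation window; unknown tiers are an error, not a default."""
    key = (severity.capitalize(), internet_facing)
    if key not in SLA_DAYS:
        raise ValueError(f"unknown severity tier: {severity!r}")
    return SLA_DAYS[key]


def due_date(f: Finding) -> date:
    """Remediation deadline: first sighting plus the tier's SLA window."""
    return f.first_seen + timedelta(days=sla_days(f.severity, f.internet_facing))


def overdue(findings, today: date):
    """Return (finding, days_late) pairs past their SLA, most overdue first."""
    late = [(f, (today - due_date(f)).days) for f in findings if due_date(f) < today]
    return sorted(late, key=lambda pair: pair[1], reverse=True)


# Constructed sample scan output for demonstration only.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-PLACEHOLDER-0001", "Critical", True, date(2023, 9, 10)),
    Finding("intranet-02", "CVE-PLACEHOLDER-0002", "Medium", False, date(2023, 8, 1)),
    Finding("vpn-gw", "CVE-PLACEHOLDER-0003", "High", True, date(2023, 9, 5)),
    Finding("build-srv", "CVE-PLACEHOLDER-0004", "Low", False, date(2023, 3, 1)),
]


if __name__ == "__main__":
    report_date = date(2023, 9, 20)
    for f, days_late in overdue(SAMPLE_FINDINGS, report_date):
        exposure = "internet-facing" if f.internet_facing else "internal"
        print(f"{f.asset:12} {f.cve:22} {f.severity:8} {exposure:15} "
              f"due {due_date(f)} ({days_late} days late)")
```

The point of the lookup raising on an unknown tier, rather than defaulting to the longest window, is that a finding which falls outside the policy should surface as a policy gap instead of silently being given the most lenient deadline.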

August 2023

This month on our call, the discussions were focused on:

  1. AI and business impact, experiences and perspectives. From the discussion, it appears that most organisations are still working out how best to use LLMs (like ChatGPT). There was general agreement that putting a popup on the screen when users went to the OpenAI website to warn them against posting sensitive information was a pragmatic approach. The AI discussion was in response to one of the CIOs being asked to brief their board on this AICD discussion paper.
    Links shared:
    – What Are the Risks of Artificial Intelligence?
    – A Voice Deepfake Was Used to Scam a CEO Out of $243,000
    – What is Worm GPT? The New AI Behind the Recent Wave of Cyberattacks
  2. Changes in Zoom’s terms and conditions and what this could mean for sensitive calls. It was noted that apparently enterprise customers are being given the option to turn off their calls being monitored by Zoom; but this raised the question of how a third party using the free version would go when having a call with an enterprise version. It seems reasonable to assume that the enterprise version settings would take priority, but this is an assumption.
    – Zoom’s Updated Terms of Service Permit Training AI on User Content Without Opt-Out
  3. A brief discussion was also had on Microsoft security on the back of a threat actor, alleged to be Chinese, managing to force authentication tokens.
    – Schneier On Security: Microsoft Signing Key Stolen by Chinese
  4. An extensive conversation about the HWLE data breach, and specifically around the government response to this.
  5. A brief discussion on the corporate use of a keylogger in a recent case in Australia.
    – IAG Used Keystroke Logging to Investigate Productivity of Remote Worker

July 2023

This month on our call, the participants:

  1. Shared their organisations’ responses to ChatGPT. Depending almost entirely on the nature of the business, ChatGPT was either blocked outright, or was permitted but with cautions to not paste sensitive information into it.
  2. Discussed their views on the efficacy of third party assessments. Various approaches were shared; ranging from including the right to audit in contracts, through to ensuring that the most senior stakeholders were in alignment that the business would not use a supplier which did not pass a security assessment.
    – “Not doing a third party assessment is worse than doing one and relying on it.”
    – “It’s hard enough to bring Shadow IT into the IT tent, nevermind getting them up to our cyber security requirements.”
    – UpGuard was mentioned by some of the call participants as the platform they used to help with third party assessments; while noting that it is still very manual.
  3. Briefly discussed their views on cyber insurance.

Resources mentioned in the call: