Cyber: your whole organisation is the attack surface
Cyber security underpins the modern world. Without effective safeguards, the world grinds to a halt or is held to ransom. Cyber risk is pervasive and can destroy organisations if not taken seriously. KSIB focuses on providing strategic advice to effectively and efficiently manage this risk. Our work in this area is led by one of Australia’s most experienced technologists and security experts. We work extensively with AI and we partner with other cyber experts when needed. Our main areas of focus include:
- Strategically understanding and managing cyber risk
- Board and executive cyber risk governance
- Breach and incident preparedness and response
- AI security
Boards and senior executives cannot outsource the management of this pervasive risk to CIOs and CISOs. It is important that those charged with governance understand the changing risk landscape. For example, in an AI-enabled world, the cyber risk has just increased exponentially. If a breach does occur, it is often the non-technology executives who need to take responsibility for the holistic management of the issue, and there are many areas to consider. In our experience, for large organisations, approximately a dozen key areas of the organisation will need to be involved in the preparation for, and management of, a breach.
Case Study 01
Understanding the full scope of a cyber incident
2022, Australia
In 2022, a major Australian organisation was breached. Nearly 10 million confidential records were exposed. The attackers got in through stolen credentials. Nothing sophisticated.
The response required more than a dozen parts of the organisation
The ransom decision sat with the board, not the IT team. Responding to the breach required coordinated action across:
- Board
- Law enforcement
- Media
- CEO
- Customer communications
- Government relations
- Legal
- Insurers
- Regulators
- External forensics teams
Organisations that have not stress-tested their preparedness, forensic logging, analytics and response capabilities across every one of those functions should be asking: what happens when the threat is no longer a stolen password, but an AI that can find and exploit weaknesses faster than any human attacker?
Now is the time to test your preparedness: across the board, not just in IT.
KSIB can strategically assess your situation and help you strengthen your defences or respond to a threat or incident. Our team brings differentiated capabilities, including strong AI security experience and experience of leading breach and incident response that goes beyond technology leadership.
KSIB Insights
What has surprised us most about managing cyber risk and dealing with a major breach
A number of members of our team have had direct experience with both preventing and managing a major cyber attack in large, complex organisations. This experience incorporates non-technical leadership experience as well as deep domain expertise. The following insights from our experiences surprised us the most.
Key insights from experience
Cyber is never done
Like AI, the threat landscape evolves continuously. Frameworks provide structure, but they are lagging indicators of good practice, not guarantees. The organisations that fare best treat cyber as a living discipline. Benchmarking against peers is useful but may not provide protection from threat actors. "Attackers do not read your risk assessment spreadsheets."
Visibility is king
You cannot protect what you cannot see. The single most important investment an organisation can make (ahead of any specific security tool) is knowing what assets you have, what data sits where, who has access, and what activity is occurring across your environment. Organisations that lack this visibility before a breach will fight blind when one occurs.
Preserve everything
Logs, disk images, access records. Preservation of evidence must be the priority from the moment an incident is declared. The first instinct might be to remediate and contain immediately, but sometimes this destroys forensic evidence, which can make it impossible ever to answer important questions.
When a breach hits, state only facts
The executive leading the response will be overwhelmed immediately with multiple simultaneous issues to deal with. In that chaos, assumptions made under pressure harden into accepted truth, and when they later prove false, they undermine every decision built upon them. Disciplined response requires the courage to say "we don't yet know."
Expert opinions will conflict
Forensic analysts, legal counsel, communications advisers, insurers and customers will each bring legitimate but competing views. Managing these tensions with incomplete information is the real job of crisis leadership.
Divide and conquer
A breach response is not one workstream; it is at least ten concurrent operations competing for the same scarce resources. Forensics, containment, restoration, hardening, regulatory notifications, customer communications, legal coverage, operational continuity, vendor management, and board reporting each need a designated owner from day one.
Understanding what happened and what was taken is difficult
These questions take longest to resolve, particularly in organisations with many systems, a large attack surface, and years of data with inconsistent classifications.
Follow-up questions the Board and management will ask
- Is the attacker still in our environment? How would we know?
- What are our regulatory and customer notification obligations and status?
- Have we covered off insurance-related questions and answers?
- Who else is affected (partners, suppliers, customers)?
- What is the full timeline of who knew what and when?
- What data was taken and how can we be sure?
- How did the attack happen (including all contributing weaknesses)?
- Could it happen again? How do we prevent it happening again?
- Why didn't we understand this risk earlier? (when did we first consider it?)
- Why didn't we detect this risk earlier? (when did we first detect it?)
- Why didn't we block this risk earlier? (did we ever consider blocking it?)
- What will it cost and how long will it take to prevent a similar incident?
- What are the lessons learnt from this and what will we do differently next time?

