The world today is interconnected at an unprecedented level. As economies integrate, with supply chains and production lines globalising, we are seeing a rapid increase in multilayered cross-border ownership of enterprises. Data distribution and storage now span multiple jurisdictions. This means global cause-effect nexuses are becoming complex and opaque. Thus, threats can originate from multiple points, be invisible, and spread through the world very quickly.
While global integration has suffered a setback due to COVID-19, the same disruption has made the integrity and security of digital networks all the more important, as it is these networks that are holding economies together now. New exposures have been created as large numbers of people working from home are channelling sensitive information through public networks and VPNs, and more people are using the same device for both work and private purposes.
The risks are particularly high if you are running critical infrastructure, because its failure can have devastating consequences, and because critical infrastructure is open to malicious attacks by both state and non-state forces from around the world. Thus, cybersecurity is now a concern of governments as much as of enterprises, and enterprises can learn from the way some governments are managing access-point risk without compromising the efficient running of economies.
Over the last decade, there has been a lot of public debate in Australia over foreign ownership of its infrastructure, especially ports and electricity, as such ownership opens them up to the possibility of sabotage, espionage and coercion. So far, the publicly visible government strategy for dealing with this is to develop ways of detecting and responding to threats early, without compromising too much on the flow of foreign investment and free trade. The government has released its Cybersecurity Strategy, set up the Critical Infrastructure Centre responsible for assessing foreign investment applications relating to infrastructure and managing associated risks, and introduced legislation to back these up.
Consequently, operators of critical infrastructure are now required to report a whole raft of information about their operations, including ownership structure - details of executives and board members of all entities holding an interest of more than 10% - data arrangements including sensitive and personal information they might be holding, intellectual property, risk management and business continuity plans, and critical operational information such as load levels. More importantly, they are also required to provide details on asset operators, in other words, anyone who has full or partial control of the asset, including plant operators, IICATS and SCADA engineers, IT vendors, security contractors, etc. The government can require release of information and, under proposed amendments to the legislation, can also mandate that organisations take corrective action when a threat is detected.
An interesting aspect of how this legislative framework operates is that it does not focus on restricting access, but on creating transparency over the access configuration, meaning visibility of who has access to what. This enables government agencies, including intelligence agencies, to continuously risk-assess access points, identify threats and instigate a proportional response. The key advantage of this approach is that, though it might initially create a reporting burden, it avoids the loss of operational efficiency that arises from pre-emptively restricting access based on some broad categories or from introducing too much access partitioning.
The concept behind this model for mitigating cyber threats can be used effectively by enterprises as well, especially by those that struggle to find the right balance between restricting access to sensitive information and giving their analysts and operators as much access as they need to increase agility.
Organisations typically manage access risk by granting access to sensitive information and systems on a ‘need to know’ or ‘need to use’ basis. Or they ‘partition’ access, so as not to let one person or group of persons have ‘too much’ access, to limit the impact of threats originating at access points. However, enterprises that rely heavily on real-time coordination, or organisations that require analysis of enterprise-wide data for tactical decision making, know all too well the problems heavy access restrictions can create: multiple authorisations across several justifications are needed before meaningful access can be obtained, and even when access is granted, it usually comes far too late.
Therefore, it is worthwhile for organisations that face this problem to consider something along the lines of the approach taken by the Australian government. Enterprises too can shift their focus from access restriction to access transparency, coupled with continuous access-point risk/threat evaluation. This would mean giving your employees - who are likely to be security cleared and bound by confidentiality agreements - the access necessary to maximise business outcomes, while maintaining up-to-date transparency and carrying out continuous evaluation of whether access is being used in accordance with organisational policies. This should be followed by speedy and targeted intervention when a violation or threat is identified. Though this might create a governance overhead within the organisation, it is likely to be easily offset by the operational and strategic gains.