CRN is a central source of news and business insight for IT resellers, systems integrators, managed service providers, IT solutions companies and distributors and vendors.
Last month the Australian National Audit Office slammed the Department of Home Affairs' enforcement of the critical infrastructure bill as only “partly effective”. CRN reached out to StickmanCyber to reflect on the watchdog’s review.
Read Ajay's contribution to the article below, and read the full article as published by CRN here.
StickmanCyber chief executive and founder Ajay Unni said that the latest instalment of the bill came in April and that "expecting any department to have all the protections in place in such a short period of time is unrealistic."
Unni said that he supported the auditor general’s seven recommendations, which the department has accepted.
These included "establishing an engagement strategy; having appropriate performance measurement; improving the department's existing framework to manage compliance" and "the use of risk management to inform decision-making."
However, Unni said that the recommendations could do with more clarity, and that the rating of different security risks had been left to individual organisations rather than being standardised.
“The issue I have is that not all the risk-management protocols are accurate and are left open to interpretation.”
“Some companies may define a ransomware attack as a critical risk but will rate its likelihood as low, resulting in a low-risk score and limited need for mitigation.”
"This ambiguity in risk assessment is where a lot of problems arise. What's needed is ongoing, resilient security controls, including 24x7x365 surveillance, threat hunting, incident response and monitoring of the dark web, while also staying on top of user education, training and awareness and implementing stringent policies and procedures."
“I like the emphasis on engagement strategy and performance measurement, however people are always going to be our weakest link. As long as humans continue to be the custodians of critical infrastructure, there needs to be a strong emphasis on education, training, testing and surveillance, with emergency incident responses in place to deal with any unforeseen attacks.”