
Article authored by Sebastian Scandura

It was not that long ago that the world’s population was forced to work remotely due to the COVID-19 pandemic, changing the working landscape, perhaps not forever, but certainly for many years to come. Today, nearly four years later, hybrid working continues to add risk and complexity to businesses, particularly to those who develop and share sensitive intellectual property (IP) with partners and clients of all shapes and sizes. The altered reality has exposed varying levels of cyber security maturity, with Gartner predicting that by 2025, 45% of organisations worldwide will have experienced attacks on their supply chains.

Private industry has evolved significantly over the past few decades, and the pace at which information-sharing measures and mechanisms evolved during the pandemic resembles the pace at which technological advancements developed during the Second World War. The use of commercial and, for those who can afford it, military-grade encryption protocols as a means of ensuring that communications channels are maintained and that IP is appropriately secured has rapidly become a widely accepted practice.

Identification of IP ownership is a crucial success factor, and often a contentious issue, as companies struggle to articulate, define, and strike the right agreements outlining the rights and responsibilities of all parties. This is a significant risk for Small to Medium Enterprises (SMEs) sharing their IP with larger, more powerful enterprises or government organisations. For example, for companies in the Defence Industry Security Program (DISP), information ownership is arguably one of the most challenging aspects because there is no single authoritative source or single information repository allowing deconfliction. This is further compounded for those in Whole of Australian Government (WoAG) supply chains, with departments and agencies often applying different standards or terms, which may vary according to the recipient.

SMEs are often at the mercy of their clients for the transmission of information between provider and client. This often means using and managing a number of different file-sharing platforms, each with its own inherent security risks, such as the use of unassessed or insecure solutions for the transmission and storage of sensitive (sometimes not yet appropriately classified) information. Assessed or endorsed commercial solutions are not plentiful, and for SMEs these can sometimes be outside their budget, or harder to justify to the business as a cyber security expenditure. Uplifting cyber security maturity can make or break SMEs, as there are often limited resources and budget to implement advanced cyber security measures.

Australia is quite idiosyncratic in that cyber security spend is usually authorised by CFOs, not CISOs. This is because CISOs are yet to be considered a true C-suite position and typically report to a CIO, while the CFO is often the sole custodian of the cyber security purse, balancing security needs against budget constraints. Additionally, unlike in other countries, cyber security insurance companies do not allow drawing down from the policy to uplift maturity, which may in turn lower that company’s premium, a practice that was widely observed in 2021-22 as the US Defence Industrial Base (DIB) struggled to meet Cybersecurity Maturity Model Certification (CMMC).

Successfully managing the risks associated with information sharing and ownership means not fearing these risks but understanding and ‘respecting’ them. Because risk identification is key to understanding how business operations are protected, it is understandable why this step is often the most frustrating for risk practitioners. The following measures and techniques are by no means exhaustive.

Implementing a security culture can oftentimes be overlooked by some SMEs, particularly where the core employees have come from secure workspaces and industries with a strong security indoctrination. But as the company grows, it is important to establish a robust security culture. Teaching employees the ‘why’ behind the security practices they need to adopt will always have a longer-lasting impact on the workforce than just teaching them the ‘what’.

SMEs must consider what makes the most [business] sense for their environment, with many opting to operate a file server on premises, or to use a hybrid cloud/on-prem collaboration tool. Conducting regular backups and exercising disaster recovery plans are critical in case of incidental data loss, corruption, or cyber-attacks such as ransomware, ensuring business operations can resume quickly after an incident.

Utilising secure communications channels in line with recommended government best practices and tools for sharing information is vital. This can include secure file-sharing platforms, Virtual Private Networks (VPNs), and encryption at differing levels, matched to the sensitivity of the information and, of course, the budget.

The risks associated with information sharing across our supply chains will continue to evolve and increase in complexity. These risks differ in nature, from the changing cyber threat itself to the ecosystems that hold private and sensitive information, such as personally identifiable information (PII) and commercially sensitive information.

There is no silver-bullet approach to securing information sharing. Whichever tool or mechanism is chosen, assuming an agreement can be reached, must be the right type to solve this complex problem. Each security community in the Australian landscape has its own differences, and it should be an imperative to enable information sharing at the right time, in a systematic way, and with the right stakeholders, to allow for the effective protection of intellectual property and business interests.

Industry must look at information sharing and ownership security as a deliberate muscle movement with business continuity in mind. The ability to appropriately secure information has a direct relationship to a business’s ability to build resilience in an effort to protect itself. End-to-end agreements and a shared-responsibility approach across the supply chain, informed by factors that consider sector risks and backed by sufficiently strong governance, may be the way forward.


#CyberSecurity, #InformationSharing, #IntellectualProperty, #SMEs, #DataProtection, #CyberRisk, #SupplyChainSecurity, #CyberThreats, #InfoSec, #BusinessContinuity, #CyberResilience, #SecureCommunications, #DataOwnership, #CyberAwareness, #DigitalTransformation, #TechEvolution, #CyberDefence