InConsult

Hardhats and Hacking: Cyber Threats in Construction

Tony Harb — Tue, 02 Dec 2025 03:54:30 +0000

InConsult Partners with TAFE NSW to Spotlight Cyber Threats Impacting the Construction Sector

The Australian Federal Police recently issued a media release highlighting a significant surge in scams targeting the Construction industry. Unfortunately, this trend is not isolated. Across Australia, organisations in every sector are experiencing an increase in cyber-enabled fraud.

At InConsult, we’re seeing these threats first-hand. That’s why we’re bringing together experts who are currently responding to these attacks on the ground.

We invite you to join us for an engaging evening of insights, real-world examples, and a live demonstration of one of today’s most common (and costly) cyber attacks affecting Construction and many other industries.

Event Details

📅 When: 4 December 2025, 6:00pm
📍 Where: Lecture Theatre, Building M, TAFE NSW, Meadowbank NSW 2114
👥 Who Should Attend: IT Managers, Project Managers, Builders, Students — all welcome
💲 Cost: Free event + light refreshments provided

Why the Construction Sector?

With high-value transactions, frequent invoicing, and often limited cyber security resources, the Construction sector has become a prime target for cyber criminals. Threat actors are exploiting gaps in processes, systems and controls — often resulting in large-scale financial loss, stalled projects, and in some cases, business collapse.

These attacks rarely make the headlines. They are happening quietly, every day.

What to Expect on the Night

InConsult is proud to collaborate with TAFE NSW and the Institute of Applied Technology to deliver this important industry session.

Panel Discussion – Industry Experts Share What They’re Seeing Right Now

Hear from:

William Makdessi – InConsult
Jawad Khan – Gridware
Pete Tyrrell – Australian Payments Network (AusPayNet)

Our panellists will share current case studies, emerging scam techniques, and practical advice for mitigating risk.

Demonstration – A Real Attack Happening in Australia Today

Following the panel, we will showcase a simple but highly effective attack technique that is actively impacting Construction companies right now. This is the type of attack that often leads to six- and seven-figure losses, yet receives little public attention.

This demonstration will help attendees recognise threats early and strengthen controls before they become the next victim.

The post Hardhats and Hacking: Cyber Threats in Construction first appeared on InConsult.

IIA’s Global Internal Audit Standards Now Effective

Tony Harb — Tue, 04 Nov 2025 01:06:37 +0000

The Institute of Internal Auditors (IIA) has officially implemented its revised Global Internal Audit Standards, which took effect on January 9, 2025. These updates, initially published in January 2024, are part of the organisation’s ongoing efforts to evolve its International Professional Practices Framework (IPPF).

The development of these new standards was a comprehensive, multiyear process that involved collaboration with thousands of professionals worldwide, including internal audit practitioners, service providers, and international standard-setters. This inclusive approach ensures the standards are both practical and globally relevant.

As organisations continue to navigate a complex business environment, these updated standards are poised to provide internal auditors with a robust framework to deliver greater value, align with organisational goals, and adapt to evolving challenges.

The revised standards aim to elevate the practice of internal auditing by ensuring better performance, enhanced quality, and greater consistency across organisations worldwide.

Key enhancements in the revised standards include:

Internal Audit Strategy: Emphasis on aligning internal audit activities with organisational objectives to enhance strategic relevance.
Stakeholder Relationships: Strengthening communication and collaboration with stakeholders to ensure audit activities meet their needs and expectations.
Performance Measurement and Accountability: Introducing metrics and accountability frameworks to assess and improve internal audit effectiveness.
Governance Conditions: Defining essential governance structures and practices necessary for effective internal auditing.

Over the past year, these standards have gained significant traction within the global internal audit community. Translated into 25 languages, they have been downloaded nearly 600,000 times, underscoring their broad appeal and importance.

For more analysis, including a step by step guide to adapting the new standards, read our publication New 2024 Internal Audit Standards: Insights for CAEs

For further details about the new standards, visit the official IIA website.

Next Steps

By now, most Chief Audit Executives, have transitioned to their organisation to align with the new 2024 Global Internal Audit Standards. Many have compared the current practices of the internal audit function with the updated requirements to identify areas of non-compliance or improvement. What now?

Continue to engage with stakeholders. Inform the board, audit committee, and senior management about the transition to the new standards and their significance and benefits for your organisation.

The post IIA’s Global Internal Audit Standards Now Effective first appeared on InConsult.

Next-Gen GRC Needs Next-Gen Thinking: Welcome Andy

Tony Harb — Wed, 16 Jul 2025 23:00:19 +0000

GRC isn’t just about ticking boxes. It’s about making better decisions, increasing resilience, and unlocking the power of technology to bring it all together. As Satya Nadella, Chairman and CEO of Microsoft, once said:

“Technology is best when it brings people together and makes work easier.”

At InConsult, we believe that’s exactly what Next-Gen GRC technology should do.

We know that the future of risk management, audit, and compliance lies where deep expertise meets forward-thinking innovation. That’s why we’re excited to welcome Andy Chu as our new Risk Technology & Innovation Lead.

Andy brings a powerful combination of Big 4 consulting experience and a proven track record in technology-driven transformation. With close to a decade at KPMG, Andy worked across assurance, digital consulting, and innovation portfolios. Most recently, he played a key role in NBN Co’s product strategy team. He helped accelerate the adoption of high-speed internet and improve customer experience at scale.

Next-Gen GRC Starts Now

In his new role at InConsult, Andy will lead the ongoing development of our GuardianERM GRC platform, drawing on his strengths in assurance, audit, technology enablement, and risk transformation.

Andy’s focus will include:

Gathering and prioritising client and market feedback
Scanning the horizon for emerging technologies and trends
Identifying more opportunities to enhance GuardianERM’s features, user experience, and value

Supporting Andy is our dedicated GuardianERM engineering and support team. He is also backed by InConsult’s powerhouse of governance, audit, cyber security, AI, and risk management specialists. Together, they bring a depth of knowledge and momentum to help our clients confidently navigate the complex risk and compliance landscape.

With Andy at the helm, GuardianERM is set to evolve in exciting new ways—where the rigour of traditional risk management meets the agility of modern digital tools. Whether it’s enabling internal audit automation, streamlining compliance reporting, or leveraging AI for smarter risk insights, we’re building a platform designed for tomorrow’s challenges.

Watch this space — a new era of Next-Gen GRC innovation is just beginning.

The post Next-Gen GRC Needs Next-Gen Thinking: Welcome Andy first appeared on InConsult.

International Internal Audit Month

Tony Harb — Mon, 05 May 2025 07:44:09 +0000

May is Internal Audit Month and we want to tell the world that we are proud to provide internal audit services to our many clients.

Internal Audit Month aims to increase awareness of the Internal Audit profession to a wider audience. Internal auditors bring a disciplined approach to evaluating and improving governance, risk management, and control processes.

We encourage all organisations with an internal audit department to get involved this May. So here are our 7 strategies to boost internal audit awareness and improve the level of engagement with managers and staff:

Auditors love internal controls and are the internal control design experts. Internal audit teams can host an on-line Internal Control Awareness Training session for all managers.
Younger people love social media, engage them with internal audit memes and/or short educational videos from our YouTube – One Minute Risk Manager channel.
Have an on-line meeting catch up (and coffee) with managers who may be struggling to implement past audit recommendations and help them to move forward.
Host an on-line webinar for all staff to introduce the audit team members and members of the Audit and Risk Committee, outline exactly what internal audit does and doesn’t do.
Update the Internal Audit Page of your companies intranet page.
Review your Strategic Audit Plan including any realignment to the organisations risk profile and assurance framework.
Help senior managers and risk owners to review and update their risk registers via a workshop or an on-line meeting.

Remember that whatever you do, it’s all about keeping the role of internal audit and internal controls front of mind.

InConsult Delivers Internal Audit Quality

In November 2020, InConsult engaged the Institute of Internal Auditors Australia to conduct an independent External Quality Assessment of our internal audit services and InConsult achieved the highest rating possible of “Generally Conforms”.

Our clients can be reassured that InConsult is committed to quality and continuous improvement and that our internal audit activities are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).

Select from either one-off special audits, co-sourced or outsourced internal audit options and we will tailor our internal audit services to suit your needs, size of your organisation and your budget.

Check out InConsult’s Internal Audit and Assurance capabilities to find out how we can help you.

The post International Internal Audit Month first appeared on InConsult.

Setting Sail After 17 Years: Farewell to Director Mitchell Morley

Tony Harb — Tue, 08 Apr 2025 19:49:55 +0000

After 17 impactful years with InConsult, we bid farewell to our esteemed Director and friend, Mitchell Morley, who is officially retiring and setting sail into a well-earned next chapter.

Mitchell’s career spans over four decades, primarily in the NSW public sector, where he held senior roles including Governance Manager, Corporate Services Director and Acting General Manager. He served as Chair of the NSW Local Government Governance Network, was a Board Member of Westpool (now CivicRisk Mutual), and held executive positions at Liverpool, Marrickville (now Inner West), Hornsby, and Fairfield Councils.

Mitchell joined InConsult in 2008, at a time when we had just a handful of local government clients. Bringing with him deep expertise across corporate governance, probity, records and privacy management, insurance, risk management, internal audit, and administrative services, Mitchell worked tirelessly to establish InConsult as a trusted partner to local government. Thanks largely to his knowledge, leadership and commitment, InConsult now works with 115 of NSW’s 128 councils.

Mitchell’s experience, insight, steady leadership and thoughtful approach have been a cornerstone of our success. As a Director, he brought balance and perspective to our Board, enriching our strategic decision-making. He also led our internal audit and assurance engagements with professionalism, precision and an unwavering commitment to client outcomes. A standout achievement was guiding one of our clients to a prestigious risk management award.

A prolific thought leader, Mitchell has authored numerous articles on governance, audit, and risk, and presented at conferences across Australia and overseas. He continues to serve as an independent member on several Audit and Risk Committees.

Beyond the boardroom, Mitchell loves sport – Golf, horse racing, rugby league (go Parramatta) and “Aussie Rules” (go Hawthorn). Mitchell has long been an active figure in his local community, contributing as a player, coach, and committee member in grassroots sports.

As he embarks on retirement, Mitchell is looking forward to lowering his already enviable golf handicap, spending more time with family, and exploring the world alongside his wife. In between travelling and lowering his golf handicap, Mitchell will continue to keep a close eye on our future business endeavours.

Following Mitchell’s departure, Dane Parsons, Internal Audit Manager, will take the lead in delivering all internal audit and assurance engagements. Dane will be supported by Director Tony Harb, who will remain closely connected with the team as they continue to deliver the high standard of service our clients know and trust.

Mitchell, thank you for your exceptional leadership, dedication, loyalty and friendship over the past 17 years. Your contribution to InConsult, internal audit and to the wider public sector has been profound – and your legacy will continue to shape our journey.

Wishing you calm waters, smooth fairways, and many unforgettable adventures ahead.

The post Setting Sail After 17 Years: Farewell to Director Mitchell Morley first appeared on InConsult.

Cyber Security Awareness Month 2024

Tony Harb — Wed, 02 Oct 2024 22:48:45 +0000

October is Cyber Security Awareness Month and an annual reminder for all of us to stay secure online.

With the ever-evolving digital landscape that now includes Artificial Intelligence (AI), cybersecurity threats are becoming more sophisticated, targeting individuals and businesses alike. It’s crucial to recognise the role we all play in securing the digital world, from using strong passwords to implementing comprehensive security measures in organizations.

The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security.

The theme for 2024 is ‘Cyber security is everyone’s business’. There are 4 simple steps you can take to be cyber wise and significantly boost your cyber security:

Turn on multi-factor authentication – Multi-factor authentication (MFA) is one of the best ways to protect your accounts.
Keep your devices and software up to date – Check that automatic updates are on and install updates as soon as possible.
Use strong and unique passwords, such as a passphrase – Passphrases are more secure versions of passwords, using 4 or more random words. Consider storing your passwords and passphrases in a reputable password manager.
Recognise and report phishing – Visit the ACSC Emails and texts information page for more details on how to identify and report phishing attempts.

Find out more about Cyber Security Awareness Month 2024 by visiting the Australian Cyber Security Centre website.

10 Ways to Promote Cyber Security Awareness

Don’t miss this opportunity to reinforce the importance of cyber security within your organisation. What will you do to raise awareness that cyber security is everyone’s business?

Here is our list of 10 things you can do during Cyber Security Awareness Month:

Plan ahead. Work with your People & Culture, Risk Management and Communication teams in a rollout plan to engage and reach as many employees as possible.
Set the ‘tone from the top’ by creating a culture of cyber security awareness. The entire C-suite needs to understand and embrace cybersecurity efforts. Cyber security habits are best learned through management taking the lead.
Review your cyber security touchpoints. Is cyber security awareness part of onboarding? How often does your organisation communicate about cyber security? Which vendors pose the highest cyber risk for your organisation?
Arrange cyber security awareness training sessions. Awareness training should reinforce that cyber security is everyone’s business and stress the importance of cyber security at work and at home.
Run a simulated phishing campaign to evaluate employee behaviour on receipt of a socially engineered phishing email, analyse results and provide a report of the results to all staff.
Review and update key elements of your IT-Disaster Recovery Plan or Data Breach Incident Response Plan.
With cyber attacks and third party data breaches on the rise, conduct a Crisis Management Team simulation exercise covering one of these risks.
Provide management a high level presentation covering the concept of operation of the Data Breach Incident Response Plan.
Run on-line games and quizzes such as crosswords and find a word with cybersecurity words as the central theme.
Reward good behaviour and people who embrace cyber security. Rewards don’t have to be expensive – small gift vouchers are often enough and always appreciated.

Want to Strengthen Cyber Resilience?

InConsult is an ACSC partner and we strongly encourage all organisations to get involved in Cyber Security Awareness Month. Contact us if you would like help in planning or conducting cyber awareness training or email phishing campaigns.

Remember that whatever you do, it’s all about keeping cyber security front of mind! Check out InConsult’s Cyber Resilience capabilities to find out how we can help you build a more resilient organisation.

Be more resilient to a wide range of cyber risks and contact us to discuss how we can help strengthen your cyber security posture.

#staysecureonline #CyberSecurityAwarenessMonth2024

The post Cyber Security Awareness Month 2024 first appeared on InConsult.

Cyber Security Awareness Month 2023

Tony Harb — Mon, 18 Sep 2023 05:29:59 +0000

October is a BIG month for cyber security awareness and presents a great opportunity for organisations to promote cyber security awareness and #becyberwise.

Cyber attacks are still on the rise and your employees and vendors are more susceptible than ever to attacks like phishing and social engineering. Cybercriminals are constantly developing more sophisticated and targeted tactics to exploit both people and vulnerabilities.

According to the ACSC, one cybercrime is reported every 7 minutes.

In Australia, October is Cyber Security Awareness Month and it’s an annual reminder for all Australian’s to stay secure online. The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security.

The theme for 2023 is ‘Be cyber wise – don’t compromise’. There are 4 simple steps you can take to be cyber wise and significantly boost your cyber security:

Update your devices regularly
Turn on multi-factor authentication
Back up your important files
Use passphrases and password managers

Meanwhile, in the United States, October is also Cyber Security Awareness Month. The event runs all month and aims to raise awareness about the importance of cybersecurity. 2023 marks 20 Years of Cybersecurity Awareness Month. Cybersecurity Awareness Month 2023 will focus on four key behaviours all month long:

Use strong passwords and a password manager
Turn on multifactor authentication
Recognize and report phishing
Update software

Find out more about Cyber Security Awareness Month 2023 by visiting the Australian Cyber Security Centre and the National Cyber Security Alliance websites.

10 Ways to Promote Cyber Security Awareness

Don’t miss this opportunity to reinforce the importance of cyber security within your organisation. What will you do to raise awareness and encourage people to #BeCyberWise?

Here is our list of 10 things you can do during Cyber Security Awareness Month:

Plan ahead. Work with your Human Resources, Risk Management and Communication teams in a rollout plan to engage and reach as many employees as possible.
Set the ‘tone from the top’ by creating a culture of cyber security awareness. The entire C-suite needs to understand and embrace cybersecurity efforts. Cyber security habits are best learned through management taking the lead.
Review or audit your cyber security touchpoints. Is cyber security awareness part of onboarding? How often does your organisation communicate about cyber security? Which vendors pose the highest cyber risk for your organisation?
During the pandemic, many employees may still be working from home. Conduct on-line cyber security awareness training sessions. Awareness training should reinforce that it is everyone’s role to #BeCyberWise and stress the importance of cyber security at work and at home.
Run a simulated phishing campaign to evaluate employee behaviour on receipt of a socially engineered phishing email, analyse results and provide a report of the results to all staff.
Review and update key elements of your IT-Disaster Recovery Plan or Data Breach Incident Response Plan.
With cyber attacks and third party data breaches on the rise, conduct a Crisis Management Team simulation exercise covering one of these risks.
Provide management a high level presentation covering the concept of operation of the Data Breach Incident Response Plan.
Run on-line games and quizzes such as crosswords and find a word with cybersecurity words as the central theme.
Reward good behaviour and people who embrace cyber security. Rewards don’t have to be expensive – small gift vouchers are often enough and always appreciated.

Want to Strengthen Cyber Resilience?

Gap Analysis of your Cyber Security and Resilience
Cyber Risk Governance Framework Review
Cyber Risk Governance Framework Development
Third-Party Vendor Review and Cyber Risk Analysis
Cyber Risk Awareness Training and Internal Campaigns
Email Phishing Campaigns
Cyber Incident Response
Post-Cyber Incident Review
Crisis Team Familiarisation Training

Be more resilient to a wide range of cyber risks and contact us to discuss how we can help strengthen your cyber security posture.

#staysecureonline #becyberwise #CyberSecurityAwarenessMonth2023

The post Cyber Security Awareness Month 2023 first appeared on InConsult.

New Sustainability and Climate Reporting Standards Agreed

Tony Harb — Thu, 04 Aug 2022 11:16:10 +0000

Australia’s leading financial and business bodies have agreed on the need for consistent sustainability and climate reporting standards.

The group of 20 peak bodies include the Insurance Council of Australia, Financial Services Council, Australian Banking Association, the Australian Council of Superannuation Investors, CPA Australia, Chartered Accountants Australia and New Zealand and the Institute of Public Accountants.

Collectively the group represent more than 400 companies, approximately 300 investors with US$33 trillion assets under management and 500,000 business and finance professionals.

The group welcomed the new International Sustainability Standards Board (ISSB) draft sustainability standards published in March 2022. The group believes that clear, transparent, comprehensive and comparable disclosure of sustainability-related information to be part of the foundations of a well-functioning global financial system.

The group also recognised that climate is a “first order risk” to the Australian economy and stated that it supported the Paris Agreement and its objective to achieve net-zero emissions.

The only caveat…the group said the transition to achieving a net-zero emissions economy needed to be undertaken with care. The group said, “To avoid large-scale financial risks from a disorderly transition to net zero emissions and the physical impacts of climate change, there must be clear and comparable disclosure of sustainability-related and in particular, climate-related information.”

The ISSB Will Lead Sustainability & Climate Reporting

The ISSB released two exposure drafts in March 2022. They set out general sustainability-related disclosure requirements and specified climate-related disclosure requirements while also providing stakeholders with the opportunity to comment on the proposed standards.

Just days earlier, the effort to establish a global baseline for sustainability disclosures took another positive step with the consolidation of the Value Reporting Foundation (VRF) into the IFRS Foundation.

The IFRS Foundation is home of both the ISSB and the International Accounting Standards Board (IASB), the global standard-setter for financial reporting.

In recent years, investors with global investment portfolios have been calling for more transparent environmental, social and governance (ESG) reporting by companies. The ISSB was launched by the IFRS Foundation at last year’s COP26 summit and was tasked with developing a single set of standards to meet the information needs of investors.

In March 2022, the U.S. Securities and Exchange Commission’s (SEC) proposal on thorough environmental reporting by American public companies also came in response to a shift in investor interest and public opinion.

Sustainability & Climate Reporting Next steps

The agreement provides the foundations for taking further steps towards sustainability and climate reporting reporting. Moving forward:

There will be a global approach to the development of sustainability disclosure standards. The coordinated approach helps ensure there is no regulatory fragmentation in definitions, terminologies, and metrics on disclosure.
The ISSB will be the global body overseeing these standards.
There will be collaboration and coordination between sustainability disclosure initiatives and financial accounting standard setting.
The goal will be to achieve a globally consistent and verifiable corporate reporting system.
The new disclosure standards will impact Australia’s capital markets and participants, as investors continue to demand comparable disclosures.
The 20 peak bodies will work with the Australian government as well as other national and international stakeholders.
The assurance providers including Registered Company Auditors, will need to expand their skill set in order to keep up with a fluid environment.

The agreed approach now provides the foundations for taking steps towards sustainability and climate reporting reporting.

Financial institutions like banks and insurers and well as listed companies will need to stay vigilant and engage with their peak bodies. Also, risk, investment, finance, audit and assurance professionals will need to stay ahead of developments and keep their skill set up to date.

The Challenges

Recently, 86 finance chiefs from across the globe signed a letter sent to the ISSB insisting on the improvement of its proposed reporting standards in 6 areas:

Alignment with relevant existing sustainability reporting standards “to the greatest extent possible.”
Clarity on what constitutes enterprise value, recognizing that investors may need disclosures on broader social and environmental impacts to assess risk and make investment decisions.
Clear definitions and guidelines for preparers.
Disclosure requirements should enable a “continued focus on setting science-based, ambitious targets and the actions needed to achieve them.”
Promote integrated thinking through frameworks such as the Integrated Reporting Framework.
Address the environmental, social, and economic issues that impact decision-making.

The Benefits

More than 80% of mainstream investors now consider ESG information when making investment decisions. There are currently $23 trillion of assets being professionally managed under responsible investment strategies, an increase of 25% since 2014 which exceeds the gross domestic product of the entire USA economy.

Besides the clear benefits to the environment and reducing the financial impact of climate change, improved guidance will reduce the risk of ‘greenwashing’. This is when an organisation spends more time and money on marketing itself as sustainable and environmentally friendly than on actually minimizing its environmental impact. We saw this when Volkswagen admitted to cheating emissions tests by fitting various vehicles with a “defect” device, with software that could detect when it was undergoing an emissions test and altering the performance to reduce the emissions level.

12 ESG Questions

Achieving the desired ESG posture is not easy and there are lots of questions the board can ask. Here are 12 questions to start:

Does the organisation’s vision and values specifically reflect a commitment to ESG?
Is the board approved ESG policy and framework aligned to the organisations vision and values?
Are ESG responsibilities clearly described and included in positions descriptions and performance incentives?
Is ESG on the board and leadership agenda?
Has the organisation identified the ESG related compliance obligations and assigned responsibilities to monitor?
Has the organisation identified the ESG related risks and developed the appropriate action plans?
Are ESG practices embedded into day-to-day business processes and activities?
Does your ESG framework extend to third parties, vendors and suppliers?
Is there regular communication between your organisation and stakeholders?
Is there regular reporting and monitoring of your ESG posture to the board?
Are the underlying assumptions in the analysis reasonable and supported by evidence?
Does internal audit verify the accuracy and completeness of ESG reporting processes, external disclosure and data?

There is no right or wrong here, but your answer should be appropriate to your organisation, industry and stakeholder expectations.

Remember, climate change financial risks are often categorised into physical, transition and legal/ liability risks and they all must be managed.

Next steps

What does this agreed way forward mean to your business? What does sustainability look like at your organisation? How far do you want to go to minimise the impact of climate change on your business?

Whatever your climate resilience posture, making a start as soon as possible is better than waiting to get it perfect or waiting until you have researched all the alternatives.

There are four ways that we can help you with your environmental and sustainability reporting:

Interpreting applicable standards and frameworks and advising you on their benefits and application.
Environmental/sustainability performance reporting obligation compliance.
Understanding the best metrics and data to record and report.
Generating your reports.

Be more resilient and contact us if you would like help with developing sustainability strategies, climate change risk assessments and testing, sustainability education and reporting.

The post New Sustainability and Climate Reporting Standards Agreed first appeared on InConsult.

Act Now: Release of New Ransomware Threat Guidelines

Tony Harb — Tue, 08 Mar 2022 01:14:52 +0000

There has been a historical pattern of cyber attacks against Ukraine that have had unintended international consequences. Sanctions and digital measures could put the US, its allies and other NATO nations at high risk as the threat of a response is likely and of an unpredictable scale. Malicious cyber activity could impact Australian organisations through unintended disruption or uncontained malicious cyber activities. Typically, high-value targets in state-sponsored digital warfare include governments, militaries, energy, finance, and critical infrastructure. Despite this, the Australian Cyber Security Centre (ACSC) is recommending that all Australian organisations, no matter the size or industry, urgently adopt an enhanced cyber security position in response to the threat of malware, particularly ransomware.

In this context, the Australian Cyber Security Centre has published two guides to help organisations manage and respond to ransomware threats. Much like the Third Party Risk enhancements NIST introduced in late 2021, these new guidelines are a direct response to the global state of cyber risk and how organisations should better prepare.

The two documents are:

The Ransomware Risk Management: A Cybersecurity Framework Profile (NISTIR 8374): this incorporates feedback from earlier drafts and is based on the broader NIST Cybersecurity Framework Version 1.1. NIST says that it can be used as a guide to manage the risk of ransomware events – which includes helping to gauge an organisation’s level of readiness to counter ransomware threats and to deal with the potential consequences of events if they occur.
Getting Started with Cybersecurity Risk Management: Ransomware: a guide that is designed to enable organisations to make a quick start on managing ransomware risks by encouraging enhanced communication and taking risk-based action in response to the new threat landscape.

By introducing these guidelines, NIST is addressing the current environment while also encouraging adoption of the entire Cyber Security Framework. By adapting it to what many organisations would consider the greatest cyber threat – ransomware, the relevance of the framework becomes clearer, especially for those that have documentation that is loosely adapted or incomplete. The NIST Cyber Security Framework and all sub-guides are based on the five key areas – Identify, Detect, Protect, Respond, Recover.

The time is now. Be your framework incomplete or the perfect example of compliance, review and improvement is never ending and key to the combined fight against cyber threats. We must act. Our cyber gaps not only pose a threat to us, but our vendors, stakeholders, clients and much more. Indirect exposure is prolific in Australian infrastructure with an IBM-Ponemon study revealing more than half of all organisations have experienced a data breach due to a third party.

6 steps you need to take right now to combat ransomware

Here is our list of 6 steps you can take to help improve the maturity of your cyber security:

Strengthen COMMUNICATION with staff to ensure a combined understanding of the evolving threat. Human error still remains the greatest weakness.
Enhance your DETECTION tools to predict and alert your security team before an impact occurs.
Review and exercise your RESPONSE documentation to ensure a sense of readiness throughout the organisation.
Adopt a strict ZERO TRUST policy across all platforms to ensure access to sensitive information is limited to requirements and review existing privileged access regularly.
Ensure all devices whether company owned or BYOD are PATCHED and kept up to date as often as possible (e.g. enable auto-update on end user devices).
Broaden your organisation’s overall CYBER HYGIENE to ensure existing and new processes are designed with cyber security at the foundation (e.g. multi factor authentication, centralised password rules, anti-malware on all devices including BYOD).

Equally important, InConsult encourages all organisations to regularly monitor Australian Cyber Security Centre advisories, threats and alerts. Contact us if you would like to know more about any notices released and how they may affect your organisation.

And finally, remember that whatever steps you take, ensuring Cyber Risk is prioritised and regularly discussed is already the first step to enhancing your cyber posture! Check out InConsult’s Cyber Resilience capabilities to find out how we can help you build a more resilient organisation.

InConsult is an official partner of the Australian Cyber Security Centre

We are proud to be an official partner of the Australian Cyber Security Centre (ACSC), a part of the Joint Cyber Security Centre that is collectively enhancing communication between security agencies worldwide. As an official partner, we are privileged to priority notifications and direct support from the ACSC to address any matters or concerns relating to threats to the Australian business landscape.

The post Act Now: Release of New Ransomware Threat Guidelines first appeared on InConsult.

Business Continuity Awareness Week 2022

Tony Harb — Mon, 21 Feb 2022 02:38:17 +0000

Business Continuity Awareness Week (BCAW) is a global event designed to raise awareness of business continuity and resilience by educating, sharing experiences, knowledge and best practices.

This year, BCAW 2022 will run from 16th – 20th May 2022 and celebrates the theme, “Building Resilience in the Hybrid World”. Why this theme? According to The Business Continuity Institute (BCI), in the last 24 months, the world has seen a rise in the adoption of hybrid work models, where employees have the flexibility to work part in the office and part remotely. In this new work environment, organizations need to rethink the way they embed, validate and raise awareness amongst their staff of Business Continuity Plans.

The aim of the theme is to equip organisations & Business Continuity Professionals with the necessary tools to embed & improve awareness of Business Continuity in this new workplace reality.

Don’t let the pandemic get in your way. You are resilient right? Be creative. What will you do to raise awareness of business continuity and the importance of resilience?

8 things to do during Business Continuity Awareness Week

Here is our list of 8 things you can do during BCAW 2022 to help improve the level of engagement in resilience and business continuity management:

Update your organisations Business Impact Analysis (BIAs) via on-line meetings or a hybrid meeting.
Review and update key elements of your response plans such as the BCP, Crisis Management Plan, Pandemic Plan, IT-DRP or Data Breach Response Plan.
As many employees may still be working from home and this increases cyber risks – conduct on-line cyber security awareness training sessions.
With climate risk and third party risks on the rise, conduct a hybrid Crisis Management Team simulation exercise covering one of these risks.
Conduct refresher training for the Crisis Team and those senior managers involved in implementing your response plans.
Provide management a high level presentation covering the concept of operation of the various response plans.
Run a hybrid of games and quizzes such as crosswords and find a word.
How creative are your people? Run a competition and have people draw a picture, design a meme or write a short poem on what ‘Building Resilience in the Hybrid World’ means to them.

Equally important, InConsult encourages all organisations to get involved in Business Continuity Awareness Week 2021. Contact us if you would like help in planning or conducting events during BCAW 2022.

In the mean time, find out more about BCAW 2022 at the Business Continuity Institute’s website.

And finally, remember that whatever you do, it’s all about keeping business continuity front of mind and staff aware of your organisations response strategy! Check out InConsult’s Business Continuity Management capabilities to find out how we can help you build a more resilient organisation.

InConsult is a member of the #1 global BC professional association

We are proud to be a corporate member of the Business Continuity Institute (BCI), the world’s leading institute for business continuity and resilience. Just like InConsult, the BCI promotes and facilitates the adoption of good business continuity practice to help build more resilient organisations. Further, the BCI is the leading membership and certifying organization for Business Continuity (BC) professionals worldwide.

The post Business Continuity Awareness Week 2022 first appeared on InConsult.