Securing Asset Data against Cyber-Crime

Data security is a critical issue for every business. With cybercrime continuing to escalate, protecting your data from theft and ransomware attacks is vital. All industries are affected, with government, manufacturing and construction experiencing the highest number of attacks. Experts predict a continued rise, and warn that the more critical data is to an organisation, the more likely it is to be targeted by ransomware.

Statistics from the Office of the Australian Information Commissioner (OAIC) show that over the six months to July 2020, 537 breaches were notified, a rise of 19% over the previous period. 64% of these were traced back to malicious or criminal attacks.

We deal not only with our own data, but with critical and sensitive customer data. Protecting and maintaining this data is of paramount importance to our business. Because of this, we recognise that information security can no longer simply be delegated to the IT department. It needs to be an all-of-business issue, driven by the board and executive team, and become everyone’s responsibility. According to CybSafe analysis, human error caused 90% of cyber data breaches in 2019, most often through phishing attacks - such as a user clicking an unsafe link in an email. Without proper security education, robust security policies and the best security technology, any "link in the chain" can put an organisation at risk.

One key measure we’ve adopted at AssetFuture is to create the role of Chief Information Security Officer (CISO), whose core function is intertwined with all aspects of our strategic initiatives and operational activities. CISOs are more often found in large corporations (74% of companies with $5 billion or more in revenue have one, compared to just 40% of companies with less than $1m in revenue), but the number is increasing as businesses recognise that information security needs to be taken seriously.

Data is the most important asset for any organisation, and must be protected and maintained. Data security is a crucial component of our trust pillar for clients, partners and stakeholders: whether asset data, Personally Identifiable Information (PII), corporate systems or the reputation of all stakeholders. We achieve this through a combination of uplift projects, targeted initiatives and continuous improvement programs.

Certified as Continuously Improving

Our goal at AssetFuture has been to find an internationally-recognised information security framework which is industry agnostic, flexible enough to accommodate both professional services and software-as-a-service environments, and has a built-in continuous improvement program. The framework we’ve selected is ISO 27001, the internationally-recognised standard for Information Security Management Systems.

ISO 27001 is not only a set of technical and organisational controls, of which there are many, but also a framework for operating information security within an organisation through continuous plan-do-check-act cycles. This ensures our security posture is always improving rather than fixed at the point of certification.

We’ve also chosen to undertake formal audit and certification, to demonstrate our commitment to the standard and to information security more broadly. This is in contrast to the common approach of being guided by ISO 27001 while avoiding the discipline and rigour that formal certification requires.

For those interested in AssetFuture’s Information Security Management System implementation, the document hierarchy is shown below:

AssetFuture’s Information Security document hierarchy

Vendor Selection

The selection of strategic partners, vendors and suppliers is just as important as how information security is managed and maintained internally. Like the majority of organisations, AssetFuture relies on third parties in its supply chain to provide its services. We’ve deliberately decided to partner with market leaders who are expert in their field. Our platform contains critical and sensitive data and there’s no room for compromise.

For example, we’ve selected Microsoft Azure as our underlying cloud provider, due to their expertise in maintaining reliable, scalable and secure hosted infrastructure. Azure maintains over 50 compliance certifications and attestations, including ISO 27001, CSA STAR, FedRAMP, IRAP and PCI DSS, and publishes its alignment with frameworks such as the CIS Benchmarks, NIST CSF and APRA’s prudential standards. These cover the infrastructure layer; under the shared responsibility model, configuring and securing what we build and run on that infrastructure remains our job. Knowing that the underlying infrastructure is taken care of allows us to focus on our core business and on the security of our own platform, for ourselves, our customers and our other partners.

Encryption

Encryption is another important aspect of our data protection strategy. We use encryption throughout the entire lifecycle of data. Data is first encrypted in transit when it is input, imported or processed. HTTPS with TLS 1.2 is used for client-to-server, server-to-server and server-to-database communication, and commercial Extended Validation (EV) certificates authenticate our servers to the clients connecting to them.
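The point of stating "TLS 1.2" is that the version is a floor the server enforces, not just the version a modern browser happens to pick. The following Go program is an added illustration and is not AssetFuture's code: it builds a throwaway self-signed certificate for an assumed hostname (assets.example) in place of a commercial EV certificate, then runs three handshakes over an in-memory pipe so nothing touches the network. A server configured with MinVersion TLS 1.0 (the weak setting) accepts a legacy client; the hardened server with MinVersion TLS 1.2 refuses the same client and still serves a TLS 1.2-capable one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert generates a throwaway ECDSA certificate for the assumed
// hostname "assets.example" so the handshakes below run entirely in memory.
// It stands in for the commercial EV certificate a real deployment presents.
func SelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "assets.example"},
		DNSNames:              []string{"assets.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts only this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// WeakServerConfig accepts anything from TLS 1.0 upwards: the setting to avoid.
func WeakServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// HardenedServerConfig refuses any client that cannot speak TLS 1.2.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// Handshake connects a client that offers at most maxVersion to a server
// running under the given policy, over an in-memory pipe, and reports
// whether the handshake succeeded and which protocol version was negotiated.
func Handshake(server *tls.Config, pool *x509.CertPool, maxVersion uint16) (bool, uint16) {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()

	done := make(chan error, 1)
	go func() { done <- tls.Server(serverSide, server).Handshake() }()

	client := tls.Client(clientSide, &tls.Config{
		ServerName: "assets.example",
		RootCAs:    pool,
		MinVersion: tls.VersionTLS10, // a deliberately legacy-tolerant client
		MaxVersion: maxVersion,
	})
	err := client.Handshake()
	<-done // the server side has either completed or sent its alert
	if err != nil {
		return false, 0
	}
	return true, client.ConnectionState().Version
}

func main() {
	cert, pool, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct {
		name string
		cfg  *tls.Config
		max  uint16
	}{
		{"weak server, TLS 1.0 client", WeakServerConfig(cert), tls.VersionTLS10},
		{"hardened server, TLS 1.0 client", HardenedServerConfig(cert), tls.VersionTLS10},
		{"hardened server, TLS 1.2 client", HardenedServerConfig(cert), tls.VersionTLS12},
	} {
		ok, ver := Handshake(tc.cfg, pool, tc.max)
		fmt.Printf("%-34s ok=%v negotiated=0x%04x\n", tc.name, ok, ver)
	}
}
```

The negotiated version is read from ConnectionState after the handshake, which is also the place to check it in a real client or in a post-deployment test: a server that merely "supports" TLS 1.2 but still has MinVersion at 1.0 will pass a browser check and fail this one.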

Data is encrypted at rest using a number of methods depending on the location. SQL data stores are encrypted using Australian Government approved and industry recognised algorithms and implementations (AES-256). All database backups are also encrypted.

Independent Testing

To ensure our security is robust, penetration testing is performed at scheduled intervals and after significant system changes, with no more than 12 months between tests. Penetration testing is performed by specialist Australian-based providers using Council of Registered Ethical Security Testers (CREST) accredited and Offensive Security Certified Professional (OSCP) qualified personnel.

Sovereignty

AssetFuture maintains geography-specific instances in order to maintain data sovereignty. Personnel, data processing, data at rest and third-party access are limited to the country where the instance is located. This is critical in supporting the requirements of AssetFuture’s government and enterprise clients.

Audited

AssetFuture recognises that if something isn’t checked, it can often become neglected. To counter this, all aspects of our information security program undergo regular audit. This ranges from formal surveillance audits carried out as part of ISO 27001 certification, through to systematic logging and review of system access and privileges to enforce role-based access control and least privilege.

Technical Controls

On the technical side, we employ a layered set of controls: firewalls, antivirus, intrusion detection and prevention, vulnerability management, network segmentation and server hardening. All of these are kept up to date so that they continue to prevent and detect malicious activity.

Resilience

As well as malicious attacks, data can be lost to disasters such as fire and flood. AssetFuture carries out comprehensive business continuity and disaster recovery planning and testing to withstand technical and environmental disruptions. During the COVID-19 pandemic many people were forced to work remotely. We adapted policy to reflect the new flexibility required and invested in solutions to keep remote workers secure and fully operational. The result was minimal disruption to operations as staff moved to remote working.