Mining Manufacturer Cybersecurity Review
Challenge
With decentralised operations across Tasmania, the Australian mainland and South East Asia, our client understood the need to undertake a review of ICT systems and processes to ensure security of their data and provision of services to their 2000 staff.
This client approached 9X5 Consulting based on our technical knowledge of their core systems, to undertake a current-state review and make recommendations relating to their technology and processes.
Solution
9X5 Consulting undertook a current-state review of all systems, data handling processes and device management tools to create a current-state assessment document. This document was submitted back to the ICT management team, who approved its validity.
With the current state understood, we then wrote a recommendations guide for the client, based on the Essential 8 and NIST cybersecurity frameworks, and broke down issues into 5 major categories:
- Identify: Develop an organisational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Our recommendations guide outlined a range of system and process enhancements.
Impact
Our recommendations guide focused on both technology and policy changes, including:
- Recommended security changes for key systems, including their CRM. This included implementing 2-factor authentication for all systems containing client data.
- HR policy changes, including background checks for all new employees and disposal of non-essential personal data.
- Security Awareness Training for all staff.
The client has taken these recommendations to the board and is now working with us to implement the changes across their business.
Client Overview
A leading manufacturer of quality products for the global underground and surface mining industries, this company is an authorised Caterpillar OEM.
Based in Tasmania, Australia, with operations spread across South East Asia, the organisation has grown significantly over its more than 45 years in the industry.
Foreign Investments Group - Cybersecurity Review
Challenge
Given the sensitive nature of their work and the varied technology maturities of their partner companies, the board were concerned with their cybersecurity posture.
They approached 9X5 Consulting to independently review their systems, processes, and data maturity to provide a roadmap for activities to strengthen their defensive posture.
Solution
9X5 Consulting brought in a senior cybersecurity consultant to help with the analysis and provide a tailored cybersecurity roadmap. 9X5’s cybersecurity framework is based on the NIST Cybersecurity Framework and is broken down into five key areas: Identify, Protect, Detect, Respond, and Recover, supported by a governance layer. Given that much of the organisation’s intellectual property was not documented, our consultant required a great deal of time interviewing the client’s staff, so the work was conducted on-site to minimise delays.
For each of these 6 phases, our consultant conducted an ‘As-Is’ assessment, which was then documented into a Current Profile. Based on best practices, we then created a Target Profile for an investment organisation. The gaps between these two profile documents determined the actions required in the roadmap, which were then prioritised based on legislative requirements (such as privacy legislation), cost and time to implement.
One example of an identified issue and roadmap recommendation was within the Governance Layer: whilst the company had a risk policy and register, this was not reviewed annually and did not include cybersecurity risks. As a high-impact, low-cost improvement, this was recommended as one of the first improvements on the company’s roadmap.
The current and target profile documents, along with the Cybersecurity Roadmap, were delivered to Ampeliam Foreign Investments in 20 business days.
Impact
With their cybersecurity roadmap in place, this client is now on the way to strengthening their technology, work processes and cyber maturity to ensure that they can interface with potential partners with confidence.
Future aspirations now include ISO certifications to streamline the process of partnerships with other organisations.
Client Overview
Established in 2018, this Melbourne-based venture capital investment firm is part of a broader family office group of companies, focusing on science, technology, and manufacturing startups. The firm frequently engages with overseas companies, necessitating non-disclosure agreements and stringent measures concerning data privacy and security.