Mining Manufacturer Cybersecurity Review
Challenge
With decentralised operations across Tasmania, the Australian mainland and South East Asia, our client understood the need to undertake a review of ICT systems and processes to ensure security of their data and provision of services to their 2000 staff.
This client approached 9X5 Consulting based on our technical knowledge of their core systems, to undertake a current-state review and make recommendations relating to their technology and processes.
Solution
9X5 Consulting undertook a current-state review of all systems, data handling processes and device management tools to create a current-state assessment document. This document was submitted back to the ICT management team, who approved its validity.
With the current state understood, we then proceeded to write a recommendations guide for the client, based on the Essential 8 and NIST cybersecurity frameworks, and broke down issues into 5 major categories:
- Identify: Develop an organisational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Our recommendations guide outlined a range of system and process enhancements.
Impact
Our recommendations guide focused on both technology and policy changes including:
- Recommended security changes for key systems including their CRM. This included implementing 2-factor authentication for all systems containing client data.
- HR policy changes were recommended, including background checks for all new employees and disposal of non-essential personal data.
- Security Awareness Training for all staff.
The client has taken these recommendations to the board and is now working with us to implement the changes across their business.
Client Overview
A leading manufacturer of quality products for the global underground and surface mining industries, this company is an authorised Caterpillar OEM.
Based in Tasmania, Australia, with operations spread across South East Asia, the organisation has grown significantly over its more than 45 years in the industry.
Foreign Investments Group - Cybersecurity Review
Challenge
Given the sensitive nature of their work and the varied technology maturities of their partner companies, the board were concerned with their cybersecurity posture.
They approached 9X5 Consulting to independently review their systems, processes, and data maturity to provide a roadmap for activities to strengthen their defensive posture.
Solution
9X5 Consulting brought in a senior cybersecurity consultant to help with the analysis and provide a tailored cybersecurity roadmap. 9X5’s cybersecurity framework is based on the NIST Cybersecurity Framework and is broken down into five key areas: Identify, Protect, Detect, Respond, and Recover, supported by a governance layer. Given much of the organisation’s intellectual property was not documented, our consultant required a great deal of time interviewing staff from the client, so the work was conducted on-site to minimise delays.
For each of these 6 phases, our consultant conducted an ‘As-Is’ assessment, which was then documented into a Current Profile. Based on best practices, we then created a Target Profile for an investment organisation. The gaps between these two profile documents determined the actions required in the roadmap, which were then prioritised based on legislative requirements (such as privacy legislation), cost and time to implement.
One example of an identified issue and roadmap recommendation was within the Governance Layer: it was identified that whilst the company had a risk policy and register, this was not reviewed annually and did not include cybersecurity risks. As a high-impact, low-cost improvement, this was recommended as one of the first improvements on the company’s roadmap.
The current and target profile documents, along with the Cybersecurity Roadmap, were delivered to Ampeliam Foreign Investments in 20 business days.
Impact
With their cybersecurity roadmap in place, this client is now on the way to strengthening their technology, work processes and cyber maturity to ensure that they can interface with potential partners with confidence.
Future aspirations now include ISO certifications to streamline the process of partnerships with other organisations.
Client Overview
Established in 2018, this Melbourne-based venture capital investment firm is part of a broader family office group of companies, focusing on science, technology, and manufacturing startups. The firm frequently engages with overseas companies, necessitating non-disclosure agreements and stringent measures concerning data privacy and security.
Australian Law Firm - User Account and Cloud Audit
Challenge
With many office locations, over 1000 staff and a myriad of systems and devices, The Firm approached 9X5 to conduct an independent audit of their systems, active accounts, software licensing, infrastructure utilisation and security posture.
Solution
This project was initiated in 2021, which added a level of complexity due to COVID lockdowns in Melbourne at the time. As a result, much of the work was conducted offsite, with limited access to the client’s Melbourne office.
Despite these challenges, 9X5 assembled a team comprising 1 Project Manager, 1 Solution Architect and 2 Analysts.
The initial area of concern was Active Directory accounts, as there were over 1900 active accounts, yet only 1100 staff and 200 system accounts at the time. A deep dive on Active Directory was conducted to understand which accounts should be deactivated and whether policies were breached by keeping them open, and to make recommendations as to which accounts could be closed or migrated.
As part of the investigation, licensing and utilisation of on-premise and cloud servers was also reviewed with recommendations made on which machines could be consolidated or shut down.
The team conducted the analysis and provided their recommendation in 65 days.
Impact
The analysis and recommendations report identified over 600 user accounts that could be shut down or mitigated, which represented a large cost saving to the client.
In addition, by reviewing their server usage and identifying which servers were required on premise, they identified over 20 servers which could be migrated into the cloud, streamlining their operations and reducing ICT operating costs.
Client Overview
A prominent Australian law firm that specialises in consumer law, encompassing Personal Injury, Class Actions, Commercial Litigation, and Employment Law.
Since its establishment in 1935, the firm has expanded to become one of the largest nationally, with a presence in over 40 office locations throughout Australia.