Cybersecurity controls
To achieve these objectives and mitigate these cybersecurity risks, security mechanisms need to be implemented with the objectives of protecting information assets, detecting malicious activity when (not if) it occurs, and responding effectively to that malicious activity to minimise the impact on the business.
Different controls need to be implemented at different layers of the environment, across the spectrum of components outlined as follows.
Things we protect:
Servers
Desktops
Mobile devices
Networks
Data storage
Business applications
How we protect them:
Policy and policy management
Software updates
Configurations
Security products
Application software controls
Protection
First and foremost, we try to protect our information assets and systems against attack. Protection strategies are our first line of defence, and breaches are often a failure of protection strategies.
Protective controls include the following measures:
Identification. To have confidence in accountability for users, whether human users or system components acting on their own behalf (service accounts, for example), we need to have identification, such as usernames.
Authentication. We also need to be able to authenticate that identification (e.g., passwords or fingerprints). Multifactor authentication is a core feature of identity and access management (IAM).
Authorization. In addition to authentication, we need to make sure a user is authorized to conduct transactions — verification of the user’s level of authority for particular types of access or transactions.
Protecting secrets. We need to ensure that sensitive data is unreadable to anyone who does not hold the key, e.g., encryption of credit card or other sensitive information:
At rest — While being stored (disk, database and backup encryption)
In process — While being processed (also called 'in use'; the hardest of the three, since the data must be decrypted at some point to be worked on)
In transit — While being transmitted (e.g., TLS)
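As an added example (not code from the original page): protecting a stored card number at rest with AES-256-GCM in Go, using only the standard library. The record identifier, the key handling and the test card number are assumptions constructed for the example. GCM's authentication tag is what makes the stored value tamper-evident, so the checks also show a flipped byte, and a ciphertext moved to another customer's record, being rejected rather than decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptField seals one sensitive field (here a card number) for storage at
// rest with AES-256-GCM. The record ID is bound in as additional authenticated
// data (AAD) so a stored ciphertext cannot be moved to another customer's
// record without detection. Output layout: nonce || ciphertext || tag.
func encryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptField reverses encryptField. gcm.Open checks the authentication tag
// before returning anything, so any change to nonce, ciphertext or AAD yields
// an error and no plaintext.
func decryptField(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// Checks runs the three scenarios a practitioner should test: the round trip
// succeeds, a flipped ciphertext byte is rejected, and a ciphertext re-attached
// to a different record is rejected.
func Checks() (roundTrip, tamperRejected, wrongRecordRejected bool, err error) {
	key := make([]byte, 32) // in production this comes from a KMS/HSM, not the database
	if _, err = rand.Read(key); err != nil {
		return
	}
	card := []byte("4111111111111111") // constructed test number, not a real account
	blob, err := encryptField(key, "customer-1001", card)
	if err != nil {
		return
	}
	got, err := decryptField(key, "customer-1001", blob)
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, card)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, tErr := decryptField(key, "customer-1001", tampered)
	tamperRejected = tErr != nil

	_, rErr := decryptField(key, "customer-2002", blob) // same blob, wrong record
	wrongRecordRejected = rErr != nil
	return
}

func main() {
	rt, tr, wr, err := Checks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip=%v tamper rejected=%v wrong record rejected=%v\n", rt, tr, wr)
}
```

The secret that needs protecting is the key, not the algorithm: store it separately from the data it protects, and rotate it by re-encrypting rather than by sharing it more widely.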
Strong identification
Common, easily implemented methods of identification and authentication include:
Something you know, such as passwords (password quality matters: length, uniqueness across services, and screening against lists of known-breached passwords)
Something you have, such as a hardware token or a one-time code generated by an authenticator app or sent to you via text message (SMS codes are the weakest of these, since they can be intercepted or redirected)
Something you are, such as biometrics like fingerprint, facial scan, and palm print scans
Multifactor or two-factor authentication (2FA) combines factors from different categories, such as a password and a token, and is increasingly in use today.
Certificates are a significant underpinning of security systems, especially where payments or particularly sensitive information are involved. Certificates are used for all kinds of practical applications, including the transmission of confidential information and the digital signing of documents.
Certificates are used in what is referred to as a 'handshake' procedure (as in TLS) to verify the identity of the party at the other end, to agree on the keys that encrypt the confidential information that follows, and to let the receiver know whether the information has been tampered with, since the digital signature or message authentication code that protects it fails to verify if anything was changed.
A certificate binds a public key to an identity and is signed by an issuer. The matching private key is not part of the certificate; it must be kept secure by its owner and never passed between parties. Within an organization, certificates can be centrally managed (an internal PKI) so that users can look up the certificate, and with it the public key, of someone to whom they want to send encrypted information. For external use, certificates are issued by third-party certificate authorities that verify the identity of the parties before issuing them.
Man-in-the-middle attacks
Certificates are essential for defeating man-in-the-middle (MitM) attacks. MitM is the term used for attacks in which the attacker independently makes connections with the victims and relays messages between them to create the impression that they are communicating directly with each other when, in fact, the attacker is controlling the conversation. A client is protected only if it checks both that the server's certificate chains to a certificate authority it trusts and that the name in the certificate matches the host it intended to reach; skipping either check lets an attacker present a certificate of their own.
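The two checks above, as an added Go example that is not code from the page: an in-memory root CA issues a server certificate for shop.example.com, and the client-side verification is then run against three certificates: the legitimate one, a genuine certificate from the same trusted CA but for a name the attacker controls, and a certificate for the right name signed by a CA the client does not trust. The CA names, host names and key type are assumptions for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: key generation and certificate creation only
// fail if the OS random source is broken, which is not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a self-signed root in memory. In practice this is a public CA
// or the organization's internal PKI; the name is an assumption for the example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueLeaf has the CA sign a server certificate binding a fresh public key to
// `host`. The server's private key is generated here and discarded: only the
// public half ever appears in the certificate.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname matching uses the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// verifyServerCert is the client-side check that defeats a MitM: the chain must
// end in a trusted root AND the certificate must be for the host the client
// meant to reach. Dropping either condition lets an attacker's certificate through.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, wantHost string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   wantHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios verifies three certificates a client connecting to shop.example.com
// might be shown and returns the outcome of each (nil means accepted).
func Scenarios() map[string]error {
	trustedCA, trustedKey := newCA("Example Trusted Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	legit := issueLeaf(trustedCA, trustedKey, "shop.example.com")
	// MitM attempt 1: a genuine certificate from the trusted CA, but for a host
	// the attacker owns. The chain verifies; the name does not.
	wrongName := issueLeaf(trustedCA, trustedKey, "attacker.example.net")
	// MitM attempt 2: the right name, signed by a CA the client does not trust.
	rogueCA, rogueKey := newCA("Rogue CA")
	forged := issueLeaf(rogueCA, rogueKey, "shop.example.com")
	return map[string]error{
		"legitimate":   verifyServerCert(legit, roots, "shop.example.com"),
		"wrong-name":   verifyServerCert(wrongName, roots, "shop.example.com"),
		"untrusted-ca": verifyServerCert(forged, roots, "shop.example.com"),
	}
}

func main() {
	res := Scenarios()
	for _, k := range []string{"legitimate", "wrong-name", "untrusted-ca"} {
		fmt.Printf("%-13s -> %v\n", k, res[k])
	}
}
```

Both attacker certificates are cryptographically valid; what rejects them is the client refusing to accept a name it did not ask for and a root it never trusted. Code that disables certificate verification "to make it work" removes exactly these two checks.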
Detection
In addition to protective or preventive strategies, it is also essential that entities employ detection strategies to identify when threats occur — the computer equivalent of the security camera.
Common detection strategies include the following:
Event monitoring. Events recorded in log files (authentication attempts, privilege changes, network connections) can be reviewed, ideally automatically, for unusual patterns of activity.
Intrusion detection and prevention systems. IDS/IPS products monitor networks or hosts continuously against known attack signatures and behavioural baselines; an IPS can also block the traffic it flags.
Threat monitoring. The security community can study the tools and techniques attackers use to develop ‘threat intelligence’ that can inform the development of new controls.
User reports. User reports can also be helpful in identifying unusual activity.
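An added example of event monitoring (not code from the original page): a brute-force detector in Go run over a few constructed authentication log lines. The log format, the threshold of 5 failures within 60 seconds and the IP addresses are assumptions made up for the example, and lines are assumed to arrive in time order. Beyond the plain burst detection, it raises a higher-priority alert when a flagged source then logs in successfully, and it reports unparseable lines instead of dropping them.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleLog is constructed for this example: one authentication event per line,
// in time order, shaped "<RFC3339 time> auth <FAIL|OK> user=<name> src=<ip>".
var sampleLog = []string{
	"2025-03-01T10:00:01Z auth FAIL user=admin src=203.0.113.7",
	"2025-03-01T10:00:03Z auth FAIL user=admin src=203.0.113.7",
	"2025-03-01T10:00:04Z auth OK user=jsmith src=198.51.100.20",
	"2025-03-01T10:00:06Z auth FAIL user=root src=203.0.113.7",
	"2025-03-01T10:00:09Z auth FAIL user=administrator src=203.0.113.7",
	"2025-03-01T10:00:12Z auth FAIL user=backup src=203.0.113.7",
	"2025-03-01T10:00:15Z auth OK user=backup src=203.0.113.7",
	"2025-03-01T10:09:00Z auth FAIL user=jsmith src=198.51.100.20",
	"2025-03-01T10:25:00Z auth FAIL user=jsmith src=198.51.100.20",
	"this line is corrupt and must not be silently dropped",
}

type authEvent struct {
	ts     time.Time
	result string // "FAIL" or "OK"
	user   string
	src    string
}

type alert struct {
	Src   string
	Kind  string // "brute-force" or "success-after-burst"
	Count int    // failures inside the window when the alert fired
}

// parseLine is strict: anything that does not match the expected shape is an
// error, so malformed or truncated telemetry surfaces instead of vanishing.
func parseLine(line string) (authEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "auth" || !strings.HasPrefix(f[3], "user=") || !strings.HasPrefix(f[4], "src=") {
		return authEvent{}, fmt.Errorf("unexpected format: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return authEvent{}, err
	}
	return authEvent{ts: ts, result: f[2], user: f[3][len("user="):], src: f[4][len("src="):]}, nil
}

// detectBruteForce raises one alert per source that accumulates `threshold`
// failures within `window`, and a second, higher-priority alert if that source
// then authenticates successfully (a guessed or stuffed credential). Unparsed
// lines are returned to the caller: gaps in telemetry are themselves a finding.
func detectBruteForce(lines []string, threshold int, window time.Duration) ([]alert, []string) {
	type state struct {
		failures []time.Time // timestamps of failures still inside the window
		flagged  bool
	}
	states := map[string]*state{}
	var alerts []alert
	var unparsed []string
	for _, line := range lines {
		e, err := parseLine(line)
		if err != nil {
			unparsed = append(unparsed, line)
			continue
		}
		st := states[e.src]
		if st == nil {
			st = &state{}
			states[e.src] = st
		}
		switch e.result {
		case "FAIL":
			st.failures = append(st.failures, e.ts)
			cut := e.ts.Add(-window)
			for len(st.failures) > 0 && st.failures[0].Before(cut) {
				st.failures = st.failures[1:] // slide the window forward
			}
			if len(st.failures) >= threshold && !st.flagged {
				st.flagged = true
				alerts = append(alerts, alert{e.src, "brute-force", len(st.failures)})
			}
		case "OK":
			if st.flagged {
				alerts = append(alerts, alert{e.src, "success-after-burst", len(st.failures)})
			}
		}
	}
	return alerts, unparsed
}

func main() {
	alerts, bad := detectBruteForce(sampleLog, 5, time.Minute)
	for _, a := range alerts {
		fmt.Printf("ALERT %-20s src=%s failures=%d\n", a.Kind, a.Src, a.Count)
	}
	fmt.Printf("%d unparsed line(s)\n", len(bad))
}
```

On the sample data the two failures from 198.51.100.20 are sixteen minutes apart and never trip the threshold, while 203.0.113.7 is flagged on its fifth failure and again when its sixth attempt succeeds; the second alert is the one that should page someone.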
Response
Part of the evolution of cybersecurity is the advent of ‘computer incident response teams’ (CIRTs), sometimes referred to as computer security incident response teams (CSIRTs).
The primary functions of the response team are to
reduce losses;
help the business get back into business quickly;
support investigations when necessary — law enforcement, forensic;
provide decision support during incident — plan of action, informed decisions; and
facilitate crisis communications — customers, law enforcement, media, etc.
Breach identification and containment
The time to identify and contain a data breach dropped to a nine-year low.
241 days — Average time to identify and contain a breach
276 days — Breaches across multiple environments took the longest
$1.14 million — Average cost savings of containing a breach in less than 200 days versus more than 200 days
80 days — Average reduction in time, with extensive use of AI and automation, to identify and contain a breach
Source: IBM Cost of a Data Breach Report 2025
Security AI and automation
32% — Share of companies using AI and automation extensively across prevention, detection, investigation, and response
$1.9 million — Lower average breach costs incurred by companies making extensive use of AI and automation versus no use of AI and automation