Security leaders need to be considering how they can reorient their approach to cyber threats, understanding that attackers have the means to infiltrate even the most robust perimeters. By Chris Fisher.
Millions in both government funding and internal budgets is being funnelled into cybersecurity, with the intention of building resilience against sophisticated threats, indicating just how serious this issue has become.
The latest Australian federal budget includes an almost A$9.9 billion package to improve the country’s cybersecurity and intelligence capabilities, while in New Zealand, Gartner finds that 73 percent of CIOs expect cybersecurity to be their biggest technology investment in 2022.
Meanwhile, the number of threats continues to skyrocket. In 2021, 8,831 incidents were reported to CERT NZ, a 13 percent increase on 2020. Individuals, small businesses and large organisations from all over New Zealand submitted incident reports. Across the ditch in Australia, over the 2020/21 financial year, the Australian Cyber Security Centre (ACSC) received more than 67,500 cybercrime reports, an increase of nearly 13 percent from the previous year.
When it comes to cybersecurity, threats have become more sophisticated and devastating to even large companies with sizeable IT budgets, and the commentary on the topic can be overwhelmingly negative and complicated.
In a bid to sift fact from fiction, and provide actionable, tangible steps to creating a smarter security strategy, Vectra has released its ANZ Security Leaders Research Report, part of a larger global study of 1,800 security decision-makers, focusing on uncovering how today’s organisations are tackling complex, modern cyber threats.
Uncovering the problems with security
According to Vectra research, the same digital transformation that is powering innovation has also dramatically expanded the attack surface. From the rapid proliferation of cloud to the growing adoption of micro-services, DevOps and APIs, new pockets of opportunity are opening for cyber criminals to take advantage of.
To take an extreme example, in Australia, a report from ACSC found that a quarter of cyber incidents reported to security officials within one year targeted critical infrastructure, leading to potentially significant disruption in essential services, lost revenue and the potential of harm or loss of life.
This trend follows suit in New Zealand, with the annual National Cyber Security Centre (NCSC) Threat Report showing there were 404 incidents affecting nationally significant organisations in the 2020/21 year, a 15 percent increase on the previous year’s total.
Breaches today can disrupt operations, damage supply chains, destroy customer trust and open companies to regulatory fines. Oftentimes cyber-attacks cost companies a huge amount, to the point that they may not recover. In fact, in 2021 global data breach costs rose from $3.86 million to $4.24 million [on average per breach], and ransomware attacks that result in stolen data and lengthy operational outages can end up costing many times that. Some companies have reported losses in the millions. This evidence alone reveals why cybersecurity is now a board level issue.
Within this threat landscape, what has become abundantly clear is that the old ways of defending operations are no longer working. Whether it’s through system exploitation, phishing, using stolen accounts, or bypassing multi-factor authentication (MFA), there’s always a way in, and once inside, attackers are masters at staying hidden. To adequately defend against threats, security leaders and teams must evolve.
Four key factors that will drive change
The Vectra report found that in Australia and New Zealand:
• The majority (85 percent) of respondents stated that they felt traditional approaches wouldn’t protect against modern threats.
• Only 40 percent were confident their security tools would protect them.
• More than half (58 percent) reported they’d purchased a security solution that failed at least once.
• 60 percent were worried their tools had missed something.
• 57 percent felt it was possible or likely they’d been breached while being unaware of it.
These findings make it obvious that security leaders are thinking about security, are aware that they’re on the back foot, and are looking for a better approach.
The report also uncovered four key changes that can benefit organisations within the cybersecurity space.
For a start, a shift in thinking is required. Oftentimes, culture and mindset can be put aside in place of a technology solution, but this isn’t good enough.
Security leaders need to be considering how they can reorient their approach to threats, understanding that attackers have the means to infiltrate even the most robust perimeters, and how to build a strong foundation.
This starts at an employee level, first with the leaders within the organisation and then right down to the latest hire. A strong company culture with a security-first mindset will do a lot to build a strategy that works.
Part of the shift in thinking is to understand that a prevention first approach will no longer be enough. Legacy tooling and thinking is an impediment in the new threat landscape.
Even so, many organisations continue to over invest in a doomed prevention strategy that fails silently, leaving them open to being breached. We must move into detection over prevention thinking, and from here protect against attackers in the way they are actually operating, as opposed to how you may think they are.
Another key focus for security leaders is their relationship with C-suite management and the board.
As the propensity and cost of breaches increases, these key stakeholders are waking up to the risks posed by cyber-attacks, but they are not the experts.
Security leaders need to find more effective ways to communicate risk and educate on how best to mitigate these risks, and in doing so get crucial buy-in for their strategies.
Finally, the report found that legislation and guidelines offer a useful starting point for businesses, with guidance and regulations helping to ensure businesses have a base security layer within their organisation.
Even so, greater industry involvement and experience can help to make regulation more effective and offer a clearer understanding of the threat landscape, so leaders can move into implementing effective detection and response plans.
Genuine resilience
Genuine resilience begins with the right attitude. Many cybersecurity professionals understand that they simply can’t rely on legacy prevention-based tools any longer, nor can they rely on government advice and outdated input from boards.
By accepting this, CISOs can begin to create the right conditions for effective cyber risk management and stop breaches before they have a heavy impact.
By doing so, organisations will be able to continue to evolve their culture and security strategy to protect against threats and win in their area of expertise.
See: https://info.vectra.ai/leadership-survey-anz-2022
Chris Fisher is the director of security engineering for Vectra.ai in the Asia Pacific and Japan markets. His key responsibility is to ensure that Vectra’s customers have the security foundation to embrace new technology and lines of business, allowing them to digitally transform whilst reducing business risk and improving their security posture.