Cyberattacks continue to gain momentum and become increasingly sophisticated – and this frightening trend is not set to slow down.
In the last twelve months, 39% of UK businesses have identified a cyberattack, but the issue is potentially much bigger. The UK Government’s Cybersecurity Breaches survey found that enhanced cybersecurity leads to higher identification of attacks, which suggests that organisations with lower cyber maturity may be underreporting. The key point is that if an organisation does not have the right monitoring in place, how does it even know that it has been breached?
Unfortunately, there is no easy answer. Cybersecurity defences are multifaceted and vary between organisations, depending on size, scale, budget, industry vertical, and even geography. Both senior executives and security professionals realise that more work must be done to advance security roadmaps in line with budgets and business objectives.
By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.
A cybersecurity strategy, however, is not a tick-box exercise. It continually evolves in line with the growing threat landscape and requires ongoing commitment.
IT and cybersecurity have become more integrated. As a result, 68% of Chief Information Security Officers (CISOs) say they can now meet their security posture objectives.
Why is the problem so complicated?
A move to hybrid working and accelerated migration to the cloud has seen a significant rise in anytime, anywhere, any-device working, expanding the vulnerability landscape. As a result, attacks have grown accordingly. According to the Anti-Phishing Working Group (APWG), 3 million phishing attacks happened in the third quarter of 2022 alone. This represented the worst quarter the group has ever reported.
Technology advancements have seen organisations utilise cloud-native tooling to help their security posture. While this brings cost savings, such tooling does not always give the functionality and visibility organisations require. This presents new challenges to security teams, who might want to implement more costly tools that give better visibility, whereas the business may prefer the cloud-native tooling because it is more cost effective.
79% of business leaders say that keeping up with the speed of digital and other transformations is a significant management challenge.
Multi-clouds are a hunting ground for cybercriminals.
Cybercriminals are increasingly targeting cloud infrastructures to exploit vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration.
Cloud estates are becoming incredibly complex. It is estimated that many organisations now have at least eight clouds, including Software as a Service (SaaS) from different providers. Malicious actors are exploiting deficiencies in connections and access points to launch attacks.
According to the Joint Cybersecurity Advisory, made up of cybersecurity authorities from the UK, US, and Australia, cybercriminals have ramped up their ransomware attacks on the cloud, and we expect this trend to continue to grow given the success it has had for cybercriminals.
This includes exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software.
SASE: the answer to enhancing network security
The network infrastructure has also changed. The network edge now exists wherever users are logging on. Applications have moved from corporate data centres into the cloud and to Software as a Service (SaaS) providers. This means that security needs to change to close the vulnerabilities that can be accessed anytime, anywhere.
SASE (Secure Access Service Edge) provides centralised management and visibility of all users, devices, and connections running via the cloud. A key benefit is that it reduces the complexity of setting up secure connections for users, wherever they are, because security is offered on a per-use basis using zero trust. The zero-trust model does not trust any user or any device by default. Strict identity verification is required to access resources on the network, whether users are inside or outside the network perimeter.
The move to a digital-first era
As digital-first increasingly becomes a way of life, organisations must create greater confidence in security across the entire business ecosystem. Now is the time to bolster defences to mitigate risk and robustly safeguard users, partners, suppliers, and customers. Telstra Purple will help you to limit exposure to security threats.
Ensure you have the right foundations
Users must understand what is right and wrong in the organisation from a security perspective. You need a suite of appropriately shaped and sized policies, relevant to your business to inform end users precisely what their expectations are when using IT systems and provide the appropriate cybersecurity training.
From the top down
The board needs to be cybersecurity aware. It must have the correct information to make decisions on risk. Provide training to the board on cybersecurity so that they can support messaging from the top down but more importantly challenge what their cybersecurity and IT teams are telling them.
Cybersecurity plans must have direction
Some organisations embark on a security strategy to address the areas that the CISO feels pose the most immediate risks. Although this is not an incorrect approach, an organisation must take a holistic view before moving forward with a security strategy. This includes carrying out an assessment and determining a roadmap. Ensuring the strategy is aligned to business goals and communicated to the broader business will make it more successful, especially if it is something that everyone in the business buys into.
Secure your users at work and in the real world
Generic security awareness training, although helpful, doesn’t answer all the questions. Users need to be secure in their roles, and their training should be outlined accordingly. Employees should act safely, whether at home, at work, or on the road – allowing them to become the first line of defence.
Tooling has a place in the market
If implemented correctly, technology such as Endpoint Detection and Response (EDR) can act as a first line of defence. These automated tools can detect anomalies and isolate the machine from the network, stopping ransomware spread. It should be noted that technology and people have to work together with the right processes to be successful.
Visibility is key
As the threat landscape grows, monitoring is increasingly focusing on User and Entity Behaviour Analytics (UEBA), which looks for behavioural patterns of users rather than just machines. We see a move in the industry to ingest only the logs that yield useful patterns, rather than everything available. The cost of data transmission, particularly in cloud environments, means that architecting the SOC/SIEM platform and its data flows is essential; otherwise, an expensive investment could become even more costly.
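To make the user-centric point concrete, the following is an added illustration (not Telstra Purple's code or any product's logic) of the kind of per-user baseline a UEBA rule builds, run over a handful of constructed authentication events. It also shows the cost angle: only events that deviate from a user's baseline are forwarded to the SIEM; the user names, hosts and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, source_host, source_country).
TRAINING = [  # a quiet week used to learn each user's normal behaviour
    ("2023-03-01T08:05:00", "alice", "lt-alice", "GB"),
    ("2023-03-01T08:40:00", "bob", "lt-bob", "GB"),
    ("2023-03-02T09:10:00", "alice", "lt-alice", "GB"),
    ("2023-03-02T08:55:00", "bob", "lt-bob", "GB"),
    ("2023-03-03T08:20:00", "alice", "lt-alice", "GB"),
    ("2023-03-03T09:05:00", "bob", "lt-bob", "GB"),
]
LIVE = [  # later events to score against the learned baselines
    ("2023-03-04T03:15:00", "alice", "vm-build-7", "RO"),  # off-hours, new host, new country
    ("2023-03-04T08:45:00", "bob", "lt-bob", "GB"),        # entirely routine
]

def hour_bucket(ts):
    """Collapse the login hour into 4-hour buckets so 08:xx and 09:xx count as the same habit."""
    return datetime.fromisoformat(ts).hour // 4

def build_baselines(events):
    """Learn, per user, the hosts, countries and hour buckets seen in the training window."""
    base = defaultdict(lambda: {"host": set(), "country": set(), "hour": set()})
    for ts, user, host, country in events:
        base[user]["host"].add(host)
        base[user]["country"].add(country)
        base[user]["hour"].add(hour_bucket(ts))
    return base

def score_event(baseline, event):
    """Count how many attributes of this login are new for this user (0 = fully normal, 3 = all new)."""
    ts, user, host, country = event
    profile = baseline.get(user)
    if profile is None:
        return 3  # never-seen user: every attribute is novel
    return sum([host not in profile["host"],
                country not in profile["country"],
                hour_bucket(ts) not in profile["hour"]])

def anomalous_events(training, live, threshold=2):
    """Return only the live events worth forwarding to the SIEM, paired with their scores."""
    baseline = build_baselines(training)
    return [(e, s) for e in live if (s := score_event(baseline, e)) >= threshold]

if __name__ == "__main__":
    for event, score in anomalous_events(TRAINING, LIVE):
        print(f"score={score} user={event[1]} host={event[2]} country={event[3]} at {event[0]}")
```

Note that a machine-centric view would see nothing odd about a build VM authenticating at 03:15; it is only against alice's own history that the event stands out.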
It is not just about robots and AI
Organisations are moving to security orchestration, automation and response (SOAR), robotics, and AI. However, this is not a magic bullet, and enterprises need to assess processes to understand which elements can and cannot be automated. Some platforms have AI built in, such as EDR and DLP platforms; however, these need rigorous testing, are rarely fully automated, and always require some human intervention.
Patch and patch again
The most significant entry point aside from phishing is through unpatched systems. There is no point in trying to protect an organisation if large backdoors are left open. Ensure that there is a holistic and effective patch management programme, including assessment and working with departments to patch systems to keep them up to date. For legacy systems that cannot be patched, it’s vital to ensure that there is an action plan to remediate them in the future.
Embed security risk into organisational risk
Suppose an organisation is exposed to specific threats that cannot be reduced by cybersecurity. These need to be flagged to the board and documented in an organisational risk framework. Such visibility is key for any security team to ensure that business-based decisions about cybersecurity risk can be made accurately.
Have the right people on the team
Organisations must understand their available resources based on the target operating model and strategy. Many organisations try to do much with too little regarding staff and skills. Organisations should look internally at what they can do and want to do and should look at hybrid or fully managed security services for those bits they choose not to do.
Third parties are not just third parties
Organisations should not forget that third parties can impact their security posture. Ensure that interconnections with third parties are understood, that it is clear what data is being shared, and, more importantly, that their security posture is known and treated as an extension of your own. Undertaking these simple steps will help reduce unnecessary risk.
Assurance is not a one-off exercise
Assurance is an ongoing process. In line with the PDCA (Plan, Do, Check, Act) principles, organisations will assess their third parties at the beginning of the contract, but the ongoing assessments tend to be ad hoc. The key is to ensure that security clauses are in contracts and that these are reviewed annually. Understanding the most critical suppliers and regularly having open and transparent conversations about security will ensure that incidents, and potential incidents, are understood quickly when a breach occurs.
Protect the right things and understand who has access to it
Recognising that not everything can be protected at the same level is crucial. Organisations need to understand the value of their data, which elements they want to protect, and with which controls. This exercise helps prioritise security investment and controls and allows the organisation to understand who has access to that data.
The technology world is changing so how do we keep on top of it?
Technology continues to develop at an astonishing pace. New tools, systems and approaches are being developed at an alarming rate, and technologists themselves are struggling to keep up with the pace of change. Therefore, ensuring that privacy-by-design principles are adhered to will mean that security considerations are sought for all solutions. Let’s not try to ensure that everything is secure in its implementation, but rather that security risks are identified wherever security controls cannot be met. It’s not about saying “No” but about saying “Yes” with options and risks identified.
Keep testing, testing, testing
The modern world of cyber threats, and the way that they are constantly evolving, means that attacks are almost impossible to predict. It is thus essential for organisations to test continually. This includes utilising third-party pen-testers, running tabletop crisis management exercises, and using breach and attack simulators, where appropriate. The more an organisation tests itself, the more structured and coordinated it will be when an attack happens.