No matter what statistic you look at, cybersecurity attacks and data breaches are on the rise.
The Covid-19 pandemic has accelerated the trend for businesses to move operations online. The latest OAIC report revealed another jump in cyber risk, with malicious or criminal attacks accounting for the majority (58%) of notified data breaches. At the same time, our lack of preparedness is costing Australian businesses AUD 276,000 per cybercrime on average.
Continuing to take the same approach to cybersecurity – with a focus on user awareness, user access control, traffic monitoring, protecting endpoint devices, data networks and computing infrastructure – is not slowing down the number of successful attacks, data breaches, or their impact.
While they have their place, these legacy security measures alone are not enough. Instead, organisations must focus on embedding data security into their business practices and processes.
A growing cyber risk profile
Attackers will always find weaknesses to exploit, especially as we continue to digitise and adapt to a constantly evolving economy.
There are three key factors that should prompt Australian businesses to rethink their cybersecurity approach in 2021:
- Everything is digitising – as Covid-19 accelerated the pace of digitisation, organisations have had to quickly adapt. As a result, many have ended up with disparate digital platforms that offer exploitable security gaps and lack coherent cyber defence.
- Data is spreading and is less visible to IT – the recent digital shift has led to a much wider distribution of data, and more complex digital environments. Sensitive data has become harder to locate and IT teams are struggling to deal with an unprecedented “data sprawl.”
- 5G – while still at the bottom of most IT teams’ priorities, more digital initiatives are set to rely on 5G networks in the coming years. The potential of 5G is significant, but the broad reach of the technology itself, connecting many more devices and operational systems outside the traditional perimeter, poses new risks to securing the business and the operational data it collects.
We must understand that not every piece of digital ground is defensible. It is therefore important to pick digital terrain that favours the defender rather than the attacker. Embedding security at the core of the business makes our digital terrain much safer and more easily defended.
Embedding security: 2021’s greatest opportunity?
So far, we’ve approached cybersecurity like early car safety: focusing on the driver's skills and road quality, when we know the embedding of safety (like seatbelts and airbags) into vehicles themselves is what keeps drivers safe.
Most IT teams are prioritising cyber-awareness training, securing access, securing networks and monitoring traffic, when the data shows such initiatives are not driving down successful attacks and breaches.
Unfortunately, humans are often the biggest risk to data. Users are the most difficult part of an organisation to equip with consistent and reliable cyber defence, as they tend to be highly visible and exposed. The OAIC report reminds us how much: it shows an 18% jump in the number of data breaches resulting from human error last year, which accounted for 38% of all breach notifications.
We cannot fully rely on users for a successful cyber defence.
Embedding security at the organisation’s core means shifting our focus to securing systems, business processes, and prioritising data protection best practices. This requires four main levels of rethinking and investment:
- Prioritising system protection by codifying security: machine certificates and identities, data encryption and anonymisation, and stricter, more granular access controls enforced in the systems themselves. Once codified, these controls can be automated and orchestrated, meeting the business need to accelerate digital programs while no longer depending on user behaviour or on the underlying computing infrastructure for security.
- Consolidating and integrating disparate systems, so IT teams can take the invisibility cloak off the growing pool of hidden data. This, in turn, will make it easier to add high levels of security automation and codification, so security can be consistently embedded in any system.
- Centralising systems and security tools. A centralised approach is essential for IT teams to locate, categorise, secure, report and enforce their embedded cybersecurity controls and processes.
- Security embedding needs to go beyond the technology itself and become an intrinsic part of executive leadership and business processes. It’s about creating a proactive, security-first mindset from the CEO down. The embedded security approach to technology and data will then organically follow.
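The first of these four levels is the one that translates most directly into code. The following is an added example, not code from the original article or from any vendor it describes: it shows what "codified" protection looks like in a data path. A caller must present a verified machine identity, sensitive fields are pseudonymised with a keyed hash so they can still be joined and counted without exposing the raw value, a per-role policy decides which sensitive fields come back in clear, and every decision is written to an audit trail. The roles, field names, sample record and key are constructed for the example; in a real deployment the key would come from a secrets manager or HSM and the audit log would be shipped to a SIEM.

```python
"""Added example: security codified into the data path rather than delegated
to users. Sensitive fields are pseudonymised with a keyed hash, a caller must
present a verified machine identity, and a per-role policy decides which
fields are returned in clear. Names, roles, key and data are constructed for
the example; they are not from the original article."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: in a real deployment this key is issued by a secrets manager or
# HSM and rotated; it is hard-coded here only so the example runs offline.
PSEUDONYMISATION_KEY = b"example-key-rotate-via-secrets-manager"

# Constructed data classification: fields that must never reach a caller in
# clear unless policy explicitly grants it.
SENSITIVE_FIELDS: Set[str] = {"email", "tax_file_number"}

# Constructed policy: role -> sensitive fields that role may read in clear.
# Non-sensitive fields are always returned; anything not granted is pseudonymised.
POLICY: Dict[str, Set[str]] = {
    "analyst": set(),                         # reporting: never sees PII in clear
    "support": {"email"},                     # needs to contact the customer
    "auditor": {"email", "tax_file_number"},  # full access, recorded in the audit log
}


@dataclass(frozen=True)
class Principal:
    identity: str        # e.g. a service account or workload name
    role: str
    mtls_verified: bool  # True only if the caller's client certificate was validated


class AccessDenied(Exception):
    pass


AUDIT_LOG: List[str] = []  # in production: append-only, shipped to a SIEM


def pseudonymise(value: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    Deterministic so records can still be joined and counted across systems;
    keyed so the pseudonym cannot be reversed by hashing guessed values offline."""
    return hmac.new(PSEUDONYMISATION_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def view_record(principal: Principal, record: Dict[str, str]) -> Dict[str, str]:
    """Return the record as this principal is allowed to see it.

    The checks live here, in the data path, so no user decision can skip them."""
    if not principal.mtls_verified:
        AUDIT_LOG.append(f"DENY {principal.identity}: no verified machine identity")
        raise AccessDenied(f"{principal.identity}: no verified machine identity")
    allowed_clear = POLICY.get(principal.role)
    if allowed_clear is None:  # default deny for roles the policy does not know
        AUDIT_LOG.append(f"DENY {principal.identity}: unknown role {principal.role!r}")
        raise AccessDenied(f"{principal.identity}: unknown role {principal.role!r}")

    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS and field not in allowed_clear:
            out[field] = pseudonymise(value)
        else:
            out[field] = value
    AUDIT_LOG.append(
        f"ALLOW {principal.identity} role={principal.role} "
        f"clear={sorted(allowed_clear & SENSITIVE_FIELDS)} "
        f"record={record.get('customer_id', '?')}"
    )
    return out


# Constructed sample record.
SAMPLE_RECORD: Dict[str, str] = {
    "customer_id": "C-1001",
    "plan": "pro",
    "email": "jane@example.com",
    "tax_file_number": "123456782",
}

if __name__ == "__main__":
    print(view_record(Principal("svc-reporting", "analyst", mtls_verified=True), SAMPLE_RECORD))
    print(view_record(Principal("svc-audit", "auditor", mtls_verified=True), SAMPLE_RECORD))
    try:
        view_record(Principal("laptop-7", "auditor", mtls_verified=False), SAMPLE_RECORD)
    except AccessDenied as exc:
        print("denied:", exc)
    print("\n".join(AUDIT_LOG))
```

The point of the design is that the analyst role gets a record it can still report on (the pseudonym is stable, so counts and joins work) without ever holding the customer's email or tax file number, and a caller without a validated client certificate gets nothing at all, regardless of which role it claims. Because the decision is made by the code, it is the same on every request and can be tested, versioned and reviewed like any other change.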
Until we change our current cybersecurity approach, attacks will continue to rise, and businesses will continue to pay the price. IT teams have a key role to play in reframing the cybersecurity strategy and mindset of their organisations. It starts with embedding security into their digital processes, instead of continuing down the traditional path of relying on users and infrastructure, which the breach figures show is not working.