In Australia, as in the rest of the world, the threat of cybercrime is rising.
Cyber criminals are hitting an increasing array of targets and no organisation is too big or too small to fall victim.
COVID-19 forced many businesses to rapidly become more digital, with many people working from home for the first time. Now, having seen what hybrid working can do for productivity, flexibility, and the availability of skills, many businesses are adopting it permanently.
The advantages are too big to ignore, but successfully introducing the hybrid work model means adopting both the culture and technology that keeps a business safe against the rising tide of threats.
The numbers show the startling size of the problem. The federal government’s Australian Cyber Security Centre (ACSC) recently reported there were more than 67,500 cybercrime reports made in the 2020-21 financial year, about the equivalent of one every eight minutes. The number of reports was up 13 per cent on the year before and a larger proportion of those incidents had a “substantial” impact compared to previous years.
“No sector of the Australian economy was immune from the impacts of cybercrime and other malicious cyber activity. Government agencies at all levels, large organisations, critical infrastructure providers, small to medium enterprises, families and individuals were all targeted,” the report says.
Many businesses aren’t big enough to have a dedicated security team to deal with the growing threats, but they also can’t afford not to engage with the digital economy. Businesses that have long relied on being “too small” to be a target may have very few defences in place, making them especially vulnerable.
That has to change, because with so-called “island hopping” attacks on the rise, exposed systems in one business can potentially provide attackers with a gateway to the systems of their suppliers, customers and other organisations.
Security can’t be just an add-on or afterthought anymore. It has to become part of a business’ culture, just as locking the doors of offices and factories has been for generations.
The human factor
Many methods criminals exploit to attack businesses rely on a human factor, such as tricking someone into clicking on an email link or downloading malicious software like ransomware. Once underway, cyber attacks can be difficult to stop, so having staff that are properly trained and alert to cybersecurity threats is a vital first line of defence - even more so when people are working from home on their computers.
Many employees can now work from anywhere there is an internet connection, making modern unified communications systems a vital link to provide the training and resources to build a security culture. It also goes without saying that the systems used to do this should be highly secure.
And training can’t be a “set and forget” one-off, because threats constantly evolve. Everyone needs to understand their own responsibility in keeping the organisation safe.
Not for sharing
Another line of defence is to make sure systems access is limited to only those who need it. Attackers use compromised accounts to work their way into more important systems, so it’s crucial people only have access to the things they really need.
It’s been said so often, but logins and passwords can't be shared, and simple, easy-to-guess passwords must be changed. Such basic measures have been best practice for a long time, but it’s amazing how many businesses still don’t enforce them.
Even better, use multi-factor authentication that requires a user to verify who they are using more than one method. Secure access codes, and SMS and email verification are among the more common ways of doing this, providing an additional layer of defence that substantially increases security.
More businesses are using apps and other systems delivered from the cloud. Cloud systems can offer huge advantages like increased capability and scale, and they’re particularly well suited to hybrid working. And because of the way they’re delivered, the updates and patches required by conventional, locally installed software are managed centrally, making it less likely systems will become out of date and vulnerable.
But like hybrid working, cloud systems do bring another dimension to the security culture required. Delivered remotely, they increasingly rely on “zero trust” security architecture, which requires every part of the IT infrastructure stack, from the user and their device at the network edge, all the way to the databases they are working with, to identify and verify itself, as well as enact security policies.
Hybrid working and the cloud have also made the public internet a vital part of most businesses’ infrastructure, so defending the connections between users and systems, with methods including software-defined wide area networks (SD-WANs) and virtual private networks (VPNs), is now required.
The security environment that businesses need to manage is getting more complex, and a “security as a service” (SECaaS) market has developed to allow companies to bring in capabilities that in many cases they wouldn’t be able to develop and maintain in-house. It’s part of a shift to cloud services that allows even small companies to adopt a “best of breed” approach to their technology systems, choosing the apps and services that work best for their business, staff and customers.
But as hybrid working becomes entrenched as a normal part of life, the people and culture around security will remain vital. Wherever they are working and whatever they are doing, everyone is on the security team now.