Protecting your business is about cyber resilience, not just cyber security

Editor of Cyber Security Connect Liam Garman sat down with Absolute Software cyber security evangelist Torsten George to unpack how Australian organisations can strengthen their cyber security posture amid a worsening security environment.

The pair’s Q&A session shortly followed Dr George’s international tour, speaking with cyber security thought leaders and experts across the globe.

Liam: Has the Australian government placed sufficient emphasis on the need for businesses to secure their endpoint devices?

Dr Torsten George: If you take the Australian Cyber Security Centre’s Essential Eight as an example of guidance that the Australian government has provided to organisations when it comes to strengthening their cyber security posture and resiliency, you will notice that while some of the mitigation strategies touch upon endpoints, they are not fully focused on the protection of these devices.

This is not uncharacteristic — many of today’s security frameworks, industry standards, and government regulations “overlook” the importance that endpoints play in the cyber attack chain. A study by the Ponemon Institute revealed that 68 per cent of organisations suffered a successful endpoint attack within the last 12 months. Nonetheless, many organisations are still investing most of their funds in protecting their data repositories and are often treating their employees’ devices as an afterthought.

And even those organisations that are realising the importance of endpoint security are struggling with the fact that they must deal with a broad mix of networks, hardware, operating systems versions, and patches.

As an example, according to the Absolute 2023 Resilience Index, more than 80 per cent of devices use the Microsoft® Windows® OS, with the large majority on Windows 10. At first glance, this might appear homogenous and easy to manage; however, the reality is that IT practitioners are struggling to keep their employees’ endpoints up to date with 14 different versions and more than 800 builds and patches present.

Adding to the complexity, IT and security teams must deal with is the number of installed applications on devices. According to Absolute device telemetry data, there are 67 applications installed on the average enterprise device, with 10 per cent of those devices having more than 100 applications installed.

VIEW ALL

This complexity contributes to the fact that it takes, on average, 149 days for small companies, 151 days for medium and large enterprises, and 158 days for very large organisations to patch their endpoints’ operating systems.

In turn, it is apparent that it is no longer a matter of ‘if’ but ‘when’ an organisation will suffer a breach. This means that instead of exclusively focusing efforts on preventing an attack, it is important to develop a plan to reduce the impact when a successful attack occurs. This is why many forward-thinking organisations are adopting a new strategy to cope with today’s increased cyber threats, called cyber resilience.

Is the SOCI Act sufficient to keep Australian organisations safe?

Similar to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), the SOCI Act provides a framework for managing risks relating to critical infrastructure providers. It’s not specifically calling out that the framework is also applicable to the common enterprise.

However, you would hope that, like it was the case with the NIST CSF, all organisations would apply these best practices in their day-to-day cyber defence strategy. This holds especially true as the SOCI Act sends a clear message to responsible entities of critical infrastructure assets that risk management (including cyber security risk management) must be prioritised and form part of the organisation’s core business activity.

Taking a risk-based approach to compliance will allow organisations to strengthen their security posture as it will allow them to focus on what matters most to them rather than pursuing a checkbox mentality. In addition, the SOCI Act is not a ‘toothless’ government regulation but instead comes with hefty penalties for breaches of the risk management program and enhanced cyber security obligations.

Nonetheless, solely relying on deploying the recommended security controls is not sufficient to make organisations safe, as they would otherwise be deceived by a false sense of security. To make a real difference to the impact of cyber security incidents, cyber security priorities must shift from defensive strategies to the management of disruption through resilience.

What pieces of regulation or legislation have worked for international governments around endpoint security that the Australian government can learn from?

There are quite a few industry standards (e.g., ISO/IEC 27001, PCI DSS 4.0) and government regulations (e.g., HIPAA, Singapore MAS) that provide practical advice on what security controls to establish to minimise an organisation’s risk exposure — both company-wide and specific for endpoints. These controls range from encryption technology and endpoint detection and response tools to anti-malware solutions.

Unfortunately, these guidelines often lead organisations to believe that deploying more security solutions will result in greater protection against threats. However, the truth of the matter is very different. Gartner estimates that global spending on IT security and risk management solutions will exceed $183 billion annually in 2023, yet the breaches keep on coming. That’s probably because a large chunk of that money is being funnelled toward solutions that don’t address modern security problems and cover the ever-growing attack surface of modern enterprises. Hackers, for their part, are taking advantage of the fact that organisations and their workforce are relying on mobile devices, home computers, and laptops to connect to company networks to conduct business. In turn, these endpoint devices become the natural point of entry for many attacks.

So, to address a new challenge or threat, we purchase more solutions. We are spending tens of billions of dollars annually on endpoint security alone. In turn, it’s not surprising that there are more than 11 security applications installed on the average work-issued laptop.

Sadly, you can’t secure and ensure the efficacy of what you can’t see. An enterprise’s security posture is only as strong as the security controls that support it. If left unchecked, every security control deployed on the endpoint represents a potential vulnerability if it is not running and able to perform its job. Common decay, unintentional deletion, or malicious actions all impact the integrity and efficacy of security applications and endpoint management tools.

IT and security practitioners agree that security tools like endpoint protection platform (EPP), endpoint detection and response (EDR), anti-virus, etc., are essential to defend against attacks and, therefore, should always be running and up to date. Absolute’s data shows that 25 to 30 per cent of devices had unhealthy security controls, though. In turn, organisations need to be prepared for the worst-case scenario and, therefore, balance defensive measures with cyber resiliency — in this specific case, application resilience. With Absolute Application Resilience, we see initial app health scores leap from less than 50 per cent to close to 100 per cent, unassisted by IT.

Improving security uptime means closing the gap between cyber risk and cyber resilience.

With businesses slow to end hybrid work, what risks are they facing that they did not face before? And what crucial advice can you offer them?

To support the sudden shift to remote working, many companies had to adopt a “move first, plan later” approach and leave their network-centric security bubble behind that allowed IT teams to own and control most of the network. Ultimately, punching holes in existing security controls in the name of business continuity created vulnerabilities and exposed many organisations to increased risks.

These gaps ranged from

• sensitive data exposure – on average, 73 per cent of devices contained sensitive data as well as the amount of sensitive data significantly increased year over year by an average of 17 per cent;
• increased complexity of apps installed on laptops, which for the enterprise now accounts to an average 67 unique applications, including 11+ mission-critical ones;
• ultimately leading to the degradation of security controls, whereby 25 to 30 per cent of devices had unhealthy security controls at any given time.

As companies think through their long-term IT and security strategies in this new work-from-anywhere era, they need to consider the following four focus areas:

• Always-on visibility and control – Organisations should deploy technology that allows for a higher level of visibility when users work from anywhere, ensuring a consistent experience regardless of location. Ultimately, you cannot remediate what you cannot see. Gaining uninterrupted visibility of all your employees’ endpoints, applications, data, and/or network connectivity — even if off your corporate network — is vital to establishing baselines and is needed to harden system configurations.
• Resilient endpoints – As the work-from-anywhere approach is putting a heavy emphasis on the availability and security of endpoints that are the main productivity tool and access point to corporate resources, organisations need to assure that the devices as well as all installed mission-critical applications are always functioning. Thus, making each endpoint resilient (and intelligent) is paramount to supporting and securing your anywhere workforce and goes far beyond the self-healing cyber security systems you might have read about.
• Resilient zero-trust network access – To enable a secure and productive work-from-anywhere environment, it is vital to extend the concept of resilience beyond the endpoint and include network connectivity and critical applications as they are providing the necessary means for employees to get their job done. In this context, zero-trust network access (ZTNA) is a vital foundation to establish a secure services edge (SSE) paradigm, which requires the network to establish trust with an endpoint device that is constantly on the move and accessing a mix of corporate assets in the cloud, on-premises, or in a data centre using a host of Wi-Fi and cellular networks that are not necessarily owned by the organisation.
• Consistent end-user experience – Besides IT manageability and core security aspects, organisations need to focus on the remote worker itself and assure they have the insights and visibility from endpoint to network edge impacting the user experience, including device issues (e.g., outdated OS systems, hard drive capacity), home office Wi-Fi and network issues, VPN tunnel performance issues, and problems with the applications itself (e.g., due to software decay, collision, or malicious activity), allowing IT to quickly identify the root cause and remediate the issues.

What are some case studies where malicious actors have exploited a simple endpoint that resulted in a substantial data breach?

In February 2023, LastPass, a password management firm, made headlines by revealing that one of their DevOps engineers had a personal home computer hacked and implanted with keylogging malware, which subsequently led to the exfiltration of corporate data from the vendor’s cloud storage resources. The story shines a rare spotlight on the importance of endpoint resilience. Typically, media coverage of mega breaches focuses on the tail end of the cyber attack life cycle, namely the exfiltration points, rather than how the threat actor got there. However, post-mortem analysis has repeatedly found that the most common source of a hack is compromised credentials that are subsequently used to establish a beach head on an end-user endpoint (e.g., desktop, laptop, or mobile device). This is why in-depth cyber security strategies should incorporate endpoint resiliency as an essential component of the overall approach.

Liam Garman

Liam Garman is the editor of leading Australian security and defence publications Cyber Daily and Defence Connect. 

Liam began his career as a speech writer at New South Wales Parliament before working for world leading campaigns and research agencies in Sydney and Auckland. Throughout his career, Liam has managed and executed a range of international media and communications campaigns spanning politics, business, industrial relations and infrastructure. He’s since shifted his attention to researching and writing extensively on geopolitics and defence, specifically in North Africa, the Middle East and Asia. He holds a Bachelor of Commerce from the University of Sydney and a Masters of Strategy and Security from UNSW Canberra, with a thesis on postmodernism and disinformation operations.