What Australian businesses must learn from a year of sophisticated cyber threats

Economies and enterprises across the world had to deal with sophisticated cyber attacks borne from an increased exposure to supply chain risks. Public cyber incidents, such as those at Tasmania Ambulance, Western Australia Parliament, Facebook, JBS Foods and Optus are just some of the many security breaches Australia faced in 2021.

IBM’s threat index report showed that Australia was the third most attacked country in Asia-Pacific after Japan and India. The average cost of a data breach for Australian companies was $3.7 million per incident, up 10 per cent from 2020 and hitting an all-time high in the last 12 years. The rapid shift to remote operations during the pandemic led to more expensive data breaches as well.

And the threats kept coming. The most recent threat, Log4Shell, has been dubbed one of the worst supply chain risks ever discovered. Through an open-source vulnerability included in many software offerings, attackers were presented with an opportunity to gain access to internal enterprise networks and a new channel that could be exploited to loot valuable data, seed malware, and mine cryptocurrencies. Developing a security patch has been a global effort across most software providers. But we must all spare a thought for operations teams who were tasked with mitigating this threat over the holiday season.

If 2021 taught us anything, it’s that cyber security will continue to be one of the great challenges of our era. Enterprises must adopt an ongoing holistic approach to mitigate cyber risks. Unfortunately, many cyber security efforts continue to be under resourced to address these threats and priorities, making board involvement critical in acknowledging the responsibility and investment required.

It is past time for boards to be involved in cyber security

According to GlobalData, the total addressable market size of IT security in Australia, in terms of enterprise spending, is set to grow at a CAGR of 6.7 per cent to reach US$3.5 billion in 2025. Outside of regulated industries (such as financial and critical infrastructure), cyber security has traditionally resided primarily in the chief security officer’s budgets and conversations. But with an increasing threat impact, it is essential that directors have a clear understanding of an organisation's cyber security standpoint, their critical assets and risks and what the organisation would do if they found a threat or were exposed because of one.

Deterring today’s cyber threats and mitigating business risks require an end-to-end view of threats and risk, and the context by which decisions are made.

“Zero trust” is a framework that ensures access to secure data is only granted to those that absolutely need it, and this is supported by continuous verification. The interoperability between users, data and resources means that we need to ensure context is applied at every level of access as this helps ensure the identity, authentication, and authorisation of all users and devices. A consistent architecture approach inspires a new way of delivering security, speed and scale, and will help organisations adapt to the risks emerging from the changing business environment. A zero-trust approach challenges an organisation to test their practices by assuming a breach has already occurred and determining their response capability.

VIEW ALL

Australian companies that adopted a zero-trust security approach were better positioned to deal with data breaches in 2021 – those with a mature zero-trust strategy had an average data breach cost of $2.73 million – $1.54 million lower than those who had not deployed this approach at all.

But to address the all-embracing security issue at scale and speed, governments are starting to play an active role in establishing regulatory obligations across broader industry definitions. Governments across the world rolled up their sleeves in 2021 to improve cyber security frameworks.

The White House released an executive order earlier this year, which signals the need to understand the threats to government networks, signalling that the term zero trust would become industry terminology. The order highlights those incremental improvements in case cyber security won’t continue to be effective; instead, there is a strong need to make bold changes and significant investment in the area. This supports the role that the US National Institute of Standards and Technology (NIST) is driving to ensure that interoperable standards are developed to deliver the scale across public and private organisations and service providers. The Australian Cyber Security Strategy 2020 aimed to create a “more secure online world for Australians, their businesses and the essential services upon which we all depend”. Highlighting the significance and need for a strong cyber security framework, the strategy involves a $1.67 billion investment over 10 years into Australian cyber security initiatives. As we move into 2022, expect to see a growing trend toward greater collaboration between the public and private sectors to help deliver implementable governance frameworks at scale.

In reflecting on the year that was 2021, I feel buoyed by the fact that the government has recognised the need for greater focus on cyber security across many of the industries that we must engage with every day and the suppliers that support them. This level of attention will mean that in 2022, Australian businesses will need to apply a risk lens, and as a result, a zero-trust framework across the information technology landscape. Australian organisations have their work cut out for them in 2022 as they adapt to regulatory changes and work to deliver security at scale across their ecosystems. But if Australia gets this right, we will see a new level of innovation, collaboration and ultimately, safety across the economy.

Chris Hockings is the regional chief technology officer for IBM Security Australia and New Zealand (ANZ).