Australian IT security concerns higher than before pandemic
Australian organisations are more concerned about cyberattacks than they were prior to the COVID-19 pandemic, according to a new survey from BeyondTrust.
The survey of respondents polled at the recent AusCERT conference on the Gold Coast and the Australian Information Security Association Cybercon Connect in Sydney found 82% of organisations have heightened security concerns due to the ongoing prevalence of remote working. They recognise it is significantly more challenging to protect staff and resources when they are operating outside the firewall and connecting over the public internet.
"These concerns are understandable as organisations were forced to make significant changes to their mode of operation in a very short space of time," says Scott Hesford, director of solutions engineering, Asia Pacific and Japan, BeyondTrust.
"Even now, more than two years after the initial lockdowns, many feel they still have much more work to do to ensure they are protected against cyberattacks," he says.
Security challenges
When asked what specific security challenges they were currently facing, 89% nominated securing remote workforces. Additionally, 82 percent of respondents nominated the implementation of a Zero Trust strategy.
"While Zero Trust is seen as an effective way to protect both remote users and IT resources, it is a challenging strategy to adopt," says Hesford.
"Many organisations understand the benefits such a strategy can deliver but are still struggling to achieve them.
"It is not just employees who are working remotely. Fifty-five percent of organisations allow third-party vendors to remotely access their internal networks," he says.
"Of most concern is that two-thirds of those organisations provide VPN access for those remote third parties.
"Properly securing any VPN access is a challenge for most organisations. We have seen a number of breaches over the last few years where VPN access has been leveraged by attackers to infiltrate corporate networks."
Dedicated secure remote access solutions are far easier to manage and provide the audit trail and granular security required by frameworks such as Zero Trust, whether for IT or OT (operational technology).
Adhering to the Essential Eight
Survey respondents were asked to indicate their level of alignment with the Federal Government's Essential Eight security guidelines. The guidelines outline best practices that organisations should follow to reduce their chances of falling victim to a cyberattack.
Interestingly, while three quarters of government respondents indicated that their organisation was aligning to the Essential Eight, 64% of non-government organisations are also looking to adopt the Essential Eight Security Controls, highlighting the growing favour of these best practices in the private sector.
Yet the devil is in the details. While over half of organisations have met the requirements of the Essential Eight around Regular Backups, full alignment with the controls was lower when it came to restricting admin privileges (24%), application control (16%) and user application hardening (19%).
"Many organisations have struggled with particular aspects of the Essential Eight, such as application control," says Hesford.
"Traditionally it is seen as complex to deploy with a long time to value.
"However, with modern endpoint privilege management solutions more organisations are finding that they can meet the requirements of the Essential Eight for application control, user application hardening and restricting admin privileges in a comprehensive way with minimal impact on users and low overheads for their support team."
Security budgets
Encouragingly, the survey found that a majority of respondents believed that their cybersecurity budgets would increase in the coming year, with 61% of respondents indicating that spending will rise.
This news is welcome as it shows that most organisations understand the importance of having robust security measures in place. With the threat landscape constantly changing, it is vital to deploy and manage a portfolio of security tools and services that deliver complete protection.
Hesford says Australian organisations will continue to face cybersecurity threats and challenges in coming years and IT security must remain a top priority for both spending and action.
"The potential for a successful attack to cause significant disruption and loss is very real," he says.
"By allocating spending and following guidelines such as the Essential Eight, organisations can be sure they are prepared to withstand security threats as they appear."