Cyber risk is keeping the Australian enterprise on its toes
In the second half of 2023, an event in the North American cybersecurity sector put leaders on notice.
The US Securities and Exchange Commission (SEC) formally charged a company and its CISO with fraud and internal control failures related to a 2019 cyberattack.
The indictment sent a stern warning to security leaders, suggesting that they could be held criminally or civilly liable for cyberattacks that take place on their watch. It also highlighted a fundamental challenge for the CISO role: that while CISOs are responsible for raising risks to their senior leadership teams and board of directors, they rarely have the final say in how those risks should be managed. Additionally, the indictment raised broader questions about CISOs' confidence levels in their organisations' cyber risk management and governance practices.
The case would have had lessons for Australian leaders - if they hadn't already been put on notice much earlier.
In May 2022, a similar set of circumstances arose: the Federal Court ruled that an Australian financial services licensee had breached its licence obligations "when it failed to have adequate risk management systems to manage its cybersecurity risks." That ruling drew a firm line in the sand, and some legal commentators expected that it would not be an isolated instance of regulatory action.
Australian business and cybersecurity leaders have arguably had a one-year-plus head start on their US counterparts when it comes to getting a handle on cybersecurity risk. The question is: how far have they progressed, and where is there still room for improvement?
ExtraHop's 2024 Global Cyber Confidence Index highlights the wins stemming from actions that Australian organisations and cybersecurity teams performed across 2023, as well as where the opportunities for additional improvements still lie.
A wide risk spread
The results show that Australian organisations still encounter a number of barriers when managing cyber risk. The top barrier is immature cyber risk management processes, followed by a lack of alignment between the business and cybersecurity, insufficient personnel levels, the speed of change and - a related barrier - the use of outdated technology.
There's no clear front-runner when it comes to the barriers organisations face in managing cyber risk effectively, or the approaches they use to assess it. Realistically, organisations are more or less equally concerned about the prospect of being attacked by insider threats, state-sponsored attackers, generative AI, third parties or ransomware infections. The fact that all of these risks sit on a more or less equal footing with one another illustrates the challenge that cybersecurity teams face.
Just as organisations face a wide variety of risks, they rely on a variety of methods to assess their cyber risk exposure. Popular methods include conducting regular internal or external penetration testing or red teaming exercises, performing threat modelling assessments of the business and its technology, and bringing in third parties to run assessments.
This is generally well supported at the executive and board level: a quarter of Australian organisations have directors and a C-suite that are "very involved" in cyber risk governance, and a further 41% have leadership that is "moderately" involved. High executive involvement suggests that organisations take cyber risk seriously.
A need for improved visibility
One interesting aspect of the findings is that there are some clear technology solutions that provide a direction for getting to grips with cyber risk.
The challenge many organisations face is a lack of adequate network visibility. Without being able to see what's happening on their network, it's much harder to identify and remediate vulnerabilities, which increases exposure to cyberattacks and the disruption they cause.
As a result, it's no surprise to see detection and response tools are a clear favourite among Australian organisations seeking to reduce their cyber risk exposure - whether it's extended (XDR), network (NDR) or endpoint (EDR) flavours of the technology.
XDR brings together the capabilities of best-of-breed EDR, NDR, security information and event management (SIEM), and security orchestration, automation, and response (SOAR) solutions. Other ways of reducing cyber risk included investments in zero trust network access and identity and access management.
These approaches rely on NDR to reach their full security potential, making NDR an essential investment for organisations planning to implement a range of cyber risk reduction-oriented solutions.
Outlook is hopeful
Despite the challenges and issues uncovered, organisations are making positive strides in the way they manage cyber risk, which gives reason to be hopeful about the future. It is clear that Australian organisations are recognising that cyber risk is business risk, and that cyber risk management is a maturing discipline.
Australian organisations are employing diverse practices to assess their cyber risk exposure, and C-level involvement in cyber risk management is high.
The implementation of NDR technology can set organisations up foundationally to implement a range of cybersecurity platforms that can further address their exposure risks.