
Cybersecurity measures aren’t enough to stem the wave of breaches

21 Jan 2019

Article by Tenable A/NZ country manager Bede Hackney.

2018 was a milestone year for data security and privacy. The rollout of legislative frameworks, such as the Notifiable Data Breach Scheme and the General Data Protection Regulation, brought to light the endless wave of cyber attacks confronting businesses every day. 

A recent report by the Ponemon Institute on behalf of Tenable found that 60% of organisations represented in the study say they have suffered two or more business-disrupting cyber events in the last 24 months alone. More than 2,400 IT and IT security practitioners in the US, UK, Germany, Australia, Mexico and Japan were surveyed. In tandem with this, the Office of the Australian Information Commissioner revealed over 245 breaches were reported from July to September, signalling that current security approaches are failing to keep pace with the surge of attacks.

The unfortunate reality is that the majority of Australian businesses aren’t able to quantify the business cost of this cyber risk, relying on outdated metrics which leave them exposed.

It’s high time to shore up measurement

With cyber security increasingly being elevated to the C-level, it is imperative that your plan is presented and endorsed by the C-suite and the board. However, less than half of Australian respondents (48%) measure and, therefore, understand what cyber risks are costing their organisations, leaving the C-suite and board confused about how to navigate risk and remediation strategies.

Traditional KPIs for evaluating business risks are insufficient for understanding cyber risk, as they fail to factor in the business cost, lack strategic direction and don’t offer any insight into how businesses prioritise risk. This is hindering the ability of CISOs to make informed decisions about the allocation of resources, leaving businesses vulnerable.

While most organisations are aware of the more important KPIs used to measure the business impact of a cyber attack, there is a clear gap between the use and the perceived importance of non-security measures such as loss of revenue and productivity, as well as impact on share price. While conventional wisdom suggests a decline in stock price would be a major consideration in quantifying the risk of a cyber attack, it worryingly isn’t a prevalent factor for most businesses.

Ride the wave through actionable insights

In the face of a rapidly evolving attack surface, new approaches to measuring cyber risk are needed to allow businesses to accurately quantify the consequences of cyber attacks. Fully understanding your organisation's level of cyber exposure requires a holistic view of the entirety of your attack surface. This includes identifying the business operations and assets most vulnerable to cyber attacks, including OT and IoT assets.

Once you have a grasp of the area you’re trying to defend and where the danger lies, detailed threat intelligence is needed to prioritise remediation efforts. As the endless wave of threats continues, security teams don’t have the resources to guess which vulnerabilities need to be remediated first.

Tenable’s recent Vulnerability Intelligence Report revealed an enterprise uncovers 870 vulnerabilities per day across 960 assets, on average. And of those, more than 100 vulnerabilities are rated as critical. There is a clear onus on CISOs to implement security strategies which allow them to understand and prioritise vulnerabilities based on their potential impact on business operations. 

Master the tides 

Cybercrime is relentless, undiminished and unlikely to stop. To keep pace, CISOs must adopt new approaches to accurately manage, measure and reduce cyber risk. Implementing a robust vulnerability management program will empower security executives to confidently visualise, analyse and measure the business cost of cyber risk. Doing so will close their cyber exposure gap and ensure they’re in the best position to stem the rising tide of data breaches. 
