No organisation is completely immune from cyber attacks and data breaches. It is almost certain that many large organisations have similar vulnerabilities to those exposed in recent events that have dominated the headlines in Australia.
There will always be the employee who falls for a phishing attack, the dishonest worker who steals data, or the well-meaning but negligent insider who makes a mistake and exposes their organisation to a breach. As reported by Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved the Human Element, including social attacks, errors, and misuse.
Indeed, insider threats, such as developers not securing API endpoints or employees inadvertently allowing access to sensitive data by falling for a phishing attack and sharing credentials, are thought to have played a significant role in the majority of data leaks.
Given that most large organisations have made significant cybersecurity investments yet have poorly resourced security teams under enormous stress, what can be done to reduce the likelihood of similar incidents occurring again?
Now is the time to get buy-in from concerned boards of directors
The recent attacks have acted as a ‘wake-up’ call to organisations. Cybersecurity is now becoming a priority for boards and other business leaders. Now is the time for CISOs to get buy-in from their alarmed boards of directors. A recent Proofpoint and Cybersecurity at MIT Sloan (CAMS) study reveals that 58% of Australian businesses view cybersecurity as a top priority. The study also shows that 52% of Australian board members believe their organisation is at risk of a material cyber attack over the next 12 months, compared with 68% of CISOs. While boards are beginning to prioritise cybersecurity, this survey response indicates that there is still a material gap between boards’ and CISOs’ cyber attack risk evaluations. To effectively close this gap, boards need to work with the rest of their organisations to address cyber threats. A people-centric ‘whole of organisation’ approach is required.
It is important to realise that you will be breached. It is not a question of if, but when. Although traditional protections designed to prevent any breach from occurring are still essential, organisations must place greater emphasis on threat detection, and incident response and recovery. In other words, they need to detect malicious activity in their systems and networks quickly and respond by making it difficult for the attacker to cause any considerable damage.
Often companies respond by investing in more technology, but this alone is not the answer. People are an organisation’s single biggest vulnerability, and people are what cyber criminals are targeting, so any cybersecurity posture needs to focus on protecting people as well as defending data. Australian organisations should re-assess their risks and threats, evaluate their current controls, identify the gaps, and put people and processes in place to implement an adaptable posture aligned with acceptable risk levels in new, more distributed, and data-rich technology environments.
With a shortage of cyber talent in the market, companies should look to automate where possible. A better option, at least in the short term, is to focus on ‘low hanging fruit’: changes that require fewer specialist skills, can reduce risk significantly, and offer the best value. For example, a lot of data leaks are caused by weak access controls. Increased use of multifactor authentication (MFA) and adherence to the principle of least privilege can have a huge impact on reducing risk. These are examples of relatively small changes that require less skilled labour. Increased automation can also reduce the need for security professionals in SOCs.
Companies should re-evaluate their access configurations and policies. There are probably people in the company with more privileged access to sensitive data than their role requires, when that access should be limited to those who “need to know.” Although most security professionals are already aware of the principle of least privilege, recent headlines mean they may now be more likely to get board-level support for restricting access. The same applies to separation of duties. Now is the time to assess accountabilities so that roles and responsibilities are clear, transparent, not open to fraud, and unable to circumvent existing controls.
Additionally, companies need to conduct an assessment of what data is collected and why, where, and how it is stored, and the length of time that it needs to be retained. Do companies really need to keep their customers’ most valuable personally identifiable information (PII)? Data minimisation is a critical component in defining the business need.
Processes that minimise the amount of PII collected are necessary, as are processes around purpose limitation and storage limitation. Put simply, companies can massively lower the risk associated with data leaks by only holding data that is absolutely necessary for as short a time as possible.
These immediate steps are likely to receive board support, as the cost of devising and implementing these policies is far lower than the cost of post-breach recovery. Improving security requires companies to focus on people, processes, and technology. Too often, the role of people and processes is overlooked; boards can play a major role in working with CISOs to ensure that these areas receive greater focus.
Recent high-profile data leaks provide cybersecurity professionals with a renewed opportunity to engage concerned boards. Reducing risk is a ‘whole of organisation’ endeavour and requires everyone to do their bit. A people-centric approach to cybersecurity is the most sensible path forward, and the headline-grabbing attacks in Australia provide the urgency for companies to improve their security posture now.