New year, new rules – understanding the cybersecurity danger areas in 2022
The World Economic Forum's Global Risks Report 2022 was released last week, revealing cybersecurity is the biggest worry for business leaders in Australia in 2022.
And with good reason.
2021 saw a maelstrom of high-profile attacks, most notably Colonial Pipeline and JBS Foods in the USA, with Australian businesses suffering more than $33 billion in total losses from cybercrime, according to the Australian Cyber Security Centre.
We sat down with three leading experts on cybersecurity for their take on what businesses should be keeping front of mind and how they can mitigate security risk in 2022.
Unification of OT and IT security
According to Qualys ANZ chief technology security officer Rahn Wakeley, one of the most important things organisations can do in 2022 to help mitigate risk is to simplify the management accountability of OT and IT security under the CISO role.
"The risk to physical equipment has been apparent for years, but the Colonial Pipeline attack has acted as a wake-up call and a salutary lesson to organisations that use any solution that exposes physical machinery to the internet," notes Wakeley.
He is a firm believer that 2022 will be the year when a single CISO becomes responsible for OT and IT security. "As we move further along the path of the fourth industrial revolution, it's inevitable that we must think of OT and IT under the same risk domain."
Wakeley also predicts a rise in ransomware related to OT assets in 2022 and notes that as cyber insurance providers are scaling back coverage on ransomware attacks, now isn't the time to sit back and hope a breach won't occur.
Critically, he is concerned that it isn't just the financial impact that businesses must consider. "Last year Gartner predicted that we'll see cyberattackers weaponising operational technology (OT) environments to successfully harm humans by 2025, so ensuring critical OT systems are protected really could be a matter of life or death."
The development of new strategies as cybercrime grows
Genetec, a leader in unified physical security software, is all too familiar with the problems caused when OT and IT security are out of sync.
Genetec ANZ general manager George Moawad notes that this can often lead to the simplest yet most important part of cyber hygiene – ensuring that all IoT devices and on-premises servers are running the most secure firmware version available – being overlooked.
According to Moawad, new models for cybersecurity will emerge. "As more devices come online and data processing becomes central to operations, businesses will need to remain agile and responsive to the evolving threat landscape. At the same time, their customers will also demand greater transparency about how they are keeping data secure and private," says Moawad.
"All of this will usher in an entirely new model for cybersecurity that relies on continuous verification rather than just hardening networks and systems."
He also notes that "building layers of protection into a security ecosystem won't be enough. Decision-makers will need to implement more offensive cybersecurity strategies and choose partners who offer higher levels of automation to stay on top of potential threats."
The supply chain becomes the new weakest link
Last year's far-reaching SolarWinds Orion attack has catapulted supply chain security vulnerabilities into the spotlight – particularly those involving the third-party software applications and hardware components that comprise much of today's enterprise IT environments. CyberArk regional director Thomas Fikentscher says Australian businesses should brace themselves for an upswing in supply chain attacks in 2022.
"Attackers have long targeted third-party vendors across both digital and physical supply chains as backdoors to the networks they were targeting. Historically, many devastating attacks started as a phishing vector, and supply chain attacks were conducted by state-sponsored actors going after high-value or high return-on-investment targets (for example, the Kaseya breach).
"However, the experiences of the last two years show that threat actors have become increasingly precise in targeting the weakest links and supply chain security blind spots. Companies have been trying to deploy pragmatic and sustainable security strategies with minimal impact on business operations and the speed of innovation. Still, it's a balancing act that can cause security vulnerabilities."
Fikentscher believes that the biggest lesson from the SolarWinds attack was that the hackers could compromise the build and deployment phase rather than the source code itself. This type of attack had not been seen before, and it highlights the importance of adopting a security-by-design mindset when working with software developers and designers.
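The defensive counterpart to a build-phase compromise is an independent rebuild: if the packaging step is deterministic, anyone holding the audited source can rebuild the artifact and compare digests with what the pipeline released, and a build-time injection shows up as a mismatch even though the repository is clean. The script below is an added illustration of that reproducible-build check, not code from the article or from any vendor it quotes; the source files, the injected line and the file names are constructed for the example.

```python
"""Reproducible-build check: detect tampering that happens in the build or
deployment stage rather than in the source repository.

Added example (not from the article). The source tree and the tampering step
are constructed for illustration.
"""
import hashlib
import io
import tarfile

# Constructed source tree: what auditors would find in the repository.
SOURCE = {
    "app/main.py": "def main():\n    print('hello')\n",
    "app/util.py": "def add(a, b):\n    return a + b\n",
    "README.md": "demo project\n",
}


def build_artifact(source_files: dict) -> bytes:
    """Deterministically package source files into an uncompressed tar.

    Every piece of metadata that normally varies between builds (mtime, owner,
    entry order) is pinned, so identical sources always yield identical bytes.
    Without this the digest comparison below would be meaningless.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(source_files):          # fixed entry order
            data = source_files[name].encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0                          # fixed timestamp
            info.uid = info.gid = 0                 # fixed ownership
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    """SHA-256 of the packaged artifact."""
    return hashlib.sha256(artifact).hexdigest()


def compromised_build(source_files: dict) -> bytes:
    """Simulate a pipeline that alters code during packaging only.

    The repository is untouched; the change exists solely in the released
    artifact, which is the pattern the text attributes to the build phase.
    (Constructed for the example; the injected line is a harmless marker.)
    """
    tampered = dict(source_files)
    tampered["app/main.py"] += "# line added by the build system, absent from source\n"
    return build_artifact(tampered)


def verify_release(released_artifact: bytes, source_files: dict) -> dict:
    """Rebuild independently from the audited source and compare digests."""
    expected = digest(build_artifact(source_files))
    actual = digest(released_artifact)
    return {"match": expected == actual, "expected": expected, "actual": actual}


def demo() -> tuple:
    """Return (clean_release_matches, tampered_release_matches)."""
    clean = verify_release(build_artifact(SOURCE), SOURCE)["match"]
    tampered = verify_release(compromised_build(SOURCE), SOURCE)["match"]
    return clean, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print(f"clean release verified: {ok}")        # True
    print(f"tampered release verified: {bad}")    # False
```

The check only works because `build_artifact` is deterministic; in a real pipeline the same role is played by pinned toolchain versions, normalised timestamps and sorted inputs, and the rebuild is done by a party that does not share infrastructure with the release pipeline.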
New Year, New Rules
Without exception, all three executives highlighted that many Australian organisations have also been forced to adopt (or plan to) a highly proactive cybersecurity strategy following the amendments to the Critical Infrastructure Act 2018 introduced at the end of 2021.
With the definition of "critical infrastructure sector" expanded to cover 11 sectors, scores of organisations must now adhere to the Act's requirements, including mandatory notification of cybersecurity incidents and personal accountability of company directors for a cyber breach.
Their key takeaway on this? For better or worse, this key legislative change and the high-profile attacks of last year have thrust cyber risk into the spotlight and into the board room – which they hope will, in turn, drive best practice and Australian innovation.