Australian organisations lack the security maturity and skills needed to cope with today’s and tomorrow’s threat landscape; this is the latest message coming from IDC. On top of that, cyber criminals are getting more sophisticated. Look no further than the WannaCry attack, which saw more than 200,000 computers across more than 150 countries locked up by the ransomware. The ability of organisations to detect and respond appropriately to this threat is directly tied to the skills and maturity of their people, processes and technology.
You can’t stop a highly determined attacker from targeting your network, but with a strong focus on security, you can make your organisation extremely difficult to penetrate.
Here are three steps to clean up the security of your organisation and ensure you’re well equipped to survive in tomorrow’s threat landscape.
1. Start at the top
The biggest risk plaguing Australian organisations is a lack of dedicated security people. It’s eye-watering to think how many companies—storing extremely high volumes of sensitive customer data—consider security as a sideline for the IT department. Lydie Virollet, IT services and cybersecurity analyst at IDC Down Under, says the understanding and management of threats is a struggle that most Australian organisations face.
"In some markets the lack of compelling and enforced legislation leaves the IT security team with the paradox of how to secure the environment when the C-Suite are not prepared to fund it," Virollet says.
The C-suite needs to take a role in protecting your business that encourages the entire organisation to be aware of security, risks and protection. Without the support and funding of the C-suite, you won’t have the resources and capabilities to keep pace with the diversity of security needs.
If self-regulation is to be retained as the "state of play," then board members are responsible for driving clear cybersecurity objectives across their organisation. Coordinating minimum security standards and an overall cybersecurity strategy should be the primary remit of the Chief Information Security Officer (CISO), under board direction. Every system, data store and IT project should be reviewed and operational risk reported to the Risk Officer, CEO and board members. Transparency in the collection, analysis and reporting of this risk needs to be completed in real time to provide accurate, operational "situational awareness." It’s only with this level of maturity that cyber risk can be treated in the same way as other business risks.
2. Take a risk-centric approach
Securing C-suite funding for security is only the first step. Organisations must realise that outsourcing security doesn’t mean outsourcing the potential impact of a breach. When customer data is compromised, your company—not your security provider—will cop the overall blame. Last August’s Census is a good example. While the Australian Bureau of Statistics (ABS) pointed the finger at the vendor for failing to adequately test the technology, it reflected most poorly on the oversight of the ABS and is now remembered as the "Census fail"—not the vendor fail.
By understanding what your critical assets are (such as customer data) and conducting a risk assessment to determine the likelihood of a breach, you’ll be in a better position to identify what level of risk your security team is required to mitigate.
3. Act tactically, plan strategically
In the words of Ben Franklin: “By failing to prepare, you are preparing to fail.” There’s no point in fighting the threats of the present with tools from the past. Identifying future risks is a vital part of cyber hygiene; threat actors today move much faster than any security person could respond with manual tools. Automation is "de rigueur" for cyber criminals, and "Malware-as-a-Service" and "DDoS-as-a-Service" have plagued us for many years now. You need a future-proof solution that enables you to adapt your response in the heat of the action.
Overall, the growth in the frequency and sophistication of threats is far outpacing traditional security technologies. Now is the time to update your systems and ensure you’re well positioned to defend against the complex attacks of tomorrow.