Decisive action needed to build a cyber resilient business


The past two years have seen a dramatic increase in major cybersecurity incidents, most notably the attacks on JBS Foods, which disrupted the Australian meat and livestock industry, SolarWinds and Colonial Pipeline. With the increasing frequency and high cost of cyberattacks, most leaders I speak with now acknowledge that cybersecurity is a serious business risk, not just an IT problem.

However, despite this increasing awareness, Mary Attard, PwC Australia’s partner for Cybersecurity & Digital Trust – Identity & Access Management, recently told me she’s noticed there are quite a number of businesses in Australia that are yet to give cybersecurity the focus and funding it requires.

This is concerning given the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports in the 2020–21 financial year, an increase of nearly 13% over the previous year. The ACSC Annual Cyber Threat Report 2020-21 states this increase equates to one report of a cyberattack every eight minutes, with a higher proportion of incidents categorised as ‘substantial’ in impact.

Attard said: “While most leaders understand that cybersecurity is a growing business risk, humans are prone to confirmation bias which fuels the belief that if we haven’t experienced a cyberattack yet, it won’t happen to us. Unfortunately, this is a big problem that often limits organisations from reaching their full potential when it comes to their security posture.”

The rapid rise in the number and severity of cyberattacks should be a wakeup call for all organisations to review their cybersecurity hygiene levels, particularly tightening who has control and access to critical information and systems.

This year will see several factors converge, placing further pressure on businesses in Australia to act decisively. Not only will digital transformation continue unabated, but Australia’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 will also significantly impact 11 new sectors deemed critical infrastructure for the country.

In addition, the Attorney-General’s Department has signalled its intent to strengthen provisions in the Protective Security Policy Framework (PSPF), so all non-corporate government entities will be mandated to implement the ACSC’s Essential Eight mitigation strategies. While private organisations don’t currently need to comply, they must be mindful of this change, especially those collecting, disclosing, storing, and processing government or citizen data in the delivery of services.

PwC Australia’s Attard also noted that while achieving compliance with cybersecurity reforms is very useful in mitigating the likelihood of a significant cybersecurity event, it’s only the beginning and an opportunity to establish strong foundations – it doesn’t guarantee the security job is done.

This means businesses need to deploy an identity-centric security approach that delivers secure access and privilege for any identity to any resource, using any device, from anywhere.

Implementing least privilege is a crucial step in securing privileged access and identities for cloud-based infrastructure and applications. In a perfect world, each identity is configured to have only the privileges and permissions needed to perform its intended functions – nothing more, nothing less. This is the crux of the principle of least privilege and a core tenet of zero trust – “never trust, always verify.”

Identity security offers organisations the peace of mind that their most critical assets are secure, while accelerating business agility. By taking this approach, every identity is verified, devices validated, and access limited to just what they need – and taken away when they don’t.

Taking this approach will help ensure compliance with future legislation, but it will also build a cyber resilient business from the bottom up. It must be a central tenet for all business operations going forward to ensure cybersecurity becomes a business enabling and risk mitigating proposition.


About the author

Thomas Fikentscher is the regional director of Australia and New Zealand for CyberArk. For more information visit: https://www.cyberark.com/


Copyright © 2022 IDG Communications, Inc.