Article content
Keeping up with an evolving threat landscape: Five key lessons from our cloud and cyber security webinar
More and more businesses in Australia are actively shifting critical workloads and applications to the cloud.
While the move to the cloud is enabling improved productivity and customer experiences, there’s also a dark side to this, as explained in the alarming statistics below:
- 83% of businesses surveyed globally, reported having more than one data breach. 1
- 60% of breaches organisations’ experienced led to a price increase passed on to their customers.1
- 56% of Australian businesses saw a significant rise in major security incidents in the last 12 months.2
To understand what lies ahead, we brought together security experts from Telstra Purple, Microsoft, and Omdia in a recent webinar to discuss current cyber security challenges that Australian businesses face, real-life insights into the issue, and solutions organisations can implement to help fortify their security postures.
Here are our five key learnings :
A hacker is more than just a guy in a hoodie
When most people imagine cyber criminals, they probably draw up an image of someone wearing a hoodie operating from a basement. However, as time and technology have progressed, so have these malicious threat actors.
Cyber attackers are now using increasingly sophisticated techniques for financial gain. One such example is Crypto-jacking, which involves the unauthorised use of an organisation’s resources to deploy malware or scripts that solve complex calculations to earn cryptocurrency. Another is Ransomware-as-a-Service, a criminal business model where ransomware creators sell or rent their malware to unscrupulous figures, which is then used to infect and encrypt the machines of unsuspecting victims.
“The perception is that an adversary is a guy in a hoodie in a basement, but they’re often professional businesses, running a business to sell a service. Unfortunately, the service they provide is illegal and used to compromise your IT systems.”
Fraser Wilson, Cloud Solution Architect for Security and Compliance, Microsoft Global Partner Solutions
Cyber-attacks are not just committed over hours or even a day—according to the IBM Security report - 2022, the average mean time that an adversary spends in a targeted network environment can be up to 277 days. This means that there is a good chance that an organisation will not see any red flags to suggest an attack, or a breach is underway. The time spent is used to carefully plan the attack.
All good we can do can be undone with a simple error
Cyber security's asynchronous nature can make it more challenging for businesses to prevent, respond to, and recover from a breach. The organisation needs to cover all its bases and do everything possible to prevent a breach. Still, the adversaries are just looking for that single chink in the armour to break through the defences.
“The increase in incident response calls that we’re receiving (at Telstra Purple) points to the magnitude of this imbalance, which means that all the good we can do can be undone with a simple error. Maybe a configuration lapse on an Azure Blob or one leaked credential pair. That’s all it takes.”
John Powell, Principal Security Consultant, Telstra Purple
Simple errors like these can result in disastrous consequences for the organisation and their customers. The protection a cyber security system provides is only as strong as its weakest link—and often, the weakest link is the people operating and managing the system. A small lapse or a human error may just be the weakness that a threat actor is looking for. Therefore, organisations must develop a structure for information security that weaves in people, process, and technology.
More cyber security tools and platforms aren’t always better
The technology industry is thriving now more than ever, with organisations allotting a huge chunk of their operating expenses to tools and platforms that can improve productivity, workplace engagement, and customer service.
Many businesses now have over a dozen security tools and platforms as their IT stack has grown, resulting in more complexity, management challenges, high operating costs, and even gaps in their cyber security. But dedicating this much resource and not getting the desired results quickly can be challenging for IT departments to defend to decision-makers in the organisation.
“We always start with understanding the risks, which will help us understand the purpose for each of the tools so we can provide the necessary responses to the business as to why a tool is needed, or in some cases, why a tool can be decommissioned. Quantitatively assessing risk will give us a view of the investment versus the cost that was saved or the revenue that wasn’t lost because a breach has been blocked.”
John Powell, Principal Security Consultant, Telstra Purple
Resilience over security
The cyber security conversation is moving toward resiliency rather than security. With the current concerns businesses have around threat and security, more organisations are retracting into their shell—inhibiting further adoption of security practices.
On the other hand, some organisations are just throwing more money and resources at the problem than what is required, caused by a poor understanding of the risks that need to be mitigated.
“We need a mindset shift here. We need to move away from the old concept of building a bigger boat or a bigger castle wall because that’s not always going to keep the adversaries out. If we understand the risks to our environment, then we can look for ways to reduce the impact of any risk that’s realised. This requires an understanding of the business impact of these risks, showing that cyber security is more than an IT issue.”
John Powell, Principal Security Consultant, Telstra Purple
Reinforcing the continuous and cyclical nature of security
More than buying into the latest, shiniest tools and platforms in the market, the importance of evaluation before acting, is crucial. Doing so can help with not only cost savings, but also making the most of the investment in the long run.
Telstra Purple recommends a process of evaluation through the ‘Circle of Security’, an incredibly useful tool that has been successfully used and deployed for many of our customers. This framework can be used even as threats continue to evolve, and business requirements change.
“The risks to say, cloud assets, should always be at the centre of our security considerations. Knowing the risks will help us define the controls that we need to treat the risks. And this list will define the requirements for choosing the right security solutions, be it tools, policies, awareness, and so forth.”
John Powell, Principal Security Consultant, Telstra Purple
No risk can be reduced to zero
Life would be much better being 100% risk-free—however, this is not the case, especially when it comes to cyber security for businesses of all sizes.
Many IT leaders are accepting a certain degree of risk if there’s a lower likelihood of a significant breach happening, as mentioned by Omdia’s Adam Etherington, based on his conversations with Australian business leaders and decision-makers. While eliminating all risk would be ideal, pragmatically IT and business leaders are coming to terms with residual risk in line with commercial goals.
Apart from mitigating risk and lowering the consequences of a breach, leaders should also look toward proactive cyber security by implementing measures to prevent an attack before it happens and ensure that the fallout is minimised and recovery is quick.
“Proactive security is essentially cheaper than reactive measures because it’s about responding and mitigating the damage caused by an attack. Employing security techniques in a proactive approach will help mitigate and address the risk and damage of an attack in real-time.”
Fraser Wilson, Cloud Solution Architect for Security and Compliance, Microsoft Global Partner Solutions
[1] Cost of a Data Breach Report 2022, IBM Security.
[2] State of Cloud, Edge, and Security in Australia 2022-23, Omdia.
You can watch the full recording of the Cloud Security Webinar here.
