With cyber experts predicting that the threat to Australian organisations will continue to rise in 2023, the government's announcement of a new Cyber Security Strategy is timely. The 2023-2030 strategy will introduce new cyber security guidelines for businesses to follow.
With this in mind, it's critical businesses start to fortify their security strategies now and stay ahead of the curve. Australian organisations must assess the security and resilience of systems and solutions, identify obstacles, and address compliance gaps before they grow any wider.
The state of cybersecurity in Australian businesses
While we're seeing more investment in advanced threat prevention technology, with Gartner® predicting that global spending on information security and risk management products and services will grow 11.3 per cent to reach more than 281.13 billion AUD in 2023, most organisations remain underprepared.
Dell Technologies' recent Breakthrough study reveals that 57 per cent of Australian workers admit they have not improved their security after hearing about publicised ransomware attacks. While organisations may have solid threat mitigation tools at their perimeters, an attack that gets past the perimeter can still traverse the infrastructure. If breached, businesses can suffer considerable financial losses, damage to reputation, and exposure of sensitive information.
Against this backdrop, it's critical to consider four broad security obstacles within organisations.
Security obstacles within organisations
First, there is a misconception that only certain-sized businesses or industries are targeted for cyber-attacks. However, the latest ACSC report shows that any business can be a target – with the cost per cybercrime increasing by an average of 14 per cent across small, medium and large businesses in June 2021 – July 2022 compared with the previous 12 months.
Second, as organisations hasten their digital transformation pace, many make rapid technology changes without considering the security implications. In this data era, security transformation must accompany digital transformation. Companies must operate under the assumption that an attack is just a matter of time and have a rapid recovery strategy in place.
Third, security applications have long been bolted on, and some have been an afterthought when creating new technologies. Often, businesses don't consider security integration until after applications and processes have been developed; instead of designing security in, the security framework is retrofitted to existing operations.
Fourth, security is far too siloed – that is, it is defined within the confines of different development teams, each building to its own narrow functional lens, so it doesn't work well across the organisation as a whole. Security has to be purpose-built to detect and mitigate threats, aligned with overall business objectives – and it should follow a zero-trust model.
John Roese, Global Chief Technology Officer at Dell Technologies, says in his 2023 new year's resolutions for CIOs that "silos are the enemy of real zero-trust security". He recommends businesses have "an authoritative identity management, policy management, and threat management framework to do zero trust properly".
Fortifying your security strategy
Securing data, applications, and devices calls for a more mature approach that leverages innovative technologies for scale and intelligence, aligns around the business rather than the threats, is proactive in recovery planning, and defends the organisation as a whole rather than in silos.
To protect against and be resilient in the face of cyber threats, we recommend organisations consider three fundamentals.
1. Protect data and systems
The first step in fortifying with modern security is to re-think how you protect data and systems. It starts with trusted infrastructure that takes an intrinsic security approach. This means the infrastructure is secure by design and doesn't introduce risk into your environment.
Security must be built in. To the extent possible, it should move away from relying on security applications as bolt-on patches and instead be native to the architecture it will protect. It should use devices, firmware, and processes intrinsically engineered for security.
2. Enhance cyber resilience
In a cyber-resilient mindset, the focus shifts from solely defending against an attack to being resilient in the face of a cyber-attack. This ensures minimal disruption and loss. Think of it as a "ready state" for withstanding attacks that results from planning, technology, and discipline, so an organisation knows exactly how it will act when a breach occurs.
Threat mitigation and resiliency planning must be defined and prioritised in alignment with critical business operations and services. Business continuity planning should evolve beyond solving for traditional disasters and ensure collaboration with IT teams and business stakeholders. Being cyber resilient is about focusing on what's really important to your organisation and the services you provide to the market you serve.
3. Overcome security complexity
The final step in fortifying with modern security is to overcome security complexity. With accelerated digital transformation coupled with skills shortages, it's an ideal time to turn to automation, intelligence, and consolidation to enable scale and drive better business results.
Consolidating tools where possible from a select number of providers simplifies your overall environment and enables more consistent governance, more predictable behaviour, and more effective threat detection and mitigation.
Robust security drives business outcomes
Building a robust security posture not only protects operations but also helps drive business outcomes. Your organisation will benefit from modernising its approach to cybersecurity and resilience; in turn, you'll effectively address risks and accelerate innovation.