With 2024 fast approaching, it’s becoming increasingly evident next year will be a pivotal one in cybersecurity, against the backdrop of continued high-profile attacks and the roll out of the government’s new 2023-2030 Australian Cyber Security Strategy.
Australia’s Minister of Home Affairs, Clare O’Neil, recently released the Strategy, which brings six cyber shields to respond to the challenges cybersecurity poses to the Australian community, and emphasises that active defence should be a shared goal.
Although details and implementation of programs mentioned in the strategy still need to be thrashed out, this is an important step forward for a country bruised by some very high profile cyber attacks, such as the recent strike on logistics firm DP Ports. Swift and proactive action is necessary and the government’s significant emphasis on bolstering defences is important in ensuring lessons are learnt.
The strategy also puts the right emphasis on the need for cybersecurity in the consciousness of all Australians, not only among our citizens, but also among businesses of ‘all sizes. The importance of this emphasis is reinforced by a new ÁSIC report, which found 44 per cent of organisations fail to manage the cyber risks posed by dealing with external third parties such as vendors, suppliers, partners, contractors or service providers, who often have access to their internal systems. Worryingly, 58 per cent report having limited or no ability to secure confidential information, and a third have no cyber incident response plan.
If we are to get better at securing our critical infrastructure, data, and intellectual property, then leading with a national cyber security strategy that emphasises the role that the private sector can play and incentivises good behaviour is world leading. But having a strategy is one thing. Putting it into practice is another.
It’s essential we accept the business environment that we operate in; namely, software or a piece of technology is never going to be zero risk. The 2023-2030 Cyber Security Strategy, with its six shields, recognises that concepts like ‘secure by design secure by default’, more private-public partnerships, and greater cyber education for citizens and businesses, is a good start. It’s also equally important to recognise that more still needs to be done to inculcate a better understanding of what risk mitigation tools and strategies look like in a non-zero risk environment.
Whilst risk mitigation is great from an education perspective, we do need resources to assist companies in being more cyber savvy. That starts with people inside organisations having conversations about cyber and becoming comfortable in accepting that cyber risk is a constant threat that can be managed with the right tools and approach.
It will be important for the government, as it begins to implement its new strategy, to partner with the private sector for guidance to help smaller businesses improve their cyber defences, and take advantage of the products and approaches enjoyed by larger organisations. Preparing for incidents isn't a one-time exercise, but an ongoing commitment to adapt to the ever-shifting strategies of threat actors.
Looking ahead, it’s important we communicate what best-in-class cyber can look like, even if a company feels budget constrained because bigger is not always better. What does help is to understand your company’s risk and look for solutions commensurate to the manner in which organisations buy these services. So, as the 2023-2030 Cyber Security Strategy gets underway and companies look for solutions, it will be important that government and business consult broadly for what is shaping up to be a very interesting year for cyber.
With that in mind, here are seven cyber security predictions for the year ahead.
- AI and Automation – Given the volume of attacks, the use of AI and automation will accelerate in 2024. It’s one thing seeing threat intelligence, but it’s another doing something about it, and that will rely on more automated responses. On average, 14 hours pass between the identification and exploitation of new vulnerabilities, so with AI coming and more advanced automation techniques, a lot of the detection and remediation or prevention work will occur automatically. But some caution is needed. Inevitably, some AI capabilities will miss the mark simply because the solution has been rushed to market. Additionally, with the continued adoption of ChatGPT, it can present risk. But like any new technology, whilst it can be used maliciously, the pace of innovation is moving so fast that it’s difficult to provide a concrete prediction on what will happen. If exploited, that doesn’t necessarily mean you should not use ChatGPT.
- Public and Private Sector Partnerships - Organisations like Rapid7 can provide meaningful guidance and visibility of these environments. Not just the enormity of all the vulnerabilities out there in the wild, but more specifically which ones have been exploited, which ones are exploitable to ensure better protection of infrastructure. Leveraging open source communities is important for innovation and will play a key role in the sharing of threat intelligence and democratising access to information that will help organisations protect themselves, especially as cloud adoption grows.
- Assessments - We anticipate the need for greater understanding of vulnerability disclosure and, from an intelligence perspective, how this will impact critical infrastructure. As a result, we expect 2024 to be the year of assessments of attack surfaces as organisations try to better understand their weaknesses and proactively address them.
- Mid-Market Growth - The mid-market will be a growth area with many looking to outsource cybersecurity given it’s not a core competence. Budget is already being allocated as company owners and boards recognise it's essential to act and shore up their defences now. This segment is becoming more susceptible to attacks as a result of larger organisations making it more difficult for adversaries to penetrate their networks.
- Education – Citizens will want to better protect themselves so we can expect to see more public education awareness campaigns to accelerate greater understanding on the steps individuals can take to be more cyber aware. We will see the larger technology players collaborate with the government to run education programs and infuse cyber into their curriculums. The recent Microsoft and NSW TAFE partnership is a good example. However, it’s important to note that despite these initiatives, there is no one-to-one correlation that just because someone goes through these programs, they will actually choose a career in cyber.
- Ransomware - Australia is second in the world for the most ransomware attacks and there will be no letup in 2024. We can expect to see more high-profile breaches, and rather than extracting personally identifiable information, we anticipate more disruptive attacks on critical infrastructure as adversaries target greater rewards and create more disruption. Organisations will focus on proactive exposure management and prevention, from the endpoint to the cloud, to reduce material impact of ransomware attacks.
- Visibility – Any good threat intelligence should start with ‘what is there to learn about our own security posture.’ With that, we expect more organisations to better understand their risks and figure out their visibility so they can act as quickly as possible. We will see further consolidation in the number of security solutions organisations use to drive visibility and balance the signal to noise so security teams can focus on the most critical threats to their businesses. As a result, more organisations will move from ‘best-of-breed’ to ‘best-of-suite.’
With Australia's commitment to enhancing our national cybersecurity anchored by six shields, we’re moving in the right direction. While the specifics are yet to be fully realised, the government's dedication to fortifying our digital defences is commendable, serving as a reminder of the imperative need for greater cybersecurity awareness across all facets of Australian society.
But progress is not just about having a strategy. It’s about putting it into action so that we can bolster our security posture to protect critical infrastructure, data, and intellectual property, in what will continue to be a dynamic and evolving threat landscape.