The last couple of years have seen cyber-attacks spike at an alarming rate, with sophisticated hacker and state-sponsored groups infiltrating numerous businesses, including critical infrastructure organisations responsible for daily necessities, such as utilities, food production and medical services.
As attackers change their methods and discover new ways to meticulously take down an organisation’s defences, businesses need new methods that will adequately stop attackers in their tracks. As we move into 2023, getting boards and C-suite leaders on the same page and implementing thorough contingency plans will mark the difference between a company falling victim to modern-day attacks and one successfully thwarting threats.
Shifting perspectives and how to respond
Today’s cyber criminals have cultivated their approach to maximise their ability to gain entry into an organisation. Cyber crime has become an industry in and of itself, hugely profitable for those on the wrong side of the law. As a result, businesses have become more vulnerable to exploitation. Ransomware is one example of this in action.
In the past, automated sweeps of malware were rampant and profitable for hackers, but security experts eventually caught up with their tactics and were able to recognise and stop attacks more easily. Ransomware groups then adapted their methods and gained traction once again. The vast majority of these groups now operate in a similar way to as-a-service companies, complete with hierarchies, systems and processes.
These attacks are methodical and unpredictable: they aren’t scripted or automated but are driven by human attackers, enabling malware to move laterally within an environment and avoid any enhanced protection a business may have in place. This also means a perimeter defence is out of date, as hackers now have multiple ways to gain entry. In response, it’s imperative to think of security holistically, and to cultivate security awareness and practical defence within an organisation.
Cybersecurity becomes a board-level conversation
While once only regulated industries, such as banks and insurance companies, prioritised cybersecurity, now it’s undeniably important for everyone. As high-level attacks continue to take down even big-name businesses and prompt the Australian Government to release new guidance and governance changes, cybersecurity is becoming a board-level conversation.
On a global scale, Harvard Business Review finds that 23% of board members think the risk of an attack on their organisation is very likely, and about 47% believe their organisation is unprepared for an attack. In addition, HBR states that one third of board members say they interact with the CISO only when the CISO is presenting to the board, further highlighting the room for improvement when it comes to aligning security priorities with boards and the C-suite.
When all key stakeholders come together on the same page, the burden is taken off the CIO or security leader, and security becomes a core focus, baked into the business’s strategy. An organisation is able to reduce the risk of reputational, legal or operational damage, and more effectively find a balance between usability, security and cost.
Integrating security into the fabric of your business
When it comes to developing security, preparation is key. There is a notable difference between how an organisation that has completed preparatory work reacts and how one with no understanding of potential risks, or of how to deal with them, reacts.
The first task is, as mentioned above, to bring the board and leadership together. From here both the overarching strategy and aims can be decided on, with every leader or manager able to share this with the wider team. Now, awareness and training can be addressed. This should be delivered throughout an organisation and include every employee. Every department or team must know the reality of cybersecurity and their part in it, including what to look for and what to do in the case of an attack – be that a phishing email or something more malicious.
In fact, human error continues to be a common way hackers gain a footing within an organisation, offering a way in beyond even the most secure perimeter defence. Security teams must educate employees on risks, including types of attacks and what they look like, as well as implementing important lines of defence at every level. This is also a chance to define degrees of access and operational policies that will genuinely work in daily practice.
In addition, an organisation must develop concepts and tools, and build internal capability. This includes key tasks such as checking critical assets and processes, implementing procedures for attacks, testing and revising infrastructure and data sprawl, and striking the balance between exercising control and not stifling usability and innovation. Building capability includes developing knowledge, testing procedures, establishing emergency plans and fallback scenarios, and using this to inform and evolve the strategy.