It is easier than ever for someone to launch a cyber attack. There are even software packages and support that attackers can acquire to enable them to launch these attacks without even understanding coding. This new world of “Cybercrime-as-a-Service” is part of the reason that, if you’ve got an application that has a public interface, you can expect the first attack to come in within around 11 seconds of it going live.
This doesn’t mean you shouldn’t be leveraging cloud services – they’re too important to your business, its competitive position, and its ability to innovate. However, managing the risk of cyber attacks is more critical than ever. You need to have the right security in place, with the right alerts, to respond to the escalating challenge.
The real challenge with cybersecurity
Australia faces a massive skills shortage around cybersecurity. It’s so significant that even the government is struggling to beef up its security as it would like to.
This is resulting in a two-speed approach to security. On the one hand, it has been elevated to a board-level discussion point, and the Australian Institute of Company Directors (AICD) even runs courses on helping board members to understand the regulatory, compliance and risk mitigation strategies of cyber security. On the other hand, the CTO is struggling to find the people that they need to actually execute on the board’s objectives.
There should be a two-pronged approach to this problem. The first is training. By engaging consultants (like NovaWorks) to upskill staff, you don’t necessarily have to hire new individuals; you can train up existing staff. Most people with a technical background understand the value of adding cybersecurity capabilities to their skillset, so they will jump at the chance of training.
In addition, cyber security is actually everyone’s responsibility. Most cyber breaches are down to human error, and often it’s simple mistakes that are made. Therefore, everyone needs to have a basic level of understanding of what cyber security is and its importance to the organisation. Each employee should know what to look for and what not to look for, even if they’re not in a technical role.
Understand that the approach to security needs to change
With companies increasingly working in the cloud, the approach to security needs to change in kind. Once, the default approach was called “perimeter” security, where you would set up firewalls and antiviruses that would stop any access to the network and applications from outside of the perimeter. Typically, this was closely associated with the physical perimeter of the office (i.e. the computers “inside” the perimeter were also the devices inside the building).
The cloud and decentralised work (remote work and work from home) have changed this dynamic, however. Perimeter defence is now often inefficient and ineffective. So, instead, most IT security environments work on a “zero trust” foundation; the application or network assumes that the user is malicious until proven otherwise. This means sign-ins and other forms of authentication.
Zero trust isn’t fool-proof, of course. Zero trust still requires configuration. You can still misconfigure zero trust to make it “everyone’s trust” and accidentally allow hackers in.
Meanwhile, attackers can still compromise a single individual in a zero-trust model, but on the plus side, with zero-trust, there are a lot more effective controls to limit the damage that can be caused by that one individual who is compromised. There are a lot of use cases out there where if zero trust is compromised, you can just isolate the damage to one individual. It doesn’t necessarily have to then have a sudden on-flow to a second person, and from there to the entire group.
In other words, once that one person is compromised, it is possible to move quickly and limit the damage, compared with responding to a threat that’s infected everybody on the network – where you don’t know where they are or what they’ve been doing, or who they’ve been talking to. So, there’s a lot more control in place to do that.
NovaWorks In Action
For an example of how we were able to work with a customer on their security needs: A financial services company came to us because they were embarking on their hybrid to full cloud migration. One of the things they realised is that they didn’t necessarily know how to set up the initial governance framework around their Microsoft Azure environment. They had the insight that they didn’t want to deploy anything until they fully understood it, and they wanted to make sure that they had the governance in place before they deployed the services. They came to us and asked us to conduct a full review and develop a roadmap to ensure that they had the right governance, learning and toolsets in place to make sure this could be a successful project.
Security was one part of the bigger picture. The client didn’t really understand what it should be configuring, watching out for or alerting on, or how to lock it down via a successful implementation. They did know they wanted a zero trust approach, and to move away from the perimeter-based approach, but weren’t sure how to achieve that.
Finally, the IT team needed help with communicating to a whole range of business levels – C level, the board level, all the way down to technical support staff. Because of the nature of zero trust, everyone is a different stakeholder, with different priorities, objectives and concerns.
We were able to help this client in the journey, from audit, to developing the roadmap, and on to execution, while at the same time enhancing their own IT skills with our own.
This needs to be the approach to IT moving forward – collaborative, whole-of-business, and focused on ongoing education at all levels of the organisation. For more information on security in these new and hybrid IT environments, contact NovaWorks today.