Sydney-based Murray Mills, Manager – Cybersecurity at Tecala, tells us how companies can identify cybersecurity gaps that may require external assistance or additional resourcing.
With 2022 now underway it’s worth reflecting on the year that was, exploring what we’ve learned and what can be applied to your strategic planning for the next 12 months.
Last year at Tecala, we drew inspiration from a theme of emerging stronger from what 2020 and the first part of 2021 threw at all of us.
Most organizations spent the year digitally transforming and adopting cloud-based systems to enable work-from-anywhere scenarios.
Words like productivity and continuity permeated all technology and business conversations.
But so did security. With workforces distributed and working in new hybrid models, using technology systems they may have been unfamiliar with, an effective security solution for this environment was critical.
Organizations recognized this, but so did attackers. One survey found 73% of Australian organizations fell victim to cyberattacks targeting remote workers in the past year, suggesting far more work is needed to layer additional protections, build resiliency and raise internal security awareness.
Ultimately, as Gartner notes, long-term work-from-home ‘requires a total reboot of policies and security tools suitable for the modern remote workspace.’
Tecala is already undertaking these kinds of reviews. We use them as the basis for crafting security strategic roadmaps that tailor a security journey to an organization’s specific needs over forward years. The roadmap takes organizations from where they are now to where they want to be; is aligned to key threat mitigation frameworks such as the Essential Eight or the CIS Controls; and is designed to help organizations address the substantial challenges and security headwinds they are now facing.
While every review and roadmap is different, just as every organization’s needs are different, we have identified some common trends among the organizations we work with from a security perspective.
In the interest of openness and intelligence sharing, we’ve decided to list the top five here as they may be useful in reflecting on your own journeys to date and identifying gaps that may require external assistance or additional resourcing to close in the year ahead.
Security standards will actually become standard
Organizations presently have a range of standard frameworks to choose from when benchmarking cybersecurity readiness. These include domestic frameworks like the Essential Eight, as well as overseas ones such as the Center for Internet Security (CIS) Controls (18 controls in the current version) and the National Institute of Standards and Technology (NIST) framework.
There’s considerable repetition and overlap between the different frameworks, such that meeting the requirements of one would likely place an organization well on the path to complying with the others as well. Whatever framework an organization chooses, it is likely to serve them well.
However, within the small-to-medium enterprise market, the Essential Eight and the CIS Top 18 are currently favored because they are generally considered more business-friendly.
Only a year ago, awareness of these frameworks was practically non-existent outside of an organization’s security function. Today, however, it is more common to hear even C-level executives discussing the security standards they are endeavoring to meet.
We expect to see these standards become more tightly integrated into ways of doing business. For example, where company A wants to utilize company B’s services, they may ask company B to undertake a third-party risk assessment that includes portions of these frameworks. The message is effectively: meet security best practice or we won’t connect with you or integrate with your services.
Multi-layered approaches will become the pinnacle of best practice
When organizations undertake reviews and test their alignment to the security standards and frameworks, it quickly becomes apparent that more work is needed to increase levels of protection.
In my mind, the adoption of multi-layered approaches to security goes hand-in-hand with the increased use of these frameworks.
Multi-layering isn’t about the number of tools an organization has. Instead, it’s about understanding the spectrum of threats and risk levels and creating security processes that effectively mitigate them. It’s an approach to securing the organization, and one that, more often than not, leads an organization down the path of Modern Management.
Modern management will come into its own
I spent much of 2021 talking about Modern Management, and there’s a good reason for that: 80% of the projects that we undertook this year were centered around Modern Management. There’s no reason to believe that level of interest won’t continue.
Modern Management is an umbrella term for a collection of strategies, services and software that is designed to help businesses to deploy and manage assets in the ‘new world’. It can be used to protect employees and the devices and systems they are logged into, regardless of what they are doing, where they are doing it from and what they’re working on.
It also ensures that all people and devices requesting authorization to connect to an organization’s network or applications meet appropriate security standards before they can log in, and that, once in, they can only access resources appropriate to their role and associated permissions.
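To make that two-stage gate concrete, the following is an added illustration (not Tecala’s code or any vendor’s product): a request is admitted only if the user has completed MFA and the device meets a posture baseline, and even then the requester only reaches the resources mapped to their role. The baseline values, role mapping, dataclass fields and sample requests are all constructed for the example; the posture checks are modelled on the kinds of controls the Essential Eight and CIS Controls ask for (patch currency, disk encryption, endpoint protection), not on any specific policy engine.

```python
"""Conditional-access gate with least-privilege scoping (constructed example)."""
from dataclasses import dataclass, field

# Hypothetical device posture baseline. Real values come from your own policy.
BASELINE = {
    "max_os_patch_age_days": 30,
    "require_disk_encryption": True,
    "require_edr": True,
}

# Hypothetical least-privilege mapping: a role reaches only these resources.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll", "email"},
    "engineering": {"source-control", "ci", "email"},
    "contractor": {"email"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_completed: bool
    device_managed: bool
    os_patch_age_days: int
    disk_encrypted: bool
    edr_running: bool
    requested_resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # every failed check, not just the first


def device_posture_failures(req: AccessRequest, baseline: dict = BASELINE) -> list:
    """Return a description of each baseline check the device fails."""
    failures = []
    if not req.device_managed:
        failures.append("device not enrolled in management")
    if req.os_patch_age_days > baseline["max_os_patch_age_days"]:
        failures.append(f"OS patches older than {baseline['max_os_patch_age_days']} days")
    if baseline["require_disk_encryption"] and not req.disk_encrypted:
        failures.append("disk not encrypted")
    if baseline["require_edr"] and not req.edr_running:
        failures.append("endpoint protection not running")
    return failures


def evaluate(req: AccessRequest, baseline: dict = BASELINE,
             role_resources: dict = ROLE_RESOURCES) -> Decision:
    """Apply the three gates in order: identity, device posture, least privilege."""
    reasons = []
    # Gate 1: identity. Without MFA the device state is irrelevant.
    if not req.mfa_completed:
        reasons.append("MFA not completed")
    # Gate 2: device posture against the baseline.
    reasons.extend(device_posture_failures(req, baseline))
    # Gate 3: least privilege. A healthy, authenticated requester still only
    # reaches what the role permits; unknown roles get nothing.
    permitted = role_resources.get(req.role, set())
    if req.requested_resource not in permitted:
        reasons.append(f"role '{req.role}' is not permitted '{req.requested_resource}'")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests covering each gate.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "finance", True, True, 10, True, True, "payroll"),
    AccessRequest("bob", "engineering", False, True, 5, True, True, "ci"),
    AccessRequest("carol", "contractor", True, False, 90, False, False, "email"),
    AccessRequest("dave", "contractor", True, True, 3, True, True, "payroll"),
]


def audit_lines(requests=SAMPLE_REQUESTS) -> list:
    """One line per decision; denials list every failed control so a reviewer
    (or an insurer's questionnaire) can see which gap is being missed."""
    lines = []
    for req in requests:
        d = evaluate(req)
        verdict = "ALLOW" if d.allowed else "DENY"
        detail = "" if d.allowed else " (" + "; ".join(d.reasons) + ")"
        lines.append(f"{verdict} {req.user} -> {req.requested_resource}{detail}")
    return lines


if __name__ == "__main__":
    for line in audit_lines():
        print(line)
```

Recording every failed reason rather than stopping at the first is a deliberate choice: the denial log then doubles as evidence of which baseline controls are slipping across the fleet, which is exactly the kind of MFA and patch-currency evidence the later section notes insurers and framework assessments now ask for.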
To some extent, organizations may still be refining what work in 2022 looks like. We see organizations recruiting for fully-remote workers that will rarely, if ever, attend an office. We also see employees prioritizing flexibility over more conventional workplace benefits.
With so many future ways of working still up for negotiation, organizations will need to adapt their approach to Modern Management as well. It may have gotten them this far but will require changes to fit with what the workplace of 2022 will look like.
Security awareness reaches the board
The next two trends are related: the increased visibility of cybersecurity issues within organizations, and liability challenges that stem from that.
This year, more than any other before it, cybersecurity became an issue for the board of directors and C-level executives.
Ransomware’s role in that cannot be underestimated. Executives have now seen, often enough, the devastating consequences of a successful infection at similarly sized and similarly resourced firms. As a result they are far more aware of the risks, and of the levels of sustained investment and top-down support required to mitigate those risks and drive a security-first culture internally.
Other drivers are more direct, such as a proposal on the table to make company directors personally liable for cybersecurity incidents. Directors of Australian financial sector participants also face direct pressure to skill up on cybersecurity: “Boards need to strengthen their ability to oversee cyber-resilience. Ultimately, … boards [are expected] to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues,” Australia’s corporate watchdog recently wrote.
The intersection of governance and cybersecurity will only increase in importance. Cybersecurity will be a top-down problem that must be taken seriously and for which responsibility will ultimately sit with the board and C-level executives.
It will become harder and more costly to get cyber insurance
On the other side, escalating ransoms and mop-up costs have cyber insurers de-risking as much as possible. Too many organizations are being compromised and running up multi-million-dollar clean-up bills they expect insurers to meet.
Payouts have halved in some cases, while premiums have skyrocketed; industry body CIAB saw cyber premiums rise 27.6% in the three months to September 30 alone.
At the same time, insurers are trimming exclusions, testing contractual clauses before the courts, and forcing those seeking cover to constantly improve their baseline security capabilities and technology to reduce the risk of compromise.
We have seen during recent cyber insurance renewals that insurers are aligning their questions to the CIS and Essential Eight frameworks. That alignment is catching some companies out when, for example, they are asked to provide evidence of MFA enforcement and vulnerability management capabilities.
All of which is to say that cyber insurance is a rapidly evolving space both in Australia and overseas, and 2022 will make or break the business models that have brought us to this point. There may be very real ramifications for the ability of organizations to secure cost-effective cover as a result, and that, in turn, is likely to lead to a fresh round of investments in cybersecurity aimed at reducing liability and mitigating against professional and organizational risk all around.