In the ever-evolving landscape of cybersecurity, the lessons learned in a short timeframe can redefine an organisation’s approach to safeguarding its digital assets. As we reflect on the challenges and triumphs of the past 12 months, professionals and industry experts are compelled to share their insights on the most influential cybersecurity methods and articulate how this newfound knowledge will shape their business strategies in the coming year.
Rafi Katanasho, APAC Chief Technology Officer, Dynatrace, believes that the complexities of modern hybrid and multi-cloud infrastructure coupled with a lack of available talent and skills shortages are making it increasingly challenging for organisations to manage and maintain the optimal performance of their digital strategies. He says that many are attempting to overcome these challenges with a ‘do it yourself’ attitude. “However, the cracks are starting to show in this fragmented and highly manual approach.”
With the adoption of Generative AI as a business tool, in addition to cyberattacks, Usman Choudhary, Chief Product and Technology Officer at VIPRE Security Group, considers the risk of intellectual property and commercial data loss could grow exponentially if there isn’t a continuous alignment of cybersecurity, business strategy and operation. “The risk of breaching industry regulations such as HIPPA, GDPR and a host of similar country-specific data protection legislations is greatly increased too,” he added.
In a regional context, this impact on critical infrastructure has led to an emphasis on regulatory investment. The Australian government recently launched its Federal Government 2023-2030 Australian Cyber Security Strategy after major cyber incidents affected business movements.
Anthony Daniel, Regional Director, Australia, New Zealand and Pacific Islands, WatchGuard Technologies, commented on the strategy, saying that the AUS$600 million to combat cybercrime is crucial in the face of the rising number, speed and sophistication of cyberattacks. “At the same time, the mandatory reporting for hacked businesses will not only empower the government to respond effectively but also enable the creation of a more resilient cybersecurity ecosystem.”
The values of learning from mistakes and adapting to the modern world should be embraced and explored. It’s clear that regional and global compliance will help organisations protect their supply chains and operations. Still, individual reflection and removing complacency will enhance the likelihood of preventing further attacks – or at least acknowledge that there is more work to be done.
Chester Wisniewski, Director, Field CTO, Sophos
One old truth we learned this year has more nuance than we might have anticipated is how lazy criminals are, and yet quick to take advantage of things that increase their successes. Observing the last 18 months of cases handled by Sophos Incident Response Services, we see the criminals waver back and forth between using stolen credentials and exploiting unpatched vulnerabilities as the winds of security fates blow in either direction.
In the end, why bother doing the hard part if your potential victims will make it easy for you. It’s no surprise that the easiest way is the favourite way, but to see it so directly tied to the availability of high-profile exploits (easiest) and their scarcity force criminals to step up to credential theft provides useful information for us to use in crafting a defence. One, we should spend more time on patching externally vulnerable systems. Two, we should require Multi-Factor Authentication on all externally referenceable systems. Lastly, for every action we take, we can raise the cost of our attackers to gain an initial foothold. Good defences not only protect but they impose a cost on criminals.
Another takeaway from 2023 is we have no time to waste when defending our information. The median time for a criminal to have penetrated a network until they detonate their final malware has reduced from 10 days in 2022 to eight days in the first six months of 2023. If this decline continues, we will need to be even faster at both detection and response than ever before to prevent increasingly costly incidents.
How are the criminals getting faster? They are becoming more specialised at specific tasks and working in ever larger, complex networks to achieve their goals. With the large sums of money, many of the groups can hire increasingly talented co-conspirators to breach our defences.
The biggest lesson of 2023 is that everything that was wrong, still is wrong. While we have solved the problem of Flash and Java being exploited to compromise our PCs and we use TLS to encrypt nearly all of our internet traffic, there is still a lot of low-hanging fruit.
If we leave the doors and windows unlocked, we should expect to find intruders among us. The work we have done to improve our security as a community is working and the evidence supports that. Now we must continue to build on those improvements to make it increasingly more difficult and expensive for thieves to take advantage. Fast and complete patching will go a long way; along with stronger authentication, 24/7 monitoring and remediation capabilities. On to 2024, onward and upward.
Stephen Gorham, COO, OPSWAT
The paramount lesson learned this year is the shifting of responsibility upstream, placing greater demands on boards and executives. It’s no longer sufficient for organisational leaders to ensure the protection of their digital assets; they are now expected to possess a comprehensive understanding of the risks faced by their organisations and actively engage in the mitigation of these risks. This paradigm shift is underscored by the fact that executives can now be held criminally accountable for lapses in cybersecurity, for example, as evidenced in the US by the SEC pursuing charges against the CISO of SolarWinds.
This heightened expectation is indicative of a broader trend where cybersecurity is becoming not just a technical concern but a crucial aspect of corporate governance. Executives are now required to play a proactive role in steering their organisations away from potential cyberthreats, acknowledging that their decisions impact not only the digital infrastructure but the overall well-being of the company. The repercussions of inadequate cybersecurity measures are not limited to financial losses and reputational damage; legal consequences are becoming a stark reality.
Coupled with this challenge is cybersecurity insurance. Securing coverage is increasingly difficult, marked by rising costs and more restrictive terms. This trend is likely to continue, creating a scenario where leaders are compelled to take cybersecurity seriously and move beyond mere compliance and ‘checking the box’. Organisations must foster a culture where cybersecurity is prioritised in the decision-making process and a part of the overall corporate strategy – from technology to employee training and awareness.
As cybersecurity challenges persist and responsibilities continue to climb up the corporate ladder, the adaptability and resilience of organisations will define their success in an increasingly digital and connected environment.
Scott Hesford, Director Solutions Engineering, APAC and Japan, BeyondTrust
During 2023, the biggest lesson I learned was the continued importance of securely managing remote access of IT and OT (Operational Technology) environments. This quickly became a significant issue for many organisations at the beginning of the pandemic shutdowns and – unfortunately – remains so today.
The key security challenge caused by the increase in remote access, by both employees and third parties, is that it continues to be a key entry point for many cybersecurity breaches. Although the threat landscape is constantly evolving, this is something that appears to be an ongoing challenge for many CISOs and their security teams. Throughout the past year, it’s been frustrating to see the number of cybersecurity breaches initiated through this attack vector continue to grow. It appears that – despite significant industry and media attention – many business leaders have still not got the message.
Changes to the regulatory environment also appear to not be having as much impact as they should. Recently, the Australian Government’s Cyber and Infrastructure Security Centre highlighted the significance of this attack vector to businesses in its annual risk review. Hopefully, this will help to spur action on this front during 2024.
The recent cyberattacks that targeted Okta identity infrastructure and Microsoft Active Directory instances served to highlight weaknesses in identity security and controls. Many organisations are continuing to struggle with achieving the visibility needed to get a clear understanding of their identity security posture.
While there are often logs fed into an SIEM or tools tracking on-premise Active Directory, the data remains siloed. In 2024 and beyond, organisations need to make the move to holistic visibility of identities across all their environments, including on-premise, SaaS platforms and multiple cloud services. By doing so they will be able to effectively detect and respond to the growing range of sophisticated cyberthreats. This can be achieved by deploying tools that harness advanced analytics and intelligence capabilities. These tools, in turn, can deliver real-time visualisation of threats, indicate potential attack paths and provide actionable insights.
For security teams, these tools create an intelligence layer that delivers a new level of identity and access security. Deployed correctly, the tools can give security teams a unified view of identities, accounts, cloud entitlements and privileged access rights across an organisation’s entire IT infrastructure.
Strengthening an organisation’s security posture by providing more secure remote access should be a priority for many organisations in 2024. Likewise, identifying threats, risks and attacks on common identity-related vectors will not only reduce the threat surface but allow a more nimble and timely response to attacks.
Daniel Chu, VP of Systems Engineering, APJ at ExtraHop
Throughout 2023, we have all become increasingly aware of the impact that Generative AI has – and will continue to have – on the business world. It was interesting to observe the varied reactions of people to the technology and how organisations responded.
While Generative AI is widely seen as a transformative technology, security teams have expressed concern about the risks that it may pose. These include the chance that personally identifiable information (PII) used to train the AI models may inadvertently be leaked to the outside world.
Interestingly, a survey conducted by ExtraHop found almost a third of respondents confirmed their organisation had banned the use of Generative AI tools in the workplace altogether. However, despite these bans, just 5% said employees never used the tools at work which shows they are ineffective.
This approach to managing a new technology has occurred before. Back when mobile devices first entered mainstream use, many organisations prevented employees from using them to access corporate IT resources. Then, when cloud computing emerged, many firms banned its use believing that data and applications should only be housed in on-premise facilities. Over time, these attitudes moderated, and I expect a similar shift will happen concerning Generative AI.
It comes down to a case of managing risk and having the correct policies in place to guide usage. Staff will then have a clear understanding of how and where the tools can be used – and where they should not.
During 2024, Generative AI will continue to evolve at a rapid rate. The technology’s ability to add significant business value will become clearer and adoption will grow. From a security perspective, wider usage of Generative AI tools will require an improvement in visibility. Security teams will need to be able to understand how and where people are using them and for what purposes. Improved visibility will also provide insights into how different teams are using the technology and whether there might be security ramifications that need to be addressed. If any uses are deemed inappropriate, they can be stopped before security issues arise.
During the coming year, we will also be looking at how Generative AI can be put to work to support our customers. Our focus will be on adding AI capabilities to our products so that the security teams using them will augment existing jobs and capabilities.
Using AI as a ‘co-pilot’ will support security professionals with activities ranging from improved detections and incident response to proactive threat hunting. Generative AI will progressively play a significant role in driving efficiencies and bolstering capabilities for security operations teams. Essentially, AI will become an increasingly valuable tool that can be harnessed by organisations to deliver clear competitive advantages.
Steven Kenny, Architect & Engineering Programme Manager, EMEA, Axis Communication
With six years devoted to evangelising cybersecurity, the insight gained in 2023 is that each individual is on a distinct journey in comprehending and acknowledging the risks linked with cyberthreats. The prevailing misperception is that cybersecurity ownership still erroneously rests solely with the IT function.
As the landscape of cybersecurity undergoes continuous evolution and risks escalate, the foremost challenge organisations must tackle revolves around human error. This remains the most pressing concern, likely to be the root cause of cyberattacks. Despite significant time invested in raising awareness about threats, a continual awareness dialogue is imperative. The audience’s maturity varies drastically based on individual roles, company profiles and even geographical locations. It is incorrect to assume a uniform knowledge level, and the belief that everyone has undergone the same cybersecurity journey is flawed. This information is novel to some, underscoring the vital need to persist in presenting such topics and fostering competencies in those less experienced.
Looking ahead, addressing cybersecurity demands strategic investment, and contrary to common belief, it isn’t merely about acquiring more technology with enhanced cybersecurity features – though that can be beneficial. The pivotal investment required is in education, education and more education. Cybersecurity stands as a shared responsibility, extending throughout an organisation and its value chain. Everyone has a role in upholding the cybersecurity posture of the business, which involves establishing internal education courses for all members and ensuring equal awareness of individual responsibilities. These courses should spotlight personal behaviours, heighten risk awareness and provide business tools for support.
True empowerment and smart decision-making in the realm of cybersecurity arise only when individuals thoroughly understand their roles. Through education, employees grasp the business impact and associated risks linked to their decisions. It becomes evident that cybersecurity is a collective responsibility, not solely confined to the IT function.
In moving forward, the absence of a silver bullet for cybersecurity necessitates investment in the areas offering the greatest benefit, emphasising education. This strategic approach equips the workforce to navigate the complexities of cybersecurity, fostering a culture where every individual actively contributes to the organisation’s cybersecurity posture. The journey towards minimising human errors and building a cyber-secure environment is a shared responsibility, grounded in understanding and education.
Jeff Stewart, Field Chief Technology Officer and Vice President of Global Solutions Engineering, SolarWinds
Since January 2021, SolarWinds has been championing Secure by Design, a gold-plated cybersecurity standard that focuses on people, infrastructure and software development, to enhance the strength of the company’s security framework. With this approach, we are not only establishing SolarWinds as a trusted leader in enterprise software security, but by releasing components of this system as open source, we are advancing the cybersecurity maturity of the industry as a whole.
Reflecting on the past year, it’s clear we’ve made great progress in the journey toward a Secure by Design industry. However, challenges and roadblocks persist. Legacy systems, deeply entrenched in many organisations, are difficult to transition to a Secure by Design approach. Many pose vulnerabilities that can be exploited by cybercriminals. Moreover, the threat landscape evolves constantly, making it essential for organisations to stay vigilant.
However, these challenges only strengthen the case for the industry’s shift towards being Secure by Design. Together, we can forge a more secure and trustworthy digital landscape – and safeguard our interconnected world. In the year ahead, we believe organisations should concentrate their efforts on three key focal points to advance in this mission.
First is to ensure the generation of a Software Bill of Materials (SBOM), which is like a receipt of each component, library, tool and process that developers use in the build process. SBOMs are a critical step for improving the security of software products, by providing visibility into their composition. SBOMs introduced a new standard for transparency and openness in the industry, and their adoption is improving.
Second and perhaps more obvious, is the need to invest in security training and the cyber workforce. One of the significant vulnerabilities in any organisation is its employees. But when well trained, they can serve as the first line of defence, and thus a security-aware culture can help safeguard digital assets. It is therefore encouraging to see that a recent report predicted that the global security awareness training market will exceed US$10 billion annually by 2027, increasing tenfold from the US$1 billion figure that Gartner shared for the market’s annual revenue in 2014.
Perhaps most importantly though, the cybersecurity community is increasingly recognising that threats are not limited to a single organisation. They can affect entire industries. As a result, there has been a growing trend of collaboration among organisations to share threat intelligence. By pooling resources and knowledge, we can collectively bolster our defences. This collaborative spirit has been a highlight of the past year, with progress in private companies and the government forming a two-way partnership to thwart cyberthreats.
As threats will continue to evolve, our defences must evolve with them. This is why at SolarWinds, we urge organisations to prioritise Secure by Design principles, invest in cybersecurity talent and technology, and embrace a proactive approach to cybersecurity. The collective responsibility of the cybersecurity community is to work together to build a more secure world, and we’re on the path to do so.