5 minute read
A cyber attack's name may change, but the reason it happens doesn't.
By Garett Paton Director Data Protection Solutions at Dell Technologies, ANZ
As Albert Einstein didn’t say, the definition of insanity is “to do the same thing over and over again and expect different results.” (Sidenote, it was a mystery novelist Rita Mae Brown who said, or at least wrote it,). And yet, when it comes to cyber security this is essentially the approach: not addressing the fundamental problems that create the vulnerabilities in the first place and then being surprised by an attack year after year.
Now, it might seem strange to say that security does not always change dramatically over the years. No one can have missed the often-devastating attacks that have been front page news for much of 2021. And similarly, we’re seeing cyber-attacks used in conjunction with traditional warfare in modern conflicts.
However, while the scale of the attacks has changed, the security industry is still facing the same problems it has for the past 20+ years.
So, what has changed and what hasn’t?
The difference now is that the cost of complacency is now too high. In February, cybersecurity authorities in Australia, the US and UK issued a joint advisory highlighting the increased globalised threat of ransomware. They noted that Australian organisations of all sizes were potential targets, not just the “big fish”. Despite the high-profile examples, threats are hitting all levels of business
And sure, ransomware attackers may be tweaking their methods to increase impact, by targeting the cloud, the supply chain or managed service providers. But they still use the same approach. Even in a year as unpredictable as 2021, the threats organisations and individuals faced were fundamentally the same as they’ve been for decades: phishing and fraud. The difference is they were updated to be attractive to today’s targets.
The fact is, it is still too easy for adversaries to access an organisations’ networks and cause harm, and often through a known vulnerability. Without addressing these issues, hackers will continue their successful efforts
In a nutshell, technology departments must get better at quickly identifying and fixing vulnerabilities before they can be exploited. In turn, tech providers must get more proficient at developing secure and resilient technology.
When security is embedded into all technology, organisations are better positioned to identify, protect, detect and respond to threats. In essence, there three longstanding problems our industry needs to resolve now
Plug the workforce gap
A hacker’s potential to cause harm is unlimited, so defenders must get it right every time. This requires impressive defences, but most organisations struggle to find enough cyber talent to build it.
Talent may be the biggest issue facing our industry. According to not-for-profit AustCyber, nearly 17,000 more cyber security workers will be needed by 2026. As well as relying on graduates, organisations need to investing in training programs and developing employees in transferable skills. That way, organisations can transition interested employees from non-traditional security backgrounds like risk, IT, data analytics or engineering roles into security positions. More broadly, nations and educational institutions should invest in cybersecurity as a long-term strategic priority. It’s essential to the safety and stability of our digitally dependent future.
But it’s clear there still won’t be enough people to plug all the gaps, so it needs to be done in parallel with identifying areas to reduce labour dependency, such as automation using artificial intelligence and machine learning.
Manage Vulnerabilities
While IT governance processes such as asset inventory and patch management are simple in concept, we as an industry tend to struggle with these basics –a win for the hackers. Organisations need awareness of technology deployments and their dependency on them. This extends beyond IT managed systems to anything plugged into corporate networks, as well as third-party cloud services.
Further, the discussion around patching should focus on speed and prioritisation. It commonly takes weeks, if not months, for organisations to patch vulnerabilities, whereas hackers are on vulnerabilities within hours or days of their publication.
It’s imperative to know what technology the company has at all times in near-real time, and to find and patch vulnerabilities within hours. While this level of excellence exceeds industry standards, organisations need to practice this effectively to defend against today’s threats.
According to not-for-profit AustCyber, nearly 17,000 more cyber security workers will be needed by 2026. As well as relying on graduates, organisations need to investing in training programs and developing employees in transferable skills.
Building More Secure Technology
At the heart of many vulnerabilities are systems that were not designed with security in mind. They often use inadequate design and development practices. This issue only gets worse as the number of companies developing technology explodes with the digitisation of “smart” product lines across every sector. From appliance companies to watch makers, everyone develops code now.
Technology providers must develop technology that’s intrinsically more secure and resilient, designed with the foresight on how these devices will connect into networks that are likely crawling with hackers. An intrinsic security approach results in technology that’s less likely to have security bugs, but also that fails with fewer consequences when vulnerabilities are inevitably discovered.
Additionally, intrinsically more secure technologies reduce the need for the multitude of security tools that most organisations require, which in turn reduces the skilled cyber labour needed to operate them.
This illustrates the harmony and interplay that exists between these three fundamental security areas, where only by implementing each in concert will we realise the full potential of this opportunity. But we can’t do it alone, we need to work together to solve the problems that affect us all, such as the coalition of countries, including Australia that have pledged to help Ukraine.
Of course, we should always have one eye on the threats around the corner. But we should also spend our time solving the long-standing problems that hurt us every day, rather than pontificate about problems that don’t yet exist. With a renewed focus on getting the fundamentals right, organisations can begin to get the upper hand.