In collaboration with Ecosystem, Fastly has released new research showing that 75% of Australian businesses are now experiencing a vastly increased attack surface caused by their reliance on web-based applications.
The researchers say that large attack surfaces are routinely sought out and tested by attackers looking for less secure entry points to corporate IT environments.
According to the research, organizations in Australia have massively migrated to more decentralized IT architectures in the past two years. However, they are still grappling with some of the cybersecurity implications of these digital and cloud-first operational models.
According to the report, cloud, web applications, and the APIs that enable these apps to integrate and exchange data feature heavily in the risk and challenge assessments by CIOs, IT directors, and technology leaders of Australian organizations.
API endpoints, cloud service provider authentication, and open-source enterprise software are significant risks and potential entry points for attackers. Inadequate controls around these architectural elements and a lack of operational maturity and reliance on traditional defensive postures have left Australian business leaders on the edge and fearful of attack.
The survey shows that 65% of large companies in Australia view nation-state attacks as very high or high risk to their organizations. There is also concern among leaders of all sizes about credential stuffing, which attackers can use to compromise cloud accounts and individual as-a-service logins.
The research also shows that:
Digital has dominated IT strategies for the past two years. Still, it means working securely in a majority or full web or cloud-based environment with heightened risk tolerances and inconvenience to security teams. IT leaders expect to pay more attention to web application security in the next two years, but more likely in 2023. Application security often comes second in the competition for attention and funding. More than half (53%) of IT leaders say they will prioritize other digital transformation projects over application security by 2022, while 39% say other business initiatives outside of IT will be prioritized at the expense of cybersecurity. Over 40% of leaders still view cloud misconfiguration as one of the top five cybersecurity challenges. Despite the attention and focus this issue has received in recent years and the emergence of low-code/no-code platforms and configurations, cloud environments remain complex, and errors or misunderstandings can cause even experienced engineers to experience cost overruns and unintended risks of data exposure. This is higher for enterprises (41%) than for large (22%) and medium (26%) organizations. The main challenge to managing application security initiatives is complexity. Overall, 55% of leaders say too many third parties are involved in the end-to-end security of their applications, highlighting the new reality of working in a cloud, web, and API-driven world.
According to the researchers, this is because a typical response of decision-makers to the increasing complexity of their technology environments is to deploy additional new security solutions. However, that approach means that nearly half of the Australian companies have more than 50 cybersecurity tools and suffer from warning fatigue and high false positive rates.
The researchers argue that organizations need a current cybersecurity posture that enables them to anticipate threats before they occur and react immediately when attacks occur. They need security controls capable of automatically detecting, detecting, responding to, and responding to access requests, authentication needs, and external and internal threats.
The management and application of these controls should also be highly automated to improve coverage and consistency and reduce the burden on Security Operations Centers (SOCs) and cybersecurity professionals.
Fastly Area Vice President Australia and New Zealand Derek Rast said: “As Australian companies get deeper and deeper into digital transformations, they face a well-known problem: the challenges of securing a rapidly growing number of mission-critical cloud services and API-centric applications.
“The tools these companies use to secure their digital-first, cloud-first, and microservices-based architectures must evolve. Traditional web applications and API security tools fall short in this regard. Leveraging Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs) must be part of a holistic, deep-rooted security strategy.”
The researchers say an illustration of the cyber maturity challenges Australian businesses face is the lack of consistency in the operational parameters, powers, and readiness of cyber threat and incident response teams.
The report finds that one in three cyber threat response teams lack the support of key internal stakeholders, are unclear about incident management escalation points, and lack the authority to seize or disconnect equipment and monitor suspicious activity, including from the senior management.
Additionally, when it comes to cyber threat response planning:
Only 54% have a full plan with legal and corporate communications teams, 50% practice the program at least once a year, the other half practice less often or not at all, and 48% have a schedule for additions and improvements to the plan, keeping senior leaders responsible for making the improvements
The report finds that enterprises are more likely than large or medium-sized organizations to have a multi-stakeholder plan that has been properly practiced. However, they are more likely subject to regulated incident planning and response requirements. This is supported in the study by identifying compliance as a major cybersecurity challenge facing organizations.
Medium-sized and large organizations are more likely than enterprises to rethink how they deploy applications and business logic to end-users and actively pursue that target state.
The research shows that 64% of midsize organizations and 56% of large organizations embrace edge computing, moving business logic from application servers to an edge cache. In contrast, only 43% of companies do the same – 10% below the general average.
Moving business logic from the backend to the edge improves application performance. It can significantly reduce an organization’s risk as user requests are routed through a single front door rather than to any number of servers hosting the application.
The survey reflects the views of 200 cybersecurity decision-makers in Australia, mostly CIOs, IT directors, and similar titles. It was commissioned by Fastly and conducted in April-May 2022. It covers organizations of three sizes: medium (101 to 499 employees), large (500 to 999), and enterprise (more than 1000 employees).
