Millions of dollars in government funding and internal budgets are channeled into cybersecurity to build resilience against advanced threats, reflecting how serious this problem has become.
The latest Australian federal budget includes nearly $9.9 billion to improve the country’s cybersecurity and intelligence capabilities. Gartner finds that 73% of CIOs in New Zealand expect cybersecurity to be their largest technology investment by 2022.
Meanwhile, the number of threats continues to skyrocket. In 2021, 8,831 incidents were reported to CERT NZ, an increase of 13% from 2020. Individuals, small businesses, and large organizations across New Zealand submitted incident reports. On the other side of the ditch in Australia, the ACSC received more than 67,500 cybercrime reports in the fiscal year 2020/21, an increase of nearly 13% from the previous year.
Cybersecurity threats have become more sophisticated and devastating, even for large companies with significant IT budgets. The commentary on the topic can be overwhelmingly negative and complicated.
To separate fact from fiction and provide actionable, tangible steps for creating a smarter security strategy, Vectra released its A/NZ Security Leaders Research Report. This is part of a larger global survey of 1,800 security decision-makers and aims to uncover how today’s organizations tackle complex, modern cyber threats.
Exposing the security issues
According to Vectra research, the same digital transformation enabling innovation has dramatically increased the attack surface. From the rapid spread of the cloud to the growing adoption of microservices, DevOps, and APIs, new opportunities are opening for cybercriminals to take advantage of.
To take an extreme example, in Australia, a report from the Australian Cyber Security Center (ACSC) found that a quarter of cyber incidents reported to security officials within a year targeted critical infrastructure, leading to potentially significant disruption to essential services, loss of business and the potential for damage or loss of life. This trend is following in New Zealand, with the annual National Cyber Security Center (NCSC) Threat Report showing that in the 2020/21 year, there were 404 incidents affecting nationally important organizations, a 15% increase from last year’s total.
Today’s violations can disrupt business operations, damage supply chains, damage customer confidence, and expose companies to regulatory fines. Cyber attacks often cost companies a huge amount, so they may not recover. In 2021, the global cost of data breaches rose from $3.86 million to $4.24 million, and ransomware attacks resulting in stolen data and prolonged operational outages could cost many times more. Some companies have reported millions of losses. This evidence alone shows why cybersecurity is now a board-level issue.
It has become abundantly clear within this threat landscape that the old ways of defending operations no longer work. Whether it’s system exploitation, phishing, using stolen accounts, or bypassing multi-factor authentication (MFA), there’s always a way in, and once inside, attackers are masters of hiding. To adequately defend against threats, security leaders and teams must evolve.
Four key factors that will drive change
We’re aware. The Vectra report found that most respondents (85%) felt traditional approaches would not protect against modern threats in Australia and New Zealand. Only 40% believed their security tools would protect them. More than half (58%) reported buying a security solution that failed at least once, 60% feared their devices had missed something, and 57% believed it might or probably have been hacked while not realizing it.
These findings make it clear that security leaders are thinking about security, aware that they are lagging, and looking for a better approach. The report also highlighted four key changes that cybersecurity organizations could benefit from.
To begin with, a change in thinking is required. Often culture and mindset can be pushed aside instead of a technological solution, but this is not good enough. Security leaders must consider how to refocus their approach to threats, understand that attackers have the resources to infiltrate even the most robust perimeters, and build a strong foundation. This starts at the employee level, first with the organization’s leaders and then with the final hire. A strong corporate culture with a security-first mindset will go a long way in building a strategy that works.
Legacy tooling and thinking is a barriers in the new threat landscape. Part of the shift in thinking understands that an initial approach to prevention will no longer suffice. Yet many organizations invest too much in a doomed prevention strategy that tacitly fails, leaving them susceptible to breach. We need to move to detection rather than prevention and protect against attackers the way they work instead of how you think they are.
Another key focus for security leaders is their relationship with c-suite management and governance. As the propensity and cost of breaches increase, these key stakeholders are becoming aware of cyber-attack risks, but they are not the experts. Security leaders must find effective ways to communicate and educate risks on mitigating them best and gain critical support for their strategies.
Finally, the report found that legislation and guidelines provide a useful starting point for businesses, with policies and regulations ensuring that companies have a basic layer of security within their organization. Still, greater industry involvement and experience can help make code more effective and provide a better understanding of the threat landscape so leaders can implement effective detection and response plans.
Finding a way forward
Real resilience starts with the right attitude. Many cybersecurity professionals understand they can no longer rely on outdated, prevention-based tools, government advice, or ancient board input.
By accepting this, CISOs can start creating the right conditions for effective cyber risk management and stopping breaches before they have a major impact. By doing this, organizations can continue developing their culture and security strategy to protect against threats and win in their expertise.