Shared from the 2/11/2022 Financial Review eEdition

Cyber complexity is the real enemy


Cybersecurity is at the top of almost every corporate risk register. Businesses of every size and across every vertical need to grapple with an increasingly threatening landscape filled with malicious parties looking for ways to penetrate your systems to steal data or find a way to defraud you of funds.

Facing these challenges is no longer a matter of buying a decent firewall and some endpoint protection software. It takes trained and skilled professionals to understand the risks that matter to you and to implement strategies to protect your critical systems and data.

Against that backdrop, businesses face other challenges. Market pressures often mean new products and services must be delivered faster than ever before.

“In order to shorten the time to market of new products and services, many businesses are adopting new processes based on agile frameworks,” says Adrian Petzer, the managing director of leading operations and security management firm DeployPartners.

“This can create new risks as the desire to hit the market quickly can mean security is an afterthought and not baked into new products and services.”

The issue is not that companies don’t care about security. Rather, it’s that they don’t have the time, skills or tools they need to understand the threats and risks and then put robust mitigation strategies in place.

And with the federal government looking to bolster the nation’s cybersecurity posture through heightened focus on the Essential Eight and new legislation that is being considered, it can be challenging to not only do what’s required today but also manage what’s coming next.

Skills are a key element in establishing a robust cybersecurity strategy. Cybersecurity training needs to go further than an annual online training session consisting of a video presentation that’s followed by a short quiz.

A robust training program delivers training about the specific risks your organisation is facing in a way that makes sense for your organisation.

Offering training by using a variety of different tools and methods helps build a security culture into the organisation. And it needs to be tailored to specific functions. The training required by a developer is very different to that required by an accounts team member.

Finding and retaining the skills needed to develop and deliver a strong cybersecurity program is extremely challenging. There is a global shortage of security professionals, with the Information System Security Certification Consortium finding that Australia still has a skills shortfall of about 25,000 people despite significant efforts to bridge the gap.

“It can be extremely challenging to find the right resources,” Petzer says. “Working with a competent professional services partner can help bridge that gap. They can also provide great threat intelligence services and provide expert advice on how to manage specific issues.”

For example, the recent Log4j issue that received lots of attention presented businesses with a potential risk. But understanding the actual exposure, what mitigation strategies might be needed and how to protect yourself required lots of research and investigation.

A trusted partner that specialises in issues like this can ensure you have a strong response ready before any potential issues escalate.

“Finding a reliable partner is about more than just fixing problems,” Petzer says. “It’s about being ready for the unknown. For example, a partner that can put in place privileged access management can help minimise the risk of a new, never-seen-before threat.”

That protection is not just about threats that take advantage of vulnerabilities. In some cases, cyber criminals attack the supply chain and infect software tools and even hardware at the source. For example, hackers distributed a tainted version of Apple’s Xcode development tool, resulting in smartphone apps being distributed with malicious code. More recently, hackers infiltrated the factory of security device maker SolarWinds and added malicious code to the company’s Orion operating system software, which is used by tens of thousands of companies.

Applying Essential Eight recommendations such as privileged access management, application allow-listing and maintenance of patching and updates is becoming harder.

With so many different threats and challenges, businesses often feel that they need to implement a broad range of different tools. The information security landscape is packed with different vendors, each offering their own piece of the cybersecurity puzzle. Choosing the right tools and ensuring they all work together is critical. And then the question is about which systems to operate from the cloud and on-premises.

“Cybersecurity is a team sport,” Petzer says. “Many companies would benefit from boosting their team with a partner that understands the threat landscape, is experienced in dealing with issues and can work with you to create and implement a strategy that can protect your business.”

With business moving faster than ever before, and a constantly changing threat landscape, boosting cybersecurity skills across every level of the business is critical. Monitoring the activity of cyber criminals and ensuring you’re aware of new vulnerabilities require specialist skills that are in extremely short supply.

Working with a service provider can overcome many of these challenges and give you confidence to forge ahead, allowing your business to thrive.
