At the turn of the millennium, the biggest cybersecurity threats were taking place at the network layer, such as wormhole and routing attacks, which could easily be minimised by IT’s iron grip on application access and complete visibility across the network. Unfortunately, as we have learnt from the recent WannaCry ransomware attack that wreaked havoc around the globe, today’s security landscape is a stark contrast to the halcyon days of IT security.
With the influx of cloud-based applications, coupled with strong movements to embrace digitisation and Bring-Your-Own-Device trends, cybersecurity attacks are now occurring across multiple layers beyond the traditional network perimeter. A 2016 Ponemon report found that, globally, 50 per cent of respondents said application layer attacks are now more frequent, and 60 per cent said they are more severe, than those at the network layer. According to Cisco’s Annual Cybersecurity Report 2017, globally more than half of security professionals identified mobile devices (58 per cent), data in public cloud (57 per cent), and cloud infrastructure (57 per cent) as their biggest sources of concern when it comes to cyberattacks.
Expanding threats in an application-centric world
Today’s breed of cybercriminals has grown more malicious, and their attacks more frequent, complex, and expensive to rectify — because the rewards are so lucrative. As companies continue to store increasing amounts of data digitally, IT security spend increases accordingly on firewalls and antivirus programs — protecting information the way a moat and castle protect the keep. However, today’s cloud-based and app-based environments offer attackers an easy way to sidestep traditional network security, meaning the perimeter that must be protected has expanded. Today’s conversation therefore should not be about the need to invest in cybersecurity, but about the need to invest in the right places.
The national Computer Emergency Response Team (CERT) responded to 14,804 cyber security incidents impacting Australian business between July 2015 and June 2016, 418 of which involved systems of national interest and critical infrastructure. Last year, the Australian Crime Commission estimated the annual cost of cybercrime to Australia to be more than $1 billion in direct costs. The price of poor cybersecurity is clear.
On Friday, May 12 2017, the world’s most extensive cyberattack in recent memory, WannaCry, hit 200,000 victims in 150 countries, infecting organisations with ransomware, most notably targeting the UK’s National Health Service and Spanish telecommunications provider, Telefónica. At least twelve Australian businesses were reported to have been impacted, with a number of unconfirmed reports in New Zealand. The total monetary value of the damage is still unknown; however, the incident has been a hard lesson on the importance of investing in cybersecurity.
Losses go beyond monetary
Worryingly, EY’s Global Information Security Survey 2016-17 report found that only 50 per cent of organisations believed they could likely predict and detect a sophisticated cyberattack, and 64 per cent either do not have a threat intelligence program or have only an informal one. The real issue here is not a lack of cybersecurity investment — cybersecurity already accounts for a significant portion of business IT spend, and the government recently pledged a further $15 million in funding to protect Australia’s small business sector as criminals’ focus shifts to SMEs. The real issue is the lack of preparedness to protect against the threats that come with today’s application-driven environment.
In a bid to protect consumers and businesses from the fallout of such breaches, in February 2017 the Australian government passed the Notifiable Data Breaches Bill, requiring any organisation accountable under the Privacy Act to inform the Australian Information Commissioner, its customers and the public if their data has been compromised. The reputational damage that follows a mandatory disclosure should therefore serve as a further incentive for smarter cybersecurity measures.
Back in 2007, Jason Spaltro, then the Executive Director of Information Security at Sony Pictures Entertainment, famously said it was a “valid business decision to accept the risks of a security breach”, and that he “would not invest $10 million to avoid a potential $1 million loss”. How times have changed. This was before the company suffered a major cybersecurity breach in 2014, where hackers stole and leaked pre-released movies, individuals’ private information and sensitive documents. The total loss? Almost US$100 million in revenue, and a lot more in intangible and hidden costs. This includes loss of customers, difficulty acquiring new customers, and investor flight among others.
Protecting the new perimeter
In order to invest smarter in cybersecurity solutions, the first step is to prioritise what you need to protect. For instance, in an app-centric environment, you should identify all apps in your network, whether deployed by IT or shadow apps installed by employees, and secure those you deem to be most valuable and most vulnerable. Secondly, security assessments must be part of your application development framework, not an afterthought. Having secure applications will not only protect your data but, even more importantly, will enhance your customers’ experience and their confidence in your brand.
It is also important to keep in mind that cybersecurity is everyone’s responsibility, not just IT’s. Ongoing conversations among different business units, from finance to senior management, as well as staff training, allow you to better identify critical vulnerabilities, understand end-user behaviour, plan an efficient and robust cybersecurity strategy, and get the support needed to roll out business-wide security initiatives. Ultimately, a smart cybersecurity investment will be integrated into every aspect of the organisation to ensure that you retain your customers’ trust and protect your bottom line.
Rob Malkin is Managing Director of ANZ at F5 Networks