Protecting data not just an IT problem

Vectra AI

By Chris Fisher, Director of Security Engineering APJ, Vectra
Tuesday, 22 November, 2022



We live in a time when terms like phishing, ransomware, viruses and worms are part of the everyday lexicon — and not only among IT professionals. Cyber attacks in Australia are accelerating, with the state of the nation’s cybersecurity coming under greater scrutiny.

Millions of Australians have been impacted by several high-profile incidents — Optus and Medibank to name just two — which have exposed their customers’ personal data to hackers. While the federal government continues to take active steps towards revamping privacy rules and imposing greater penalties, analysts have described the recent incidents as a ‘hacking frenzy’, not helped by the current cybersecurity skills shortage.

But is the state of cybersecurity in Australia really that bad? To me, the answer is definitely no.

What we are seeing today is a challenge that has been with us for far too long. For businesses, governments and individuals, cyber breaches are inevitable in spite of best-laid plans. In my observations, a fundamental issue here has been the deflection of cybersecurity as being solely an IT function and responsibility. Historically, this may have been accurate; but as more transactions are conducted online, issues surrounding the protection of data and personally identifiable information (PII) are really a wider business problem.

Business development short cuts lead to long-term cybersecurity headaches

A common dilemma encountered is when businesses hastily sign off on the development of new applications or customer service products, overlooking PII vulnerabilities. This pressure to cut corners might seem unlikely to end up as a breach at the time, but when it does, the consequences are severe. The Optus and Medibank breaches are cases in point, where the number of accounts hit was reportedly equivalent to 56% of the population.

When I see leaks that come from testing or development environments with access to production data that’s not been scrubbed of PII, it usually means a short cut has been taken due to timeframe for delivery or budget. Admittedly, some people do ask — is it not the responsibility of the security operations centre (SOC) to identify unauthorised access to these environments? It’s a valid query which highlights yet more challenges faced by cybersecurity teams.
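The short cut described above, copying production data into a test environment without scrubbing it, has a straightforward engineering fix: pseudonymise the extract before it leaves production and gate the copy on a check that no original PII survives. The following is an added example, not code from the article or from Vectra; the field names, sample records and key are constructed for illustration, and the keyed-hash tokenisation is one common approach, chosen here because it keeps joins between tables working while the key stays in production.

```python
"""Added example (not from the article): pseudonymise a production extract
before it is copied into a test or development environment, and check the
result, so that a leak from that environment exposes tokens rather than PII.
Field names, the sample records and the key are constructed for this example."""
import hmac
import hashlib

# Fields treated as direct identifiers in this example's schema (assumption).
PII_FIELDS = {"name", "email", "phone", "tax_file_number", "date_of_birth"}

# Constructed sample of what a production extract might look like.
PRODUCTION_SAMPLE = [
    {"customer_id": 1001, "name": "Jane Citizen", "email": "jane@example.com",
     "phone": "0412345678", "tax_file_number": "123456789",
     "date_of_birth": "1985-03-14", "plan": "gold"},
    {"customer_id": 1002, "name": "Sam Nguyen", "email": "sam@example.org",
     "phone": "0498765432", "tax_file_number": "987654321",
     "date_of_birth": "1990-11-02", "plan": "silver"},
]


def tokenise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars).
    The same value always maps to the same token within one refresh, so joins
    between tables survive, but the token cannot be reversed without the key,
    which stays in production and is never copied to the dev environment."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every PII field replaced."""
    out = {}
    for field, value in record.items():
        if field not in PII_FIELDS or value in (None, ""):
            out[field] = value
        elif field == "email":
            # Keep a valid address shape so app-level validation still passes;
            # .invalid is a reserved TLD, so nothing can ever be delivered to it.
            out[field] = f"user-{tokenise(str(value), key)}@example.invalid"
        elif field == "date_of_birth":
            # Keep only the year: enough for age-band logic, not an identifier.
            out[field] = str(value)[:4] + "-01-01"
        else:
            out[field] = tokenise(str(value), key)
    return out


def scrub_dataset(records: list, key: bytes) -> list:
    """Scrub every record in a production extract."""
    return [scrub_record(r, key) for r in records]


def leaked_values(originals: list, scrubbed: list) -> list:
    """Release gate: list every original PII value that still appears anywhere
    in the scrubbed output. An empty list is the only acceptable result."""
    original_pii = {str(r[f]) for r in originals for f in PII_FIELDS if r.get(f)}
    haystack = "\n".join(str(v) for r in scrubbed for v in r.values())
    return sorted(v for v in original_pii if v in haystack)


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-in-production"
    dev_copy = scrub_dataset(PRODUCTION_SAMPLE, key)
    for row in dev_copy:
        print(row)
    print("leaked:", leaked_values(PRODUCTION_SAMPLE, dev_copy))
```

The release gate matters as much as the scrubbing: a refresh job that silently skips a newly added column is exactly the kind of short cut the article describes, and the substring check catches that before the copy is handed to developers.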

Firstly, lateral movement and unauthorised access are very difficult to identify in the modern enterprise network. This is because most SOCs are inundated with security alerts at a rate that makes it impossible to quickly pinpoint which of them is an actual cyber attack or breach. This is something I hear from CISOs all the time — and the problem is only getting worse.

Added to this is the other massive challenge of an undersized cybersecurity workforce. Our own survey of Australian security leaders revealed that over 96% of employees in ANZ organisations are facing increased pressure to keep their organisation safe. 52% of surveyed Australians — and 48% of surveyed New Zealanders — say they are in constant firefighting mode, leading to greater anxiety. The immense remote worker mobilisation during COVID lockdowns also led to the acceleration of cloud-based services, widening the attack surface as threat actors became increasingly familiar with environments such as AWS, Azure and Google Cloud.

Nonetheless, the deeper PII challenge remains the prioritisation of revenue over cybersecurity. IT teams and developers are remarkably skilled at deploying infrastructure and developing code faster than ever. But this is also creating security blind spots that burden overstretched IT security teams and resources. It’s important to know what is malicious by analysing detection patterns unique to your environment in order to surface relevant events, reducing blind spots and noise.

Caring about protecting PII

Security breaches will continue to make headlines as hackers find new ways of exploiting critical assets inside an organisation. It’s widely understood that data is the new gold for malicious actors, and PII that is not publicly available is the ultimate jackpot. When left unsecured, sensitive PII such as tax records, employee payroll or insurance details can be exploited in a number of ways, including ransomware and phishing attempts for criminal financial gain. Organisations need to think like a hacker: to go beyond signatures and anomalies to understand attacker behaviour and zero in on attacker TTPs across the cyber kill chain. That’s why organisations like our customer Churches of Christ in Queensland are deploying more advanced data protection and threat detection capabilities, leveraging AI and machine learning to safeguard volumes of confidential information.

Ultimately, for security decision-makers today, it’s about focusing on what’s urgent by having a view of threats by severity and impact, which enables analysts to focus on responding to the most critical threats to reduce business risk.

So what can businesses do to protect their PII? Here are my top tips:

  1. Defending your organisation against PII breaches is a collective business responsibility — not just an IT concern. Ensure that employees are aware and sensitised to their responsibilities in protecting their own and the company’s data.
  2. Accept that a data breach is likely and attackers can gain access to systems, but make sure you can identify issues and act immediately. Adopting metrics such as mean time to detection and mean time to remediation can quickly provide the SOC insights, such as the security tools that may not be very responsive at the time of attack, and help redesign strategy.
  3. Look beyond data loss prevention solutions, as these don’t solve every cybersecurity issue. Adopt holistic security measures that provide visibility of the entire enterprise, including on-premises, SaaS, IaaS and PaaS, to ensure you can view lateral movement between environments and within toolsets.
  4. Use AI-driven Attack Signal Intelligence to prioritise real threats and not just simple anomaly detection. Intelligent threat detection technology helps cyber teams think like an attacker, going beyond signatures and anomalies to understand attacker behaviour and analyse detection patterns unique to your environment. AI-driven prioritisation also helps reduce alert noise, so security teams focus on threats by severity.
  5. Last but most important is the ability to respond within all these environments in the event of an attack. Detection is useless without response; ensure the business continuously works with cybersecurity teams so that the right skills are in place to prevent colossal damage.
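Tip 2 recommends mean time to detection and mean time to remediation as metrics that reveal which security tools are not responsive at the time of an attack. Computing them per detection source is what makes that visible. The following is an added example, not code from the article or from Vectra; the incident records are constructed, and the field names (first attacker activity established by forensics, first alert, containment, alerting source) are assumptions about what a ticketing or SIEM export would contain.

```python
"""Added example (not from the article): compute mean time to detect (MTTD)
and mean time to remediation (MTTR) from incident records, broken down by the
source that raised the first alert, so the SOC can see which detection sources
lag. The incident records below are constructed; in practice they would be
exported from the ticketing or SIEM system."""
from collections import defaultdict
from datetime import datetime

# Constructed incident records. Timestamps are ISO 8601 in a single timezone.
INCIDENTS = [
    {"id": "INC-1", "source": "ndr",
     "first_activity": "2022-10-01T02:00:00",   # earliest attacker action found in forensics
     "detected": "2022-10-01T02:30:00",         # first alert raised
     "contained": "2022-10-01T06:30:00"},       # attacker access removed
    {"id": "INC-2", "source": "ndr",
     "first_activity": "2022-10-02T10:00:00",
     "detected": "2022-10-02T11:30:00",
     "contained": "2022-10-02T13:30:00"},
    {"id": "INC-3", "source": "edr",
     "first_activity": "2022-10-03T00:00:00",
     "detected": "2022-10-04T00:00:00",
     "contained": "2022-10-04T12:00:00"},
    {"id": "INC-4", "source": "user_report",
     "first_activity": "2022-10-05T00:00:00",
     "detected": "2022-10-08T00:00:00",
     "contained": "2022-10-09T00:00:00"},
]

HOUR = 3600.0


def incident_durations(inc: dict) -> tuple:
    """Return (time_to_detect_hours, time_to_remediate_hours) for one incident.
    Rejects records whose timestamps are out of order, which usually means a
    data-entry error that would otherwise silently skew the averages."""
    first = datetime.fromisoformat(inc["first_activity"])
    detected = datetime.fromisoformat(inc["detected"])
    contained = datetime.fromisoformat(inc["contained"])
    if not first <= detected <= contained:
        raise ValueError(f"{inc['id']}: timestamps out of order")
    return ((detected - first).total_seconds() / HOUR,
            (contained - detected).total_seconds() / HOUR)


def mean_times(incidents: list) -> dict:
    """Return {source: (mttd_hours, mttr_hours, incident_count)}, plus an
    'all' entry covering every incident."""
    buckets = defaultdict(list)
    for inc in incidents:
        durations = incident_durations(inc)
        buckets[inc["source"]].append(durations)
        buckets["all"].append(durations)
    result = {}
    for source, rows in buckets.items():
        n = len(rows)
        result[source] = (sum(r[0] for r in rows) / n, sum(r[1] for r in rows) / n, n)
    return result


def lagging_sources(incidents: list, max_mttd_hours: float) -> list:
    """Detection sources whose MTTD exceeds the target, worst first."""
    stats = mean_times(incidents)
    slow = [(src, s[0]) for src, s in stats.items()
            if src != "all" and s[0] > max_mttd_hours]
    return [src for src, _ in sorted(slow, key=lambda item: -item[1])]


if __name__ == "__main__":
    for source, (mttd, mttr, n) in sorted(mean_times(INCIDENTS).items()):
        print(f"{source:12s} MTTD {mttd:6.1f}h  MTTR {mttr:6.1f}h  (n={n})")
    print("lagging sources (target MTTD 8h):", lagging_sources(INCIDENTS, 8.0))
```

The per-source breakdown is the point: an overall MTTD of roughly a day looks acceptable until the split shows that incidents first surfaced by a user report took days to detect, which is the kind of finding that should feed back into strategy.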
