As published on CSO.com.au
Survey shows strong focus on business risk, but technological controls are also needed to stop external attackers who use internal credentials with impunity
Security professionals need to stop thinking about cybersecurity threats as being internally or externally focused and understand that the two forms of attack are intrinsically related, a cybersecurity expert has advised in the wake of survey findings suggesting Australian executives see internal threats as the biggest perceived threat to information security.
A recent straw poll, conducted by security consultancy Content Security amongst attendees at AISA’s recent Australian Cyber Conference 2018, found that 29 percent of respondents believe internal threats will be the biggest attack threat through the end of 2019.
That was well ahead of those concerned about privileged account exploitation (20 percent), ransomware (18 percent), and zero-day threats (17 percent) – but CEO and co-founder Louis Abdilla warned that categorising the threats risks glossing over the interconnectedness of those threats.
“In today’s security landscape, the distinction between inside and outside cyber threat no longer matters,” he explained.
“This is because attackers are actively seeking to pose as legitimate insiders. They do this by stealing and exploiting privileged accounts – the same credentials used to manage and run an organisation’s IT infrastructure.”
The survey also queried attendees on their proposed plans for security investments, with 52 percent of businesses saying they would spend at least $500,000 on cybersecurity and breach prevention next year.
Fully 28 percent named SIEM and security operations centres (SOCs) as the most critical technology investment over the next 12 months, with multi-factor authentication (23 percent) and vulnerability management (21 percent) also showing strongly.
And while this level of investment confirmed that businesses are investing in cybersecurity protections as a business priority, fully 45 percent said they were aligning their compliance efforts to either ISO 27001 or NIST risk-management frameworks; by contrast, just 1 in 10 said they were following the guidelines of the Australian Signals Directorate’s Essential Eight strategies, which are more technically prescriptive.
The increasing prevalence of business-focused strategy frameworks has been reflected in a push to deliver more, and more comprehensive, privacy frameworks that position data management and privacy as a business risk rather than an esoteric IT issue.
The new notifiable data breach (NDB) scheme and EU general data protection regulation (GDPR) have this year tightened reporting requirements around data breaches, no doubt influencing the investment in risk-focused security platforms.
The coming year will lend further weight to growing privacy obligations, with tighter new privacy regulations in California adding to the chorus of pro-privacy voices.
New obligations, such as the Australian Prudential Regulation Authority (APRA) push to make boards responsible for an organisation’s information security, will add further pressure to this trend.
However, Abdilla warns, the blurring distinction between internal and external compromises means the right balance is not to focus exclusively on business risk or technological controls, but a bit of both as appropriate for the environment.
“With more Australian organisations looking to increase their maturity, security frameworks and standards provide a foundation to develop a strong cyber security strategy,” Abdilla said. “Ultimately, we should always encourage good security habits and train employees on best practices and how to spot common attacks.”
Automate Your Cyber Defences Webinar
Cybersecurity struggles to keep up as attacks continue to disrupt business. Spending on security feels endless, without clear risk reduction; operations teams and analysts are overburdened; and security tools that weren’t designed for automation require analysts to manually stitch together insights from many disconnected sources before acting. Join our webinar session and learn how you can prevent successful cyberattacks through automation