For the Sake of its Cybersecurity, Australia Must Come Together

Originally published by CXO REvolutionaries.

Written by Heng Mok, CISO APJ, Zscaler.

The pandemic has exacerbated existing security problems

As the cybersecurity threatscape continues to become more complex and challenging, the media have primarily focused on the struggles faced by businesses. But COVID-19 responses also had the unintended consequence of slowing the rate of incoming professional talent, including security talent, as borders were closed to impede the virus’ spread.

Australia, where I live, is an excellent case in point. Not until late 2021 did Australia’s borders fully reopen, and even now, immigration officials face a tsunami of an estimated million visa applications. This means that, just as Australian organisations have had to confront a broad range of new security difficulties, they’ve also had to cope with a shortfall of security talent with which to respond.

The predictable outcome is that Australia has, in recent months, become a major target for cybercriminals, leading to several high-profile breaches. Examples since only September include:

• Australian telecommunications giant Optus, the number two player in the country’s telecom space, lost control over the personal data of an estimated 10 million customers (more than a third of the national population) in a ransomware cyber-attack.
• Australia’s largest health insurance underwriter, Medibank, similarly reported all of its 14 million customer accounts had been accessed (more than half the national population) in a breach.
• ForceNet, an Australian defence e-communications platform, was hit with yet another ransomware attack, the full consequences of which have yet to be assessed and quantified.

And these instances are far from isolated; Australia’s Cyber Security Centre (ACSC) reports that year-over-year statistics reflect a dramatic increase in both attacks and losses. Specifically, ransomware incidents climbed by a whopping 75% annually, overall breaches by 13%, financial losses from compromised business e-mail to AU $98 million, and other cybercrime losses to 14% overall.

The ACSC characterises the quality of the attacks as advanced: “Evidence suggests that exploitation was conducted by multiple actors, including state-sponsored and criminal entities, much of which was likely automated. Sophisticated actors sought to access user login data, with the likely intent to gain more persistent access once the compromise was remediated.”

To stem the tide of financial and data loss, the Australian government has responded by introducing stricter penalties for compromised companies, up to AU $50 million in some cases. "When Australians are asked to hand over their personal data," the Australian attorney general's office said in a statement, "they have a right to expect it will be protected."

In essence, the federal government has opted to respond with a stick rather than a carrot while organisations are asked to fend for themselves with fewer resources.

Bolstering security through a collective defence mindset

This introduces an obvious question: How can nations facing this double challenge of escalating cybercrime and a pandemic-driven security talent shortfall best respond?

Superficially, it might seem that you can’t improve security without hiring new security professionals, and you can’t hire new professionals when it’s challenging to bring talent into the country. Fortunately, there are compelling alternatives to direct security hires for bolstering security on a holistic level. None is a complete substitute, but necessity requires we explore some such strategies.

First, the security community should embrace an ideology of collective defence in Australia and beyond. Today’s enterprises are global, and they should respond to the threat of cybercrime like it. Private businesses and governments are not in competition to be more secure. They both benefit from making it so. As such, they should engage in information sharing, community building, standard development, and any other practice that helps protect citizens and customers from cyber threats.

In addition to a collective defence mindset, companies in a position to fine-tune their operating model to reduce risk should consider targeted strategic sourcing as an option to ensure gaps in security services are managed. Every tool and partner needs to be put under the lens of a strategic partnership, control effectiveness, and a collective mindset.

Consider zero trust architectures (ZTA), for example. Broadly defined, ZTA is a digital architecture in which access privileges are never assumed, but instead actively interrogated at every request for access based on all available context. All entities, whether machines or end users, must prove they are who they say they are before any type of network transaction occurs, such as viewing database records, copying or deleting files, or executing applications.

Properly implemented, ZTA can deliver significant improvements in end-to-end security while reducing complexities introduced by point solutions and inefficient network setups. It has the power to limit the blast radius of any breaches that do occur, shielding organisations from some of the most painful consequences of an attack.

By choosing a security partner already well versed in all the relevant complexities, organisations can achieve a best-in-class ZTA in relatively short order. And they can do that without having to staff up, dramatically increase security training, or worry about how effective the strategy will continue to be in the future.

Australia would benefit from taking both a more collaborative and more modern approach to the twin threats of rising cybercrime and shrinking resources. By fostering cooperation between leading businesses, governmental organisations, and the experts who’ve developed leading security solutions and best practices, society as a whole will make more progress toward its goals than any penalty could prompt.

Cyber is a team sport and, as a nation, we must work together to solve security challenges – efficiently and comprehensively – before cybercriminals can do more significant damage.