Given the pace of change, scale of digitalisation and evolution of sophisticated new cyber threats, it’s no longer a matter of ‘if’ but ‘when’ an attack will strike.
According to Gartner, cyber security was the number one priority in A/NZ when it came to CIOs’ investment plans during 2022.
However, whether customers are fully equipped to deal with the aftermath remains up for debate. While some Australian customers are attempting to mitigate an attack’s impact on business operations, many still are not.
Dell Technologies A/NZ senior manager of data protection and cyber resilience sales, Andrew Hood, shared one of the biggest challenges customers face is lack of knowledge.
“That is, until the inevitable day that they face a cyber-attack of their own and must deal with the consequences,” Hood said.
For instance, a customer had anticipated their IT challenges but were not expecting the high personal costs that a recovery operation put on employees.
“Some of their team had very little sleep in the days directly after their attack and were facing burnout by the end of the week,” Hood said. “This is where the value that we as an industry, vendors and partners, bring to our customers. We need to share our learning with customers and help them prepare.”
Legacy applications and outdated infrastructure that don’t have the same cyber protections as newer counterparts, are creating vulnerabilities within a customer’s environment but also can be some of the hardest services to restore once compromised.
In the event of a cyber attack customers need to have a plan on how they can restore their business operations as quickly as possible, Hood advised.
“We believe the only way to be prepared is by having a clean, air-gapped and immutable copy of their data from which they can restore from,” Hood said. “Having confidence in your ability to be able to restore and being able to prove it, will help with cyber regulations and lower Insurance premiums.”
In addition to legacy apps, Thomas Peer CEO Udara Dharmadasa pointed to a few challenges for businesses as they cyber resilience in the form of multi cloud and outsourced ‘as-a-service’ environments.
“Cyber will become a necessity rather than a value add and customers will expect cyber to be considered in every conversation,” he said.
As Data#3 account executive Gerard McDonald pointed out many IT managers from smaller businesses were struggling to afford security coverage when trying to handle it in-house.
“Many are looking to leverage third party managed SOC and Manage Detection Response (MDR) services to get the 24x7 coverage and cost effective access to the right tools and platforms,” he said.
Added to this is the disconnection between risk and compliance, Loop Secure CEO Patrick Butler added.
“Until business leaders can quantify and understand where and what the actual risk is to them, most businesses look to generic compliance standards and ask their IT and security teams to align to and implement these,” Butler said.
“But these compliance standards can only get you so far, and without top-down business led cybersecurity risk management the issue companies face is that they will often be allocating cybersecurity spend in the wrong areas, or not providing enough resources to adequately manage their risk within tolerable thresholds.”
This leads to many breaches that are witnessed in the market because organisations have not adequately understood where they are at risk, even among organisations who are compliant with cybersecurity standards, Butler explained.
“This places them on the back foot when it comes to responding to a breach. These organisations are not prepared due to the lack of focus on their risk areas, allowing risk to be realised in the form of a breach,” he said.
“And when it comes to resilience to breaches, proper risk management will work towards trying to eliminate the chance of breaches, but also importantly create an environment whereby if a breach does occur the layered controls limit the scope of the damage and allow the business to identify and recover from it faster thereby also limiting the potential for extended damage and impact.”
Compliance risk and insurance
At the same time, customers are forced to deal with ever-changing compliance regulations that have caused wide-ranging implications for data ownership and cyber security insurance.
As a result, it has become critical for partners to proactively safeguard themselves and their customers against a damaging attack that renders data unrecoverable.
Furthermore, Data#3’s McDonald highlighted some of the challenges with implementing a cyber resilience strategy for customers revolved around costs associated with reporting to and complying with policies set by organisations such as Cyber NSW.
One area McDonald pointed out where managed service providers can create a point of difference in the market related to the use of on-shore resources and platforms to meet sovereignty rules.
Understanding that compliance is often a toolbox of controls to be selected and applied based on the way businesses use technology and their unique risks, is a course to navigate.
Trying to apply all cybersecurity controls to a business without context can prove to be very difficult, costly and will often restrict the business and garner workarounds from the business leading to unknown risk, Butler pointed out.
Additionally, the challenge with cyber insurance is that it is a rapidly changing environment.
“We are seeing large insurers exit the cyber insurance market altogether due to the increasing costs of breaches, and those insurers that continue to provide coverage are themselves undertaking risk assessments on their client prior to offering coverage,” Butler said.
“If you lose customers due to a breach then the insurance at best is only going to cover a limited time period, with the longer-term damage and loss of profits left as a risk you can’t insure against."
Following proper business-led risk management will reduce the need to call on an insurer in the first place and assists in demonstrating to insurers that you understand and have adequately managed your risk resulting in lower premiums.
In the case of a breach, a resilience plan will limit the scope and breadth of the breach and reduce the risk of coverage not being provided due to complex policy exclusions being triggered.
Olympus Technology Services director Paulo Mpliokas highlighted cyber liability insurance was an “evolving beast to keep on top of policies, wording, what’s included and excluded can be challenging.”
The global skills shortage combined with normalisation of remote work means that A/NZ companies are now competing on a global scale for talent.
As Bulter said, solving the cybersecurity challenge requires great people, not just technology.
Continuing skills shortages across all areas of cybersecurity mean that businesses will find it increasingly costly and challenging to implement adequate cybersecurity risk management and the subsequent security controls stemming from these programs.
This will lead to further reliance on building partnerships with security firms that are able to attract and retain this limited talent
“We need to help our customers by offering them more cyber resilience services for them to consume from us. Services such as Cyber Consulting Services, Managed Services, and Cyber Vault Hosting services, so that if they can’t find security professionals of their own, they can at least feel secure that their critical data is in the hands of trusted security professionals at all times,” Hood said.
As Blazeclan managing partner Amit Bassi put it, the A/NZ market is quite federated when it comes to managing cyber resilience and preparedness to address impact.
“Enterprises are well prepared to deal with the unwanted situations like ransomware attacks by leveraging external partners to manage and resolve situations. Some enterprises though have over-engineered cyber security which has a huge impact on the organisation’s agility,” Bassi said.
“SMBs have invested in the definition of policies and procedures but lack awareness and constant compliance leaving them vulnerable to cyberattacks.”
The challenge is SMB’s perception that policies are enough and cyber initiatives are only a one-time investment.
“It’s time to uplift maturity across governance, controls and operations. The statement of applicability and risk management will be key for every organisation," Bassi said.
Dell Technologies Hood concluded cyber security services will evolve across consumption models.
“Instead of having to learn and do everything themselves, customers will have options on how they would like to consume cyber security capabilities,” Hood said. “They will be able to build security protections and cyber vaults of their own on premise or have them built in the cloud, either with the public cloud providers or by local cloud service providers.”
For Olympus Technology Services director Paulo Mpliokas their experience aligns with assuring clients they have a partner they can trust with the requisite skills to manage a cyber situation and provide support in the event of an attack. “For us its about ensuring that cyber security and resilience isn’t a separate product or service of offering,” he said. “It’s built into each and every engagement and service that we offer to our clients. "