It has been a big year for security, with outbreaks like the WannaCry ransomware, NotPetya malware, as well as the Equifax hack dominating headlines around the world and causing a stir in boardrooms.
While awareness of the importance of security among decision makers has never been higher, the Telstra Security Report 2018 found that businesses are still having difficulty addressing today’s security challenges and effectively preparing for the future.
During a recent interview, Neil Campbell, Telstra’s Director of Global Security Solutions, spoke about the state of security in 2018, the Telstra Security Report’s key findings and what Australian businesses can expect in the year ahead.
Prompted by what can only be described as a turbulent year in security, this year’s Security Report was Telstra’s most comprehensive, surveying more than 1,250 security professionals in 13 countries. What were its key findings?
Neil Campbell: The most interesting finding in our Security Report this year was that 60 percent of respondents had suffered a business-interrupting security incident in the last 12 months, and that is quite significant because when you think about a business interruption, that means lost wages, lost productivity and lost opportunity.
Not many businesses can sustain an interruption for multiple days without a huge impact on their viability.
Additionally, 77 percent of respondents suspected that they had an incident in the last 12 months but could not prove it. This speaks to the difficulty Australian businesses are experiencing in rapidly identifying threats, and then being able to resolve incidents in a timely manner. We expect these two core challenges to continue through the coming year, as attacks increase in sophistication.
What are the major attack types targeting Australian businesses and how can they keep their data secure?
Neil Campbell: In 2017, Business Email Compromise (BEC) and other phishing attacks, together with ransomware, were the most common threats to Australian businesses.
We are also seeing, more and more, that it is also about the loss of the data that businesses hold. Not just data about the business, so things like intellectual property, but in particular data about their customers, which is now under greater scrutiny through new legislation such as the European Union’s General Data Protection Regulation (GDPR) and Australia’s Notifiable Data Breaches (NDB) scheme.
The first, crucial step to protecting this data is simply understanding where it is. As businesses move more of their data into the cloud, they cannot think in terms of the old castle paradigm anymore: “If it is on the inside of my network it is safe, if it is on the outside it is not safe”.
Now that their data and their customers’ data are stored in multiple places, both on premises and off premises, they have to adapt their thinking about data security, they have to adapt the controls that they use, and they have to get a lot better at having those security controls follow the data to wherever it is needed.
It can be very difficult for a company to work out where the critical information it needs to protect is, and therefore difficult to allocate the resources to do so, and I see this being an ongoing challenge.
In a world of increasingly sophisticated attacks targeting non-technical staff, how can businesses best promote organisational security awareness?
Neil Campbell: Cybersecurity is an ever-evolving field. New attacks are created, new defences must be created to counter them. One trend that remains consistent is the exploitation of people. When we think about the two major findings from the Telstra Security Report, they were the rise of business email compromise and the rise of ransomware.
Both of those attacks rely on tricking people into clicking on links. We will see that grow over the following years, because as technology gets better and better, criminals will rely more and more on individuals and their security awareness as a form of attack.
One thing you can do in your organisation to help with this is make sure that you have a strong security education program that addresses both physical and cybersecurity, and also run cybersecurity drills and run tests. Do not single out individuals, but look for major change in security culture over time.
How will new legislation, such as the GDPR and NDB, change the way businesses think about security in the coming year?
Neil Campbell: The NDB amendment to the Privacy Act requires that businesses report both to the affected customers and to the Privacy Commissioner on any situation where they believe that a person’s information has been accessed unlawfully by a third party. The General Data Protection Regulation imposes even broader requirements.
That is significant because previously it was up to the organisation as to whether or not they communicated a data breach. Now it is law, and what that means is we will see a marked increase in media announcements of hacking incidents and of access to personally identifiable information, which will bring with it a lot more consternation, I think, in the community. This means a lot more inspection, but most beneficially a lot more rigour in the way that organisations protect personally identifiable information.
In addition to the actual protection of data, this new legislation will require companies to spend more time dealing with compliance, whether it is new policies and procedures or increasingly complex reporting requirements.
Over the next year, businesses should try and find overlaps in reporting to make it more efficient.
Another key trend identified in the Security Report is the ongoing convergence of cyber and electronic security. Why are these two fields converging and what are the benefits for businesses that embrace the converged approach?
Neil Campbell: Security convergence is an interesting topic. What we are talking about is bringing together the traditional physical security world – alarms, door access and CCTV – with the cybersecurity world, and those two disciplines grew up in very different ways over very different time frames. What we are seeing in the market is a trend toward bringing those two disciplines together so that you can get a much better visibility across your entire security estate.
There is a huge enthusiasm in Australia for security convergence. One reason is cost effectiveness, and the other reason is that one and one equals three in this case – bringing together what were disparate disciplines means that you get a total view of security which creates a much greater level of visibility for the organisation.
So, for instance, if somebody attempts to log on to an account in a building in Melbourne, we would be able to check and see if that person had entered that building. It is that kind of use case that is driving convergence.
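The building-access use case Campbell describes, written out as an added example that is not part of the original interview and is not Telstra's code: a handful of constructed badge-reader and logon log lines, a small parser, and a check that flags any logon made from a building the account holder has not badged into (or has already badged out of). The log format, user names, building codes and host names are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs for the example (not real data): physical badge
# events and account logon events, each as "timestamp kind key=value ...".
BADGE_LOG = """\
2018-03-05T08:02:11 badge_in  user=alice building=MEL-01
2018-03-05T08:15:40 badge_in  user=bob   building=SYD-02
2018-03-05T17:31:09 badge_out user=alice building=MEL-01
"""

LOGON_LOG = """\
2018-03-05T09:10:03 logon user=alice building=MEL-01 host=MEL-WS-017 result=success
2018-03-05T09:12:55 logon user=bob   building=MEL-01 host=MEL-WS-021 result=success
2018-03-05T18:05:22 logon user=alice building=MEL-01 host=MEL-WS-017 result=failure
2018-03-05T10:00:00 logon user=carol building=SYD-02 host=SYD-WS-004 result=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_log(text: str) -> list[Event]:
    """Parse the assumed 'timestamp kind key=value ...' format into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, kind, rest = line.split(maxsplit=2)
        events.append(Event(datetime.fromisoformat(ts_str), kind, dict(KV_RE.findall(rest))))
    return events


def build_presence(badge_events: list[Event]) -> dict:
    """Turn badge_in/badge_out pairs into presence windows per (user, building).

    A badge_in with no matching badge_out stays open (leave time None), so a
    person still in the building is treated as present.
    """
    presence: dict = {}
    for ev in sorted(badge_events, key=lambda e: e.ts):
        key = (ev.fields["user"], ev.fields["building"])
        spans = presence.setdefault(key, [])
        if ev.kind == "badge_in":
            spans.append([ev.ts, None])
        elif ev.kind == "badge_out" and spans and spans[-1][1] is None:
            spans[-1][1] = ev.ts
    return presence


def was_present(presence: dict, user: str, building: str, at: datetime) -> bool:
    """True if the user had badged into the building and not yet badged out at time `at`."""
    for enter, leave in presence.get((user, building), []):
        if enter <= at and (leave is None or at <= leave):
            return True
    return False


def find_anomalous_logons(badge_text: str, logon_text: str) -> list[dict]:
    """Correlate logon events against badge presence; return the ones with no physical presence."""
    presence = build_presence(parse_log(badge_text))
    findings = []
    for ev in parse_log(logon_text):
        if ev.kind != "logon":
            continue
        user, building = ev.fields["user"], ev.fields["building"]
        if was_present(presence, user, building, ev.ts):
            continue
        reason = (
            "no badge record for this user in this building"
            if (user, building) not in presence
            else "logon outside the user's badged-in window"
        )
        findings.append({
            "ts": ev.ts.isoformat(), "user": user, "building": building,
            "host": ev.fields.get("host"), "result": ev.fields.get("result"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_anomalous_logons(BADGE_LOG, LOGON_LOG):
        print(f"{f['ts']} {f['user']}@{f['building']} ({f['host']}, {f['result']}): {f['reason']}")
```

On the constructed data this flags three events: bob logging on in MEL-01 while his only badge record is in SYD-02, alice's failed logon in MEL-01 after she badged out, and carol's logon with no badge record at all. The successful logon by alice during her badged-in window is left alone, which is the point of convergence in the answer above: the physical record turns an ordinary-looking logon into something that can be checked.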
The emergence of Internet of Things (IoT) has been one of the key stories in security over the last few years. How can organisations adopting these devices ensure that they are not a security liability?
Neil Campbell: One of the challenges with IoT devices is that the firmware they are shipped with is often the firmware they have for life. So, whatever vulnerabilities are present, and whatever vulnerabilities are subsequently discovered, they are vulnerable to them for the life of the device. In the world of cybersecurity, we are used to dealing with that and we patch regularly.
In the world of IoT, we are not so sophisticated yet, but we will get there.
This article was prepared and originally published by Telstra IN:SIGHT, an online publication delivering business leaders the trends, opinion and analysis that enables them to thrive through technology. For more articles like this, visit insight.telstra.com