Will the threat landscape continue to evolve in 2023 and beyond?
Michael Warnock, Commercial Director at Daltrey, returns to the podcast to share his insights on the most recent cybersecurity breaches and describes what decision-makers should focus on in the year to come.
What are your observations of the current threat landscape?
There’s been a dramatic shift in the last two-and-a-half years throughout COVID, with a rapid move to work from anywhere, anytime, on any device – that changed the landscape. So for CISOs, how they needed to defend their organisation was turned on its head overnight.
Identity, or the virtual front door as I describe it, is ultimately where organisations need to start on the Zero Trust journey. So the major change straight away was: “How do we defend the new way of working and people using any device – how do we secure that?” The other factor is the changing landscape in Australia. On a geopolitical level, we have definitely seen ourselves becoming more of a target for international adversaries.
So there’s an aggressive risk element out there. From Daltrey’s perspective, that presents us with a great opportunity to bring up a modernised approach to the way enterprises and government are defending their critical assets.
In the last few weeks, we’ve seen cyber breaches against Uber, American Airlines, the GTA 6 development leak from Rockstar, and then obviously right on our doorstep is the Optus hack. Was this level of high-profile breaches always an inevitability, or is it something more unique to the current landscape in the very immediate term?
It’s a wake-up call to these organisations to ensure they’ve got the policies, the practices and the people ready to deal with these situations. Unfortunately, as we’re seeing in some of those examples, the basics haven’t been adhered to. The bad guys are really clever at finding out who’s got weak cyber defences. Whether it be for ransomware monetisation or simply to take capabilities off the air, they’ll always go after those weak assets.
So for me it’s absolutely a wake-up call, an inevitability of the digitalisation of business. And it comes back to that post-COVID way of working. The way businesses are operating is highly digitalised, so without modern, robust cyber-defences in place, the weak underbellies are being found out.
Unfortunately, we’re still seeing in many of those situations that the root cause is weak usernames and passwords, stolen credentials through phishing attacks, et cetera. Once somebody’s into the organisation, they are able to create new profiles, move laterally across the business and wreak havoc.
It’s also important to identify that there is no such thing as an impenetrable wall. You can’t defend against every cyber risk. No one has an infinite cyber-defence budget, so you have to be quite selective. But again, what I’m seeing in a number of these attacks is that the basics just haven’t been adopted and the bad guys get very good at working out who to attack.
Looking ahead to 2023, I think it’s fair to say the landscape will continue to be threatening. How do you see things changing? Or is it more about organisations recognising that it’s time to commit a real budget to cybersecurity in a meaningful way?
The attack vectors are not going to diminish in any way. They’re only going to increase if there’s money to be made. People will go chasing that money.
In 2023, I see a continued increase in ransomware-style attacks, as well as further digitalisation of products and services driven through the need to operate in a post-COVID world. We’ll continue to provide the bad guys with a platform where they can find weak points of entry.
On the flip side, customers, staff and sub-contractors are now operating in a way where they can work from anywhere, so they also want to have the flexibility to be able to access what they need, when they need it in order to get their jobs done. That adds another challenge – this notion of securing the organisation. But you’ve also got to ensure that access and authentication remain frictionless.
There’s going to be a continued increase in cyberattacks. That means organisations have to ensure the right investments, policies and procedures are in place. They must have the ability to recognise an attack, and the capability to respond and remediate.
The adoption of technology is an important aspect as well. You’ve got to make sure that if you do put a different control in place, you’re able to take the user on the journey. As we know, if they don’t adopt the technology, they find ways to go around it, which ultimately diminishes your return on investment.
Finally, Australia in particular will continue to play a role in the geopolitical landscape. I remember a few years ago I was speaking at a Law Institute event in Tasmania and somebody said, “Why would a bad guy come after us? We’re a long way from anywhere else in the world.” Geography is not a defence. That’s really important for organisations to understand, particularly here in Australia. We are a connected world.
Who does the responsibility sit with for this type of risk? You and I both understand that a lot of it lies with the CISO, but we’re hearing more of the CRO pop up in conversations around cybersecurity. What’s your perspective on that?
In the last couple of years I’ve seen the compliance and regulatory obligations of the market really step up. An example would be notifiable data breach reporting.
There’s ultimately a fiduciary responsibility on management – the board and the executives of the organisation – to step up and enhance the security controls. I’m pretty confident if you look into companies listed on the ASX200, many of them will have cybersecurity risk registers in place, and they will be reviewed every month by the board. Ultimately, that risk register falls under the owner of risks – the risk manager.
The risk management side of cyber is definitely a significant change. Yes, the traditional forms of protection come from the CIO, but the role of the risk team is to ensure mitigation and defence strategies are in place, and remediation and rectification strategies are solid.
Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.