When it comes to security, there is no finish line
Byline: Jim Cook, Regional ANZ Director, Malwarebytes
The introduction of the Notifiable Data Breaches Scheme (NDBS) in February 2018 focused the attention of Australian businesses on security. Since then more than 800 breaches have been reported, with the healthcare sector accounting for the largest share of them.
With this focus in mind, the business sector is asking what can be done to strengthen security and minimise the exposure of the organisation, and its customers, to threats such as malware, phishing and unauthorised cryptomining (cryptojacking).
The answer is that there’s a lot a company can do, and we’ll come to that shortly, but it’s also worth bearing in mind that when it comes to security, there is no finish line. With threats constantly evolving, we will not reach a point where the security problem is “fixed” entirely. Instead, businesses need to approach security as something that needs to be managed and constantly monitored, understanding that new challenges will always appear.
Businesses must adapt, and rethink the measures they are using to protect themselves. Australian companies are already spending more on security than in previous years: the average budget for a 2,500-person organisation rose to $462,000 in 2017, and a further increase of 19 per cent is anticipated in 2018. However, despite these positive steps, Australia still spends around 14 per cent less on security than the global average.
Clearly, Australia has some catching up to do.
So what can be done to improve a company's security posture? Given that the goalposts are always moving, and that boards are now paying attention to their company's security efforts, one of the most important steps a security team can take is to improve how it communicates with the rest of the business.
From the board room to the bullpen
Communication is important because the business and its management need to understand security threats, and the consequences of a breach, in language they can follow. It's all about the "why." This means creating clarity about the environment being defended, about the priorities of the business, and about how the work of the security team directly supports those priorities. In other words, it answers the questions of why security matters and what the ramifications of poor security are.
For security leaders, one of the most effective ways to gain that clarity on business issues is to take part in a peer network. Such a network offers insight into how other organisations are defending themselves, the issues they have faced and the techniques they have used to maintain a secure environment.
Employee education is another pillar of a company's security programme. Staff should understand what malware is and how it spreads, and how social engineering can induce people to hand over passwords and other credentials to attackers. Awareness reduces the number of successful phishing attempts, but it will not stop all of them, which is why it must sit alongside technical controls rather than replace them.
As well as giving staff the information and tools they need to stay across cyber threats, businesses should remember to seek external help to bolster their security measures. Smaller companies might consider hiring a security consultant, or outsourcing security so that their IT teams can get back to the business rather than monitoring day-to-day security concerns. The Australian government also supports a number of initiatives that connect small businesses with managed service providers (MSPs), who can help SMBs manage security threats without exhausting their internal resources.
Secure from all sides
The final step that companies can take to protect themselves is to deploy end-to-end security and endpoint protection. This software needs to cover desktops as well as the BYOD mobile phones and tablets that staff use every day on the corporate network and with corporate applications. Because of the rise of BYOD devices, the traditional network perimeter is no longer enough. Once we move beyond the standard corporate perimeter, an unprotected mobile device can easily be infected outside the office and then brought into the business environment, where it can compromise the wider ecosystem.
Android handsets in particular need protection: the latest Malwarebytes Cybercrime Tactics and Techniques (CTNT) report shows that in Asia Pacific, Android ransomware was the fastest-growing threat in the first quarter of 2018, rising by 1173 per cent compared with the final quarter of 2017.
The reality is that there is no finish line for security, and as long as businesses view security as a problem that can be solved once and for all, they will continue to leave themselves open to the next wave of evolving risk. A business's security efforts need to adapt constantly to match the threats it faces. With communication, education and the appropriate tools, an organisation can meet the threats it encounters, protecting both the business and its customers.