2022-12-20
It shouldn't have taken the theft of almost a third of the nation's private data for Australian enterprises to realise traditional cyber security strategies have left the emperor with no clothes.
But it has, and here we are.
As millions of Australians worry about their identity being stolen or their bank accounts being emptied, it's clear that resilience is a real issue for Australian enterprises. Recently, more than 120 Australian cyber security leaders were surveyed and 96 per cent reported they were concerned they wouldn't be able to maintain business continuity if they were breached in the next year.
That's an alarming statistic and it's worth exploring how we got to this point and where we go from here.
Digital Maginot Line
For years, the accepted wisdom in enterprise cyber security has been to pursue a strategy of risk minimisation. Essentially, this boils down to implementing a "fortress mentality" of building the biggest digital walls to try and make the business completely impervious to cyberattacks.
Unfortunately, this strategy - as we've seen multiple times in recent weeks - is doomed to fail. All those perimeter security investments serve as a digital Maginot Line. They might minimise the risk of a cyberattack occurring, but that risk will never be zero.
Herein lies another problem with this approach. How do you measure the percentage risk reduction with each new brick in the wall?
With so much confidence invested in perimeter defences, little thought has been given to what happens once an attacker gets past the business's boundary.
This is where the fortress mentality truly collapses.
Trust nothing, verify always
Although it is important to protect the perimeter, it is equally important to protect the data inside the organisation. Data is always the ultimate goal of an attacker. They don't breach your defences for the thrill of it, they do it to gain access to your data.
And what do they do once they've gained access? In the case of ransomware, which the ACSC rates as the most destructive form of cyberattack, there are two main end games: encryption or exfiltration.
In the encryption variety, the attacker locks up critical data, taking the business offline until a ransom is paid or the victim is able to recover from backups or data copies.
In the exfiltration version, which is what we've seen recently, hackers steal sensitive information and extort the victim with the threat of that information being publicly leaked.
Traditional cyber security strategies neglect to address the impact of an attack in both these scenarios. The impact isn't the breach itself, it's what happens to data once the attackers are in.
This is why a new approach is needed. Zero Trust Data Security principles bring security to the point of data and, in doing so, significantly reduce the impact of even the most sophisticated attacks.
The first step in this approach is accepting, despite the cliché, that it is a matter of when not if a business will be breached. Once this mindset has been accepted, the way sensitive data is protected changes drastically.
Using the encryption model of ransomware as an example, Zero Trust Data Security principles would see the organisation implement air-gapped and immutable data copies of all their sensitive data. Then, when data is encrypted, business resilience is assured as operations can be rapidly recovered from a save point prior to infection. Rather than take days, weeks, or months to restore the business, this could be achieved in hours.
Applying Zero Trust principles to the exfiltration scenario, through sensitive data discovery, can also greatly reduce an attack's impact. There are multiple elements to this, and they need to be in place before the breach occurs. The first is answering two questions: "what data do I hold?" and "where do I hold it?"
Emperor's new clothes
Many of the current breaches we're seeing are so catastrophic because these two critical questions couldn't be answered. How can you possibly protect sensitive data if you don't know where or what it is?
Once you can answer these questions, you can apply the appropriate security level to each category of data according to the organisation's risk appetite. Rather than an attacker gaining access to driver's licences, passports, credit card numbers and medical histories, they might only reach information that is otherwise available in the Yellow Pages or other public sources.
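As an added illustration of the "what do I hold and where" step (example code written for this piece, not from the original article or any product it describes), the following Python scans a constructed set of files for two sensitive-data types and assigns each file a protection tier. Payment card candidates are only counted when they pass the Luhn checksum, which keeps order numbers and other digit runs out of the "restricted" bucket; the inventory records counts per detector, never the matched values. The file contents, tier names and detector set are all assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "files" (path -> content). Invented for this example; no real data.
SAMPLE_FILES = {
    "hr/payroll_export.csv": (
        "name,email,card\n"
        "Ada Lovelace,ada@example.com,4539 1488 0343 6467\n"
    ),
    "sales/orders.txt": "order 1234 5678 9012 3456 shipped to warehouse 3\n",
    "support/tickets.log": "2022-12-01 user bob@example.com reported a login issue\n",
    "marketing/press_release.txt": "Our new Sydney office opens next month.\n",
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13 to 19 digits, optionally separated by spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(candidate: str) -> bool:
    """True if the digits in `candidate` pass the Luhn checksum. Filters out
    order numbers and other digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# detector name -> (pattern, validator, tier). Tiers are assumed: 3 restricted, 2 confidential.
DETECTORS = {
    "payment_card": (PAN_RE, luhn_ok, 3),
    "email": (EMAIL_RE, lambda s: True, 2),
}
TIER_NAMES = {0: "public", 2: "confidential", 3: "restricted"}


@dataclass
class Finding:
    path: str
    tier: str
    hits: dict = field(default_factory=dict)   # detector name -> count only


def scan(files: dict) -> dict:
    """Answer 'what data do I hold and where': map each path to the highest
    tier any detector triggered, plus a count per detector."""
    inventory = {}
    for path, text in files.items():
        hits, tier = {}, 0
        for name, (regex, validate, level) in DETECTORS.items():
            n = sum(1 for m in regex.finditer(text) if validate(m.group(0)))
            if n:
                hits[name] = n
                tier = max(tier, level)
        inventory[path] = Finding(path, TIER_NAMES[tier], hits)
    return inventory


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES).values():
        print(f"{finding.tier:12} {finding.path:30} {finding.hits}")
```

In a real deployment the detector list grows (identity document numbers, health identifiers, API keys) and the scanner walks file shares, mailboxes and databases rather than an in-memory dict, but the output shape stays the same: a per-location tier that the protection policy can key off.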
Crucially for boards and business leaders, an organisation's cyber resilience can be measured.
For example, you can run test scenarios in which critical data becomes encrypted and record the time it takes to recover. That recovery time, measured against the organisation's Recovery Time Objective, becomes a metric that can be reported to and shared with auditors, insurance providers or regulators.
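To make the recovery drill concrete, here is an added Python example (not from the original article or any vendor's tooling) that ties together the immutable save points described in the encryption scenario and the timed recovery test described just above. A write-once store holds hashed save points; the drill picks the newest copy taken before the detected infection time, verifies its hash, restores the live copy and compares elapsed time with the RTO. It also reports the gap between the chosen save point and the infection, which goes slightly beyond the text (that gap is the data-loss window, the figure a Recovery Point Objective governs). The timestamps, RTO, record contents and the way the live copy is "lost" are all constructed for the example.

```python
import hashlib
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SavePoint:
    """One immutable backup copy: payload plus the hash recorded when it was taken."""
    taken_at: float
    sha256: str
    payload: bytes


class ImmutableStore:
    """Write-once save points: a copy can be added or read, never altered or deleted."""

    def __init__(self):
        self._points = []

    def snapshot(self, data: bytes, taken_at: float) -> SavePoint:
        sp = SavePoint(taken_at, hashlib.sha256(data).hexdigest(), bytes(data))
        self._points.append(sp)
        return sp

    def latest_clean(self, infected_at: float) -> SavePoint:
        """Newest save point taken strictly before the detected infection time,
        so a copy made after the event is never used for recovery."""
        candidates = [p for p in self._points if p.taken_at < infected_at]
        if not candidates:
            raise LookupError("no save point predates the infection")
        return max(candidates, key=lambda p: p.taken_at)


def verify(sp: SavePoint) -> bool:
    """Integrity check: the payload must still match the hash taken at snapshot time."""
    return hashlib.sha256(sp.payload).hexdigest() == sp.sha256


def recovery_drill(store: ImmutableStore, live: dict, infected_at: float,
                   rto_seconds: float) -> dict:
    """Restore `live` from the newest pre-infection save point and time it
    against the Recovery Time Objective. Returns the figures a board report needs."""
    start = time.perf_counter()
    sp = store.latest_clean(infected_at)
    if not verify(sp):
        raise RuntimeError("save point failed integrity check")
    live["data"] = sp.payload
    elapsed = time.perf_counter() - start
    return {
        "restored_from": sp.taken_at,
        "recovery_seconds": elapsed,
        "rto_seconds": rto_seconds,
        "within_rto": elapsed <= rto_seconds,
        "data_loss_window_seconds": infected_at - sp.taken_at,
    }


def run_drill() -> dict:
    """Constructed scenario: hourly save points at t=0 and t=3600, the live copy
    lost at t=5400 (standing in for an encryption event), and a post-infection
    copy at t=7200 that must be ignored. RTO assumed to be four hours."""
    store = ImmutableStore()
    original = b"customer_id,name\n1,Ada\n2,Bob\n"
    store.snapshot(original, taken_at=0.0)
    store.snapshot(original, taken_at=3600.0)
    live = {"data": original}
    live["data"] = b"\x00" * len(original)          # simulated loss of the live copy
    store.snapshot(live["data"], taken_at=7200.0)   # copy taken after infection
    report = recovery_drill(store, live, infected_at=5400.0, rto_seconds=4 * 3600)
    report["restored_intact"] = live["data"] == original
    return report


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key:26} {value}")
```

The in-memory restore finishes in microseconds; in a real drill the timer wraps the actual restore from the air-gapped copy, and the same report fields (recovery time, RTO, pass/fail, data-loss window) are what get handed to auditors and insurers.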
Alternatively, if you can answer the where and what questions when it comes to sensitive data and implement the appropriate security policies before a breach, you can be confident that an otherwise catastrophic data event will only be a minor inconvenience and well within your organisation's acceptable risk tolerance threshold. This all boils down to business resilience. When an attacker breaches the network, will you have confidence in your ability to recover, or will you continue admiring the emperor's new clothes?
