Good always triumphs over evil, or so we're told. The hero always slays the dragon. If that's the case, why have the criminal groups that prowl the dark web proven so successful in their attacks while the task of overcoming the threats seems insurmountable?
The answer is simple: they are well organised, and they communicate. They communicate to share or trade information and to improve tactics, to warn each other of suspicious activity, and to pool resources so they can work more efficiently. Amateur cyber criminals seek advice from more effective, experienced criminals.
This level of communication and collaboration allows them to develop new and more sophisticated ways to bypass security measures and exploit vulnerabilities.
As it stands, we are barely keeping pace with the complexities needed to combat cyber attacks, let alone outrun them. What we do know is that attacks continue to grow in size, scale, and sophistication.
So, as long as these communities of cyber criminals share and collaborate in an efficient way, we must adopt similar practices and collaborate more effectively to shore up our defences as part of a global community.
If we are going to make inroads against these criminals, we need to get better at sharing to establish a sense of trust. This means sharing information between governments, think tanks, organisations, and more about potential threats, vulnerabilities, and attacks - war stories - as well as the sharing of expertise, resources, and proven best practices.
The task is not small; however, it is doable. As a starting point, boards and management suites should ensure active input from the organisation's chief information security officer (CISO).
With predictions that 40 per cent of boards will have a dedicated cyber security committee by 2025, now is the time to examine the benefits of CISO visibility. It's more than just offering advice: CISOs can drive initiatives to address an organisation's risk posture, educate on emerging threats, and assist in the management of post-breach damage.
A 2022 board perspective report suggested Australia had the lowest level of CISO representation at the board level, while only 54 per cent of Australians were confident their boards understand the risks posed by cyber threats.
With cyber security clearly a concern needing action from the top down, organisations are better equipped to develop clear policies around security. Such policies are necessary within every organisation, no matter how large or small, and they should be simple.
The next step is to identify where the critically sensitive data is and what systems are in place to manage it. What are the security controls around those systems? Where is the greatest area of risk, and how well is it protected?
Fortunately, collaboration progress is being made - the Albanese government's recent announcement of a new national cyber office helmed by a co-ordinator for cyber security was an important step for a more holistic approach to cyber defence.
The 2023-2030 Australian Cyber Security Strategy also highlights an opportunity to bring together legal requirements and standards specific to cyber security across industry and government. With this strategy comes the potential for focus on building international cyber partnerships, a point reinforced in the Defence Strategic Review, released in April, which had a large focus on cyber.
An important aspect of this collaboration is education. Cyber security has become a top priority for organisations; however, much of that focus and responsibility has been placed solely on the shoulders of those in IT.
Make no mistake, every employee, regardless of their job title, is on the front line of protecting the organisation's sensitive information, data, and overall cyber safety. This becomes even more critical as workplace flexibility sees people continue to work remotely.
The threats are evolving as potential attack surfaces increase. The tactics are evolving too. We all need to be aware of the latest trends and threats. People then must be trained in the skills needed to identify weak cyber hygiene and to remain vigilant of the tactics used by attackers, like social engineering techniques or tricking employees into installing malware.
The time to do this is now, as organisations are increasingly required to comply with regulatory requirements with regard to cyber security.
Many industries are subject to specific regulations intended to mandate the protection of sensitive data, and failure to comply with these regulations can result in significant penalties and fines, not to mention the financial and reputational damage that can result from a cyber attack alone. By providing education and training to all employees, organisations can be one step closer to compliance as well as safety.
These dragons can be slain, but only if we work together as they do.
