At the CLOUDSEC conference in Sydney this month, the threats to security enterprises and organisations now face was described in the strongest terms.
As Simon Piff, vice president of security practice at research firm IDC put it in his analyst keynote: “A state of war has been declared”.
Keeping systems and data safe has become a critical issue for every business, which are facing constant attacks that can be very familiar or never seen before.
“The bad guys are not playing by the rules,” Piff said. “This is a particular problem because security as a whole is too reactive and slow to adapt. We need to do a better job at protecting ourselves.”
The rise of the Internet of Things and cloud computing bring with them whole new vulnerabilities to worry about. Ransomware is growing at an alarming rate, especially in Australia. Data is not where it used to be, with applications operating outside the perimeter giving little visibility, and shadow IT is the new norm. And then there’s the lack of security talent both locally and globally. The ‘bad guys’ are arming themselves with new tools, and are targeting an ever-growing attack surface.
The security stakes are increasingly high, said Bob Flores, former CTO with the Central Intelligence Agency (CIA) in the US, and now managing partner for Cognitio Corp, in his talk on the security threats from a global perspective.
Citing the result of the recent Petya ransomware attack on pharmaceutical company Merck, which meant it had to halt the manufacture and distribution of a hepatitis vaccine, Flores said: "Ransomware is literally killing people. This is a big deal, we cannot ignore this."
As Dhanya Thakkar, vice president APAC & MMEA at Trend Micro said in his morning keynote, that makes a lot of CISOs and security professionals rightly feel like they are superheroes – The Avengers to be exact – having to “drive innovation and change with a focus on business outcomes, and at the same time carry immense pressure, as consequences of failure have increased,” he said.
“Does all that mean businesses are in a no-win situation?” asked Dhanya Thakkar, vice president APAC & MMEA at Trend Micro.
Far from it, he added, but beating the enemy does require a more nimble approach and the ability to change to the circumstance.
Focus on time to detect - and take advantage of an adaptive protection architecture, Thakkar suggested; explore application control; use machine learning and artificial intelligence to your benefit in the 'battle of algorithms'; remember that servers are not endpoints; and that threat prevention is now an integral part of network defence; share intelligence across security controls; and gain centralised visibility and control (without being overwhelmed with data and dashboards).
The increased threat was a huge opportunity for businesses and the Australian economy as a whole, said Craig Davies, CEO of the government backed Australian Cybersecurity Growth Network.
During his time at the network, Davies said the number of cyber security firms in Australia had grown from 15 to 120.
The organisation predicts that over the next 10 years, the size of Australia’s cyber security sector could potentially triple, reaching annual revenue of $6 billion by 2026 — up from $2 billion today. That effort would be helped if businesses were willing to give local firms a fair-go.
Security could also prove a competitive advantage with the right approach, discussed a panel of experts including Dr Sally Ernst, co-founder of the Australian Cyber Security Network; Angela Donohoe, CIO of BPAY Group; Geoff Tribble, emerging technology director at Auckland Transport; Katherine Robins, partner cyber risk advisory for Deloitte Australia; Peter Coroneos of Coroneos Cyber Intelligence; and Rob Livingstone of Livingstone Advisory.
The panel discussed a range of issues facing cyber security professionals including the upcoming Data Breach Notification Laws, which come into effect in February next year.
A question on the conference app survey asked: Which of the following best reflects your organisations position regarding the Notifiable Data Breach legislation?
Nearly a quarter (23 per cent) of attendees said they were impacted by the legislation and had implemented processes, while 33 per were still working on them.
The message from the panel to the 25 per cent who thought they were outside of the scope of the legislation and the 18 per cent who weren’t sure: check immediately and prepare your business as soon as possible.
Kate Healy, principal cyber security consultant at Aleron and Puneet Kukreja, national cyber leader of banking at Deloitte Australia took a deeper dive into the legislation, as well as the launch of General Data Protection Regulation in Europe, and discussed how cloud could help in achieving some of the new laws’ requirements.
Making a connection
Throughout the keynotes and break-out sessions – which included talks from the likes of Amazon AWS, Microsoft Azure, AusCERT, VMware, StorageCraft and Tech Mahindra – was a recurring message to the cyber security community to work together and collaborate.
That message was heard loud and clear by the 1,000 plus attendees, as they discussed strategy, networked with peers and partook in hands-on demonstrations of the latest security technologies on the solutions showcase.