Not too long ago, cyber security was an afterthought, a software installation that was often left to expire, or run in the background only to pop up at inconvenient times.
But recent high-profile attacks – and the very real-world consequences that come with them – have demanded the attention of everyone from large enterprise CEOs to small business owners, and the cybersecurity industry has capitalised on the opportunity.
In Australia, 80% of CEOs rate cyber security as a top investment priority and place it amongst the top five risk areas for their business, according to the latest KPMG CEO Outlook survey.
However, ResponSight founder and CEO Jeff Paine believes investment shouldn’t be the only way companies think about combating cybersecurity threats, especially when criminals now rely more on manipulating human behaviour than breaking through security systems.
ResponSight’s technology uses behavioural analytics to detect changes in user behaviour that could signal the system is compromised. If behaviour suddenly becomes anomalous, it could indicate malware or an attacker.
Paine said this turns the focus to the user’s relationship with technology, rather than relying on software to find a “needle in a needle stack”.
“The old idea of security was like castles and moats. You build really strong walls and then the bad guys won’t get in and we’ll be able to protect everything inside the castle, and that’s great. It used to work really well,” Paine said.
“But over time, attacks increased in volume and it became harder to identify friend from foe.
“The bad guys were simply faster than the good guys and the technologies couldn’t keep pace with the bad guys’ ability to adapt.”
Paine said that regardless of scale or sophistication, cyberattacks are always motivated by one of two things: “there’s the commercially motivated attacker or the disruptive, hacktivist style attacker”.
While it’s estimated that cybercrime costs the Australian economy up to $1 billion annually, this doesn’t mean the targets are always large enterprises.
“In Australia, there’s still a bit of complacency and naivety about even the idea that [small businesses] will get attacked, because they think ‘we’re only small compared to the global market, so we’ll never get attacked.’ But attackers don’t actually think like that.
“They’re just targets on the internet that are easy to find weaknesses in and only after the breach has occurred do they figure out how to leverage it for either disruptive gain or commercial gain.”
Business Council of Australia CEO Jennifer Westacott says organisations large and small face cyber risks, and that our supply chains “are only as strong as the weakest link”.
“For that reason, developing cyber security capabilities and skills will be one of the defining characteristics of Australia’s ability to stay strong in an increasingly digitised world,” she says.
Don’t think about cybersecurity as a ‘tech problem’
Paine said that, as well as user error, common issues include poorly secured networks and poor detection of attacks – risks that can be mitigated by changing the mindset that cybersecurity is a “tech problem”.
“Security’s become a daily problem and it shouldn’t be. It should be built in. It should be the way organisations think about governance, managing risk and mitigating issues,” he said.
While many small businesses may be wary of the costs of cybersecurity, Paine said there are many things smaller businesses can do to avoid becoming an easy target, which will be even more important when Australia’s impending mandatory data breach notification law comes into play.
It is critical to understand where your attack points are going to be. This could mean employee training, the types of hardware or software you use or how you store customer data.
Businesses shouldn’t think of cybersecurity as a set-and-forget function, but as a consistent element of governance and risk management activities that can scale up as the business grows, and they should be proactive in dealing with potential threats online.
“Security and risk don’t bolt on very well. They do need to be thought about as part of the design, whether it’s a platform business, a cloud business or even a physical product business,” Paine said.