The data you’ve worked hard to secure is facing more threats than ever, and for more reasons than you realise, according to new research from CyberArk. An end-to-end, secure by design regime is the best possible defence.
When it comes to connecting with business partners, Australia is showing the rest of the world how it’s done. The data you’ve worked hard to secure is facing more threats than ever, and for more reasons than you realise, according to new research from CyberArk. An end-to-end, secure by design regime is the best possible defence.
Our famous early adopter mentality – as well as the physical isolation that’s seen us more willing than most to connect with customers and allies across the globe – has made Australia one of the top three multicloud users in the world, with 93 percent of companies planning to use at least three clouds in the coming year.
A quarter of Aussie companies surveyed said they used or are using over 100 Software as a Service (SaaS) providers a number set to hit 75 percent in the next 12months.
This is despite the fact that 55% of respondents saying that they are concerned that managing data in the cloud is more complex than in on-premises environments, as outlined in a CyberArk whitepaper: Identity Security and Cloud Compliance.
But with cyberattacks taking advantage of vulnerabilities where data is moved or shared, we’re also at more risk than ever, with Australia now the second most breached nation on Earth.
How did we get here, and what can we do?
Losing visibility
The first problem is losing sight of your data. While you’ve done your best to ensure systems are secure, and you know partners observe the strict protocols in place for their access, what about their partners, and those companies’ partners in turn? With nearly nine out of 10 Australian organisations reporting identity related breaches stemming from third parties, and eight in 10 in relation to the supply chain – where security might not be so robust – it is clear this is where attackers are targeting your information.
What’s more, Thomas Fikentscher, who heads up identity security provider CyberArk in Australia and New Zealand, says one of the biggest concerns from his customers is the lack of visibility as more software, systems and technologies connect.
“There’s a growing landscape of identities,” he says. “And not just those set up for humans. We also have this massively growing machine to machine connectivity. Across both, the biggest risk is from standing access. A device or individual needs access to a system or for maintenance, for example, and that access never gets revoked. Adversaries know and exploit that.”
And the more partners you connect with and the more identities there are, the more entry points there are. Fikentscher has worked with companies that realise they have tens of thousands of devices connected, with no idea how old or secure they are or how they communicate with other parts of the business.
DigitalX
Digital transformation is the other most likely cause of a breach.
Fikentscher also talks about the situation facing many energy companies today. Traditionally they’ve managed their operational technology, data and teams in highly segregated data siloes. Digitisation introduces the need for information exchange gateways so that data from operational systems can seamlessly flow into a corporate service environment for applications like predictive maintenance.
The other major issue is the sheer number of internet-facing devices connecting. “Some are hard to manage,” Fikentscher says, “We don’t know how some of them behave and some have no security elements built in. It’s very hard to get control of that landscape.”
He also recently worked with a pharmaceutical company that connects directly with doctors and specialists. With the increase in e-health frameworks, he flagged the need for those providers to open their systems to patients, so suddenly, one organisation has potential threat exposure to hundreds of doctors and thousands of patients.
Another major threat vector arises because many digitisation projects call for new software products, which means developers needing to spin cloud and SaaS services up or down to design and test applications, all with what’s essentially admin access, which Fikentscher says is why many breaches start at the software deployment stage.
This approach also appears to be true in companies looking to embrace the AI age, where Large Language Models (LLMs) are being created and connecting to cloud services to access training data in vast numbers, many of them with sensitive or privileged access. Fikentscher has concerns that organisations are naively rushing into AI-centric projects in their race to realise value, rather than prioritising security and building it in by design.
Letter of the law
Because of the nature, cost and disruption of breaches, governments everywhere are writing legislation mandating data security. Australia is no different, especially given its ambition to be the most secure nation in the world by 2030. It’s an approach that’s having impact according to the CyberArk research.
“In highly regulated industries, agencies like ASIC and APHRA take it very seriously and companies are acting accordingly. Infrastructure industries like energy and health are starting to do so because of risk management programmes they must fulfil.
“Outside that, in manufacturing or retail, it’s less the case. Legislation is working, but is it always being enforced? The problem holding us back is complacency in some executive teams and a lack of knowledge in boardrooms.”