Six cyber security predictions for 2021
Cyber-attacks by criminal and foreign entities have now become a real and present threat, capable of endangering the survival of organisations in Australia. 2020 saw major cyber-attacks and breaches affect Australian companies and governments – magnified by the impacts of COVID-19 on business IT systems.
- Growing cyber-risk appetite culture
Current approaches to assessing and reporting cyber risk and exposure are manual, dated and based on technology-based controls, measurements and metrics. These do little to help management understand the effectiveness of deployed cyber controls and which cyber controls contribute more than others to reducing certain cyber risk exposures. As such, they don’t help decision-makers understand the true level of cyber risk exposure.
Globally, boards are now looking to executive teams to provide better visibility of incidents through enriched, risk driven reporting. With growing investment in cyber security and accountability placed on boards and executives, managers are looking to implement Cyber Risk Appetite programs and reporting that identifies critical systems and data. The aim is to demonstrate the effectiveness of controls in place to protect and reduce risk, as well as identifying when an organisation is operating outside its risk tolerance. This will help leaders ensure they are focusing their resources on the areas of biggest “bang-for-buck”.
- Cyber-confidence a priority
The antidote for attacks is Cyber Confidence: embracing security as a business enabler to build customer trust. This means building operational resilience – and getting the basics right: patching critical systems, access management, policy hardening, and updating anti-virus software.
Many organisations have already invested in enterprise cyber controls, but 2021 will see the movement towards assurance of cyber resilience. More mature businesses will deploy technologies like AI and machine learning to build real-time continuous visibility into the effectiveness of cyber defences and controls.
The perennial issues of identity management and third-party security will continue to play an important role. The accelerated trend to the cloud and digital transformation means that organisations will need to carefully decide which critical applications can and can’t move.
- Stricter regulatory scrutiny
2021 will bring a reckoning for cyber and the way organisations deal with it. Regulators have already acted: APRA has brought in Prudential Standard CPS 234, and issued guidance that the financial services industry needs to do more.
To date APRA hasn’t been prescriptive on the security it wishes to see, apart from the CPG 234 guide. This will change with a set of “non-negotiable cyber practices”. APRA has advised that starting next year, it will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board.
The Reserve Bank of Australia has also released the CORIE framework, based on a UK regulatory framework that emphasises the requirements for banks to be cyber-resilient.
There will be increased focus and scrutiny on protecting Australia’s critical infrastructure, with increasing demands and new government powers to direct owners and operators to provide regular cyber reporting and to carry out specified interventions in response to a cyber security incident. In certain circumstances the government will be able to intervene directly.
- Scrutiny of third-party security
Cracks are emerging in traditional approaches to third-party security. Increasing complexity and integration within digital systems has exposed a variety of limitations, such as inconsistent standards and varied approaches to control evaluation. Australian businesses are suffering from third-party risk assessment fatigue, which will result in a move towards automation through Governance, Risk and Compliance (GRC) and Third-Party Risk Management (TPRM) platforms.
Regulators will become increasingly stringent in their approach to overseeing third-party security programs. Supply chain resiliency, the strength of the second-line challenge capability and assurance over the quality of evidence provided by third parties will be among the key areas of focus. Organisations are also rethinking how they share security information with clients, keeping better track of which clients have access to what data outside their environments.
- Rampaging ransomware
Ransomware continues to be one of the fastest growing threats facing Australian businesses. For organisations in today’s hyper-connected, digitally enabled world, cybersecurity attacks are no longer a question of “if”, but “when”. During the past 12 months there has been an escalation in the use of ransomware in sophisticated, targeted attacks, not only against small and medium businesses but also against major Australian organisations and governments.
The disruptions caused by COVID-19, together with the weaker system security introduced by the rapid adoption of solutions to enable remote working, mean companies are even more at risk of a cyber security incident. Ransomware will continue to rise as a key attack vector in 2021, with major Australian businesses and government agencies impacted.
- Operational resilience
The disruptions and volatility of the past year have increased awareness of the need for operational resilience. Organisations need to be able to effectively manage a major incident or crisis, such as a protracted outage, asset loss, or cyber-attack. This means having a plan to respond to a crisis, including how to integrate with third parties (such as suppliers and industry bodies) to manage shared issues.
Organisations need to be able to adapt and respond rapidly to fast-changing circumstances, including adverse situations. They will need assurance that suppliers can maintain their business through major shocks, as well as an understanding of how customers will respond to supply issues. Will they wait for service to resume, or go elsewhere?
As cyber threats increase, every organisation’s leadership, mental toughness, tolerance of additional demands and community support must be equipped to deal with a major incident.