There has been a national spike in the number of security incidents across Australia as we approach the halfway point of 2020.
At the same time, after years of progress on digital transformation projects and the recent surge in remote working, businesses are more reliant than ever on their technology systems.
Hackers are capitalising on this reliance and on the expanded digital footprint now available in their hunting grounds. The money being lost to organised crime is staggering. In Australia in 2019, the average cost of a breach to a mid-sized company (501-1000 employees) was AUD$2,183,546, according to the 2019 IBM Cost of a Data Breach report.
The 2020 Verizon DBIR found organised criminal groups behind 55% of breaches last year, with hacking featuring in 45% of breaches.
So how can we address this unrelenting wave of attacks? Defending company assets requires broad coverage, and the Loop cybersecurity model recommends balance across three key pillars:
- Active management of a security program;
- Continual focus on detecting and responding to threats; and
- Ongoing operation and regular testing of cybersecurity controls.
Looking at this last point, it is clear that the approach to defence testing in many companies has gaps. Time and time again, penetration tests are conducted against limited targets with limited scopes. Whilst these testing regimes are critical to solid cybersecurity hygiene, companies must expand their thinking if they are to build resilience against the attacks emanating from organised crime.
It is unwise to assume that a determined attacker will limit their scope when targeting a specific company; they are not bound by penetration testing 'rules of engagement'. If we are to properly understand their most likely avenues of attack, so that we can test our ability to defend, detect and respond, then we must think like a real-world attacker when we test our company defences.
Failing to do so leaves the organisation exposed to a significant risk of serious financial and reputational damage.
Companies must expand their thinking on annual testing regimes to incorporate simulated adversary exercises alongside the existing, and still necessary, penetration testing program. These exercises must simulate the type of adversary likely to target your company, so that your ability to defend against their tradecraft can be measured rather than assumed.
To learn about the range of simulated engagements recommended for your organisation, join our upcoming webinar Adversarial Simulation Testing: Effective Ways to Improve Company Cybersecurity Resiliency: