There’s a perfect cyber security storm happening. The Australian Cyber Security Centre (ACSC) recorded more than 13,500 reports of cyber attacks on Australian businesses and consumers in the three months from July to September this year. That’s about one report every 10 minutes, a number that’s no doubt significantly higher if we factor in the silent victims.
Meanwhile, there just aren’t enough infosecurity experts out there to defend against the continued proliferation of cyber crime. That’s pushed technology infrastructure and operations teams onto the front line.
Prepare for the worst
The industry has well and truly accepted the notion that it’s not about ‘if’ you’re hit, but ‘when’ you’re hit. Although it might sound daunting, that means ditching the idea of an impenetrable perimeter, and instead preparing your organisation to properly manage the consequences once a breach does occur.
The good news is that in the last few years organisations have increased information security budgets, driven by the attention attacks are generating and compounded by the reporting obligations introduced by the NDB scheme, GDPR, and similar initiatives. In fact, security spend reached $3.5 billion in 2018, a figure Gartner predicts will jump almost 10 per cent to $3.9bn this year.
So where should this money go? Ultimately, it should form part of a robust, multi-faceted program in which the continuity of business-critical infrastructure is maintained when the worst occurs.
Plugging a sinking ship
Ships are built so they can continue to sail despite damage sustained in a storm or otherwise. There’s an inherent resilience incorporated into the design to ensure the vessel can reach its destination while damaged, and protect the people aboard along the way. Cars protect their cargo in similar ways, with crumple zones that absorb the force of a collision to limit the impact on passengers.
This type of resilience can be replicated in the cyber security strategies of Australian companies, and it comes down to passive survivability. When you consider that the ACSC identifies email compromise and ransomware among the top issues reported by businesses, it is critical to establish an infrastructure that can bounce back from an attack you simply can’t stop.
After all, there’s no longer a limited frontier to protect. With the number of cloud services and mobile and Internet of Things (IoT) devices continuing to surge, not only is the potential range of threat vectors expanded, but so too is the volume of data that can be attacked. According to IDC, the world will be creating 175 zettabytes of data every year by 2025, widening the scope for potential vulnerabilities.
Passive survivability gives you a defensible infrastructure to hold the fort, so to speak. While it’s not going to replace security controls or your security program, it is the safety net that keeps the business upright when it all goes wrong.
So where do you start?
Prioritising is paramount
First things first: your infosecurity team and your infrastructure and operations team need to meet. All too often, this only happens after a breach has already occurred, instantly putting those personnel on the back foot. To get ahead of the criminals, the people who keep the systems running must rank the importance of processes and workloads, because the fact is that not everything in your business is priority number one.
You need to understand what the most important process is for your business, what applications support it, and build the infrastructure around that.
The next step in the process is being able to bounce back really quickly. Can you rely on your backup? Unless you’re protecting it, it’s going to be hit next. Examine the existing architecture and implement compartmentalisation and isolation of the backup infrastructure, along with immutability of the backup data. Ensure the backup administrator accounts use unique credentials, so that a compromised domain administrator account does not also hand over the backups. Can you bootstrap critical infrastructure such as AD, DNS, and time servers? How fast? What we’re talking about is a mass assembly-line process: live mounting large numbers of machines, for example, to establish the application dependency chains needed. Does your backup let you instantly recover?
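The ranking and dependency-chain exercise described above can be turned into a concrete restore plan. The following is an added example, not code from the original article or from any product it alludes to: it models ranked business processes, the applications that support them, and the infrastructure they depend on (time, DNS, AD), then computes a restore order that respects dependencies while bringing the most critical process back first, and groups the result into waves that can be live-mounted in parallel. All process, application and service names are constructed sample data; the `priority` numbers are an assumed convention where 1 is most critical.

```python
"""Recovery-order planner (added illustration; names and data are constructed).

Captures the article's advice: rank business processes, map them to the
applications that support them, record the infrastructure chain (NTP, DNS,
AD, databases) that must be bootstrapped first, and derive a restore plan.
"""
import heapq
from collections import defaultdict

# Constructed sample: business processes ranked by priority (1 = most
# critical, an assumed convention) and the applications supporting each.
PROCESSES = {
    "order-fulfilment": {"priority": 1, "apps": ["erp", "web-shop"]},
    "payroll": {"priority": 2, "apps": ["hr-system"]},
    "marketing-analytics": {"priority": 3, "apps": ["analytics"]},
}

# Constructed sample dependency graph: service -> services it needs up first.
DEPENDENCIES = {
    "ntp": [],
    "dns": ["ntp"],
    "ad": ["dns", "ntp"],
    "db": ["ad"],
    "erp": ["db", "ad"],
    "web-shop": ["erp", "dns"],
    "hr-system": ["db", "ad"],
    "analytics": ["db"],
}


def service_priorities(processes, dependencies):
    """Give every service the best (lowest) priority of any business process
    that relies on it, directly or transitively, so shared infrastructure
    such as AD inherits the urgency of the most critical process above it.
    Services reached by no process get a priority worse than any process."""
    worst = max(p["priority"] for p in processes.values()) + 1
    prio = {svc: worst for svc in dependencies}
    for proc in processes.values():
        stack = list(proc["apps"])
        while stack:
            svc = stack.pop()
            if svc not in prio:
                raise KeyError(f"service missing from dependency map: {svc}")
            if proc["priority"] < prio[svc]:
                prio[svc] = proc["priority"]
                stack.extend(dependencies[svc])  # propagate downwards
    return prio


def recovery_order(processes=PROCESSES, dependencies=DEPENDENCIES):
    """Kahn's topological sort driven by a priority heap: among the services
    whose dependencies are already restored, restore the one supporting the
    most critical process next. Raises ValueError if the graph has a cycle,
    which means the plan cannot be bootstrapped as written."""
    prio = service_priorities(processes, dependencies)
    remaining = {svc: len(deps) for svc, deps in dependencies.items()}
    dependents = defaultdict(list)
    for svc, deps in dependencies.items():
        for dep in deps:
            if dep not in dependencies:
                raise KeyError(f"dependency missing from map: {dep}")
            dependents[dep].append(svc)
    ready = [(prio[s], s) for s, n in remaining.items() if n == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, svc = heapq.heappop(ready)
        order.append(svc)
        for child in dependents[svc]:
            remaining[child] -= 1
            if remaining[child] == 0:
                heapq.heappush(ready, (prio[child], child))
    if len(order) != len(dependencies):
        stuck = sorted(s for s, n in remaining.items() if n > 0)
        raise ValueError(f"dependency cycle; cannot restore: {stuck}")
    return order


def recovery_waves(processes=PROCESSES, dependencies=DEPENDENCIES):
    """Group the restore order into waves: a service's wave is one past the
    latest wave of any dependency, so everything in one wave can be
    live-mounted in parallel once the previous wave is up."""
    order = recovery_order(processes, dependencies)
    prio = service_priorities(processes, dependencies)
    level = {}
    for svc in order:  # dependencies always precede svc in a valid order
        level[svc] = 1 + max((level[d] for d in dependencies[svc]), default=-1)
    waves = defaultdict(list)
    for svc, lvl in level.items():
        waves[lvl].append(svc)
    return [sorted(waves[i], key=lambda s: (prio[s], s))
            for i in range(max(level.values()) + 1)]


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves()):
        print(f"wave {i}: {', '.join(wave)}")
```

The value of running this before an incident is the argument it forces: if the only route back to the order-fulfilment process passes through AD, then AD, DNS and the time source are priority one whether or not anyone labelled them that way, and the wave grouping shows how much parallel live-mount capacity the recovery actually needs.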
Brace for the breach
When considering how to protect ourselves from a cyber attack, we should follow the same logic as we do with other vital and valuable assets. Just as we protect our bodies by following the widespread advice that prevention is more effective than treatment (or so we should), protecting our businesses from cyber attack should be something we are thinking about long before an attack actually takes place.
At the same time, we must not be naïve enough to think a security infrastructure – no matter how expensive or how many bells and whistles are built in – is immune. By combining passive survivability with attack identification, remediation and instant recovery, what we have is a safety net to effectively manage the impact of threats and attacks. Up-front preparation will have an amplified effect when it comes to saving the team time and resources, and ultimately preventing an incident from escalating into a catastrophe.