In Australia, public sector spending on IT continues to grow, along with the danger of cyber attacks on government bodies. In September 2021, Gartner forecast that Australian government sector IT spending would exceed $15.5 billion in 2022, an increase of 8.8 percent from 2021. Gartner said the increase would be driven by key programs to “strengthen national cyber response”.
However, throwing money at a problem is not always the best solution. In the case of cyber security and incident response, it can be very difficult to find and retain the level of skilled resources needed to implement high-level protection and respond effectively to any successful breach. And the more tools you have, the more people you usually need to run them, and the more people the SOC needs to triage the ever-growing number of alerts.
And in the unfortunate event of a breach, these skills are often severely tested or non-existent. A successful attack on an organisation imposes a massive additional workload on staff and requires the use of tools and techniques they might struggle with or do not understand, due to infrequent use or the sheer breadth of security solutions that make up their cyber defences.
Also, it is well-known that organisations are in a continual arms race with cyber criminals, forever investing in new security measures to counter new and evolving attack techniques. Defences that offered adequate protection five years ago may be easily compromised today. Just because something has ML or AI doesn’t make it a silver bullet!
Recent attacks triggering a wake-up call
Ransomware is one of the most common types of cyber attack because it can be highly lucrative. The Australian Government is well-aware of the growing impact of ransomware, on government entities in particular.
In October 2021 it released a Ransomware Action Plan. In her foreword, Minister for Home Affairs, Karen Andrews, said: “Over the past 12 months, Australia has faced a 15 percent increase in ransomware attacks reported to the Australian Cyber Security Centre.”
The report outlined the capabilities and powers Australia would use to combat ransomware. As part of the plan, the Government created a multi-agency taskforce led by the Australian Federal Police, to mount Australia’s strongest response to the surging ransomware threat. The report also provided information on where victims could go for help.
The release of the report came after a string of significant ransomware attacks on public entities. One of the most high profile attacks hit the Bureau of Meteorology in 2015. It was only a year later that the Australian Signals Directorate released details, saying “CryptoLocker ransomware found on the network represented the most significant threat to the bureau's data retention and continuity of operations.”
In late 2019 the Council of the City of Onkaparinga in South Australia was paralysed by a 'Ryuk' ransomware attack. Recovery took three months.
In June 2020, Transport for NSW was hit with a ransomware attack, with IT systems taken offline to halt the spread of ransomware.
In March 2021 Eastern Health, which operates Box Hill, Maroondah, Healesville and Angliss hospitals, was similarly forced to shut down some of its IT systems following a ransomware attack.
Countering cyber security staff shortages with cyber resilience
The cyber security skills shortage isn't going away; in fact, it keeps getting bigger. So Australia's public sector must look for ways to reduce its dependence on human resources and make its infrastructure better able to resist disruption and continue operating. This is a culture of cyber resilience.
The Australian Cyber Security Centre defines cyber resilience as “The ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.”
Cyber resilience is an evolving approach rapidly gaining recognition. It brings together information security, business continuity and organisational resilience.
Resilient infrastructure can protect data and maintain business continuity in the face of an attack. It represents a significant step beyond the level of protection offered by traditional cyber security: it is adaptive and proactive, rather than reactive.
There are two key components required to build cyber resilience.
Organisations need real-time visibility into all areas of their IT: hardware, networks, operating systems and applications. After all, you can't protect what you don't know is there. With this real-time visibility, the chances of detecting and neutralising any threat that has breached perimeter defences are much greater.
It's time to swap out traditional endpoint detection and response (EDR) tools for true runtime protection. EDR (and now XDR) tools simply notify organisations of a breach after they've been compromised. By that stage it's already too late (that's like warning someone that an armed robber is present after they’ve already entered the building and stolen goods). Runtime protection, on the other hand, stops the attack in action before it can cause lasting damage, by understanding exactly how every application should behave and immediately thwarting unusual activity.
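To make the difference between "notify after the fact" and "block on deviation from known-good behaviour" concrete, here is a small added example (not code from the original article or from any vendor product it may have in mind). It learns a per-application behaviour baseline from constructed telemetry, then evaluates new events against it: an event that matches the baseline is allowed, one that does not is blocked in enforce mode or merely raised as an alert in audit mode. It also adds a simple write-burst rule, because a directory-level baseline alone would still allow a mass-encryption run inside a folder the application normally writes to. All application names, paths and hosts are constructed for illustration.

```python
"""Application behaviour baseline with enforce/audit modes (added example).

Telemetry below is constructed; the normalisation and thresholds are
deliberately simple so the mechanism is easy to follow.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath


@dataclass(frozen=True)
class Event:
    app: str     # image name of the process that performed the action
    kind: str    # "exec", "file_write" or "net_connect"
    target: str  # child process, file path, or host:port


def _normalise(kind: str, target: str) -> str:
    """Generalise a target so the baseline is not a list of exact strings.

    File writes are keyed on their parent directory, so a new file name in a
    folder the app already writes to still matches. Other kinds are kept as-is.
    """
    if kind == "file_write":
        is_windows = ":" in target[:2] or "\\" in target
        path = PureWindowsPath(target) if is_windows else PurePosixPath(target)
        return str(path.parent)
    return target


def build_baseline(events):
    """Per application, the set of (kind, normalised target) seen in training."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.app].add((e.kind, _normalise(e.kind, e.target)))
    return dict(baseline)


def evaluate(baseline, event: Event, mode: str = "enforce"):
    """Return (decision, reason). Deviations block in enforce, alert in audit."""
    known = baseline.get(event.app)
    if known is None:
        reason = f"unknown application {event.app}"
    elif (event.kind, _normalise(event.kind, event.target)) in known:
        return "allow", "matches baseline"
    else:
        reason = f"{event.kind} to {event.target} not in baseline for {event.app}"
    return ("block" if mode == "enforce" else "alert"), reason


def replay(baseline, events, mode: str = "enforce", write_burst: int = 5):
    """Evaluate events in order; also stop an app that writes too many files.

    The burst rule covers the case the baseline cannot: an application
    encrypting many files inside a directory it is allowed to write to.
    """
    writes = Counter()
    decisions = []
    for e in events:
        decision, reason = evaluate(baseline, e, mode)
        if e.kind == "file_write" and decision == "allow":
            writes[e.app] += 1
            if writes[e.app] > write_burst:
                decision = "block" if mode == "enforce" else "alert"
                reason = f"{e.app} exceeded {write_burst} file writes in this window"
        decisions.append((e, decision, reason))
    return decisions


def summarise(decisions) -> Counter:
    """Count decisions, e.g. Counter({'allow': 5, 'block': 5})."""
    return Counter(decision for _, decision, _ in decisions)


# Constructed baseline telemetry: what each application normally does.
BASELINE_EVENTS = [
    Event("word.exe", "file_write", "C:/Users/alice/Documents/report.docx"),
    Event("word.exe", "net_connect", "update.office.example:443"),
    Event("backup-agent", "file_write", "/var/backups/daily.tar"),
    Event("backup-agent", "net_connect", "backup.example.local:8443"),
    Event("backup-agent", "exec", "/bin/tar"),
]

# Constructed events resembling a ransomware-style deviation from normal use.
SUSPICIOUS_EVENTS = [
    Event("word.exe", "file_write", "C:/Users/alice/Documents/budget.xlsx"),  # allow
    Event("word.exe", "exec", "C:/Windows/System32/cmd.exe"),                 # block
    Event("word.exe", "net_connect", "203.0.113.7:4444"),                     # block
    Event("unknown-dropper", "file_write", "/tmp/x"),                         # block
] + [
    Event("word.exe", "file_write", f"C:/Users/alice/Documents/f{i}.docx.locked")
    for i in range(6)  # first four allowed, last two exceed the write burst
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for event, decision, reason in replay(baseline, SUSPICIOUS_EVENTS):
        print(f"{decision:5} {event.app:15} {event.kind:12} {reason}")
    print(summarise(replay(baseline, SUSPICIOUS_EVENTS)))
```

The audit mode is what makes the gradual rollout the article recommends practical: run the same baseline in audit mode first, review the alerts it would have blocked, tune the baseline and thresholds, and only then switch to enforce.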
It's important to know that cyber resilience isn’t built overnight – organisations should aim to gradually introduce new tools and techniques over time, to avoid disruption to operations or stalling digital transformation.