Modern Threats Need Modern Defences – Why We Need To Modernise Cybersecurity
Posted: Monday, Feb 26


With the benefit of hindsight, we can now look back at some of the cyber security missteps of 2023 to understand what we’re missing and how we can learn from our mistakes.

According to the ASD, the top three causes of cyber incidents in Australia in 2023 were email compromise, business email compromise fraud, and online banking fraud. From Verizon’s DBIR report, we can see that APAC’s top patterns observed in over 93% of breaches were social engineering, system intrusion, and basic web application attacks.

The costs of a breach are rising too. IBM’s Cost of a Data Breach report found that the cost of a data breach has gone up by 2.3%; however, it has gone up 15.3% in the last 3 years, or an average increase of 5.1%. Companies have passed on these costs to customers, with 57% increasing the price of their goods and services after a breach. And yet despite the increased risk and costs, it’s still taking organisations 277 days on average to identify and contain a data breach.

So overall, we see things didn’t get any better in 2023; if anything, they got slightly worse. Is it because organisations aren’t spending enough on cyber security? I don’t believe that’s the case. Gartner has shown that globally, organisations spent 14.2% more on cyber security than the previous year. Executives are no longer asking “Why do we need to spend money on cyber?” and are instead asking “How much money do you need to reduce our risk?” The support is there, and the money is there too.

So why is the number of breaches not reducing at the same rate we’re increasing our spending? Why is it still the basics like email compromise, web application attacks, and social engineering that are letting us down each year? It’s because our systems, users, data, and assets are much harder to reach and protect than ever before. The perimeter has expanded, our attack surface is far larger, and many of our existing technologies and security controls just cannot keep up. To address this, it’s time we modernise our security strategy.

Our security strategy must embrace and adapt to the modern technology world and threat landscape, and we must enable secure digital transformation.

 

What Does ‘Modernising Security’ Mean?

Modernising security means understanding and accepting that our organisations have evolved. In today’s world, data, users, and devices operate without the constraints of time or location. There’s a constant risk of attackers getting inside our SaaS, PaaS, IaaS, user endpoints, and on-premises systems at any moment, challenging the traditional idea of securing a fixed perimeter.

It’s crucial to recognise that technology initiatives are no longer limited to IT departments. Valuable data can be found outside of secure data centres, and sometimes in even less secure places. Unlike in the past, applications are no longer solely housed in data centres; they are spread out. Modern security should align with the goals of digital transformation, supporting progress instead of creating obstacles.

In summary, modernising security is about dealing with a much broader range of potential attacks and adapting to the fact that organisations now seek more freedom than ever in their operations. It’s about securing data, users, and technology in a world that’s constantly changing and interconnected far and wide.

Why Do We Need to Modernise?

A big reason for needing a more modern security strategy is that simply shutting down innovative business technologies or restricting access can backfire, turning security into a roadblock for business. This leads to the risk of losing a security team’s most important defensive weapon – which isn’t a tool or technology – it’s their power of influence within an organisation. In today’s world, where collaboration and innovation are key, being too strict with security measures can limit business growth, make it harder to implement controls, and slow down business cases to adapt to new cyber threats – which we can simply no longer afford.

On top of that, the bad guys have gotten smarter, and dealing with the complexity of old security methods is leaving organisations vulnerable. Complexity is security’s worst enemy (next to attackers, of course), because too many alerts, constant patching, and dealing with outdated technology make our security architecture confusing. This not only makes it harder to spot threats in a reasonable timeframe but also increases operational costs and reduces the ability to enact positive change. Studies show that sticking with overly complex security architectures can cost organisations around 31.6% more in the event of a data breach, adding up to a hefty $1.44 million burden.

Modernising cybersecurity strategies isn’t just about using the latest tech; it’s a strategic must-do. It’s about finding the right balance between encouraging innovation, keeping things running smoothly, and building robust defences against the ever-growing range of cyber threats. It’s a shift towards being proactive, flexible, and covering all the bases to handle the dynamic digital landscape in Australia, ensuring that organisations stay resilient against the constantly evolving world of cyber challenges. Essentially, it’s about being secure, adaptable, and seamless all at once.

The Ingredients of a Modern Security Strategy

So, what ingredients do we need in our recipe to cook up a modern security architecture and strategy?

  • Leading with an identity-driven access strategy: Whilst the heart of organisational cyber security used to be the network, today it’s identity. Due to the traditional perimeter dissolving, identity is the security control that sits in front of all our valuable assets. Organisations should ensure they have robust identity systems, centralised identities, consistent and adaptive access policies, and an identity-focused roadmap with dedicated resources to execute – because strong identity controls take time and need the right focus.
  • Addressing the expanded attack surface: The move to Cloud has spread our assets far and wide, and attackers find vulnerabilities and assets before we can. That’s why misconfiguration risk is at an all-time high. Organisations should look beyond waiting for the next penetration test to find the surprises and move into continuous asset discovery methods as well as automated monitoring and healing of misconfigurations.
  • Making security perimeter-less: Any security controls that only work effectively in certain places, such as policies and tools that require on-prem or VPN connectivity, need to be earmarked for retirement. Visibility, protection, and control across any user, device, or data should be the same, anywhere.
  • Enabling secure digital transformation: We must enable our business securely whilst also having empathy towards the business impact of cyber security controls and enabling secure digital transformation through fair and reasonable policies. How can we do this without the additional risk that usually brings? The answer is through in-depth context so that our systems and engineers can make the right decisions, at the right time, and based on the right context. We’re now seeing a trend towards security improving user experience rather than reducing or simply maintaining it, particularly around approaches such as Zero Trust.
  • Modern threats need modern defences: There have been some amazing technologies released in the last five to ten years that have certainly made our security teams’ lives easier. But we must never rest on our laurels. The pioneers in our industry will always remember a time when a problem looked ‘solved’ and then the attackers pivoted, and it came right back to bite us. Our tried-and-true security mechanisms are starting to be bypassed again, including MFA through AITM (Adversary-in-the-Middle) attacks, EDR (Endpoint Detection and Response) bypasses built into malware, or malicious emails getting through our secure gateways. We must take our security to the next level, practice defence in depth, and stay ahead of attackers. Remember that thinking “out of the box” only gets you so far.

 

There’s no doubt that the global shift in how we live and work represents challenges for many organisations’ cyber security teams, but it also represents enormous opportunities. We’ve seen controls that were previously difficult to implement, such as application control, network segmentation, external remote access, identity governance, and cloud workload security, become possible and far easier to implement than ever before. We see artificial intelligence adding real tangible value in our efforts to increase defences around risk scoring and create efficiencies in threat hunting, meaning cyber security teams can do more with less. To top it all off, we are seeing that security can make the user experience more seamless for an organisation with reduced cost and complexity, something near impossible in the past without added risk. The time is now to implement a modern, robust security architecture, because it is now within reach for any organisation of any size.

Lee Roebig
Lee is a cybersecurity professional with over 10 years of cyber security experience and a technology industry veteran with over 17 years of experience. He has built and led cyber security strategy, cultural change, security teams and end to end cyber security programs for complex and rapidly changing operating environments in large enterprises across the APAC region. Lee has a vast technical background and strong ability to strategically influence key stakeholders to achieve cyber security and risk based outcomes. Lee takes a pragmatic approach to security - focusing on the areas that matter most and building strong cyber security fundamentals that prioritise business risk reduction and future proof an organisation’s cyber resilience.