The World Economic Forum recently pointed out that cyberattacks rank first among global human-caused risks and this year, it’s expected cybercrime will cost the world US $11.4 million each minute. Let that sink in for one moment.
It’s no wonder cybersecurity has emerged as one of the hottest topics for Australian boardrooms – especially in the context of accelerated digitisation and prolific cybercriminal activity driven by Covid-19.
At the same time, geo-political pressures on Australia to adopt internationally recognised cybersecurity standards and build safer critical infrastructure are growing.
More investment in cybersecurity is clearly needed. Yet, no matter what we do, the statistics keep showing more successful attacks, more data breaches, and more system compromises.
What are we missing?
To quote the line so often attributed to Albert Einstein, "the definition of insanity is doing the same thing over and over again and expecting different results."
For years we’ve been adding more security layers on top of each other, and on top of systems not organically designed to be secure, in the hope that one day we’ll reduce our vulnerabilities. Yet, the issue gets bigger each day.
Those security layers, while needed, only help us keep up with the rising complexity of the threat landscape, not get on top – or ahead – of it.
Something else needs to be done to drive a different outcome. It won’t happen overnight, but it is critical we change what we’re doing, as well as our overall cybersecurity thinking.
Are we repeating the same mistakes over again?
As a nation we understand the importance of ramping up cybersecurity; however, on the whole, we still have a relatively passive posture towards it.
What we've done so far is much like car safety before the late 1960s: investing resources in making driving safer by insisting people pass driving tests, fining drivers for bad behaviour, and adding road speed limits, stop signs, and traffic lights.
When it comes to cyber, we’ve continuously focused on user awareness, user access control, traffic monitoring, protecting endpoint devices, data networks and computing infrastructure.
While those have their place, just as driver training and licensing still play a role in road safety today, they do not shift the cyber-incident needle materially. Governments, organisations and people are still having more fatal accidents – in a cyber sense.
In the same way car safety needed to go deeper in the late 1960s, so too does our cybersecurity approach.
Embedded safety learnings from the EH Holden days
Auto industry lessons from the past may teach us how to fundamentally improve safety and remove the roadblocks from our current ineffective cybersecurity approach.
Prior to the 1970s, road fatalities rose in step with the number of cars registered. This was despite safety features being available on many vehicles as premium options, mandatory licensing of drivers, and investment in better road signage and infrastructure – very similar to what we're seeing in cybersecurity today.
Then something changed. Car ownership exploded in Australia – a large part of it driven by the EH Holden which would become one of the most successful cars Holden ever built – very much like today’s accelerated digitisation of our economy.
In just a few years nearly every family owned a car (Holden produced 256,959 EH models in roughly 18 months), the road toll rose in proportion, and it became apparent a change was needed to improve auto safety.
It took years, but government and manufacturers finally realised that safety needed to be embedded into every car if they were to reduce the community cost and reputational damage of car related deaths.
From the late 1960s until today, we’ve seen both the legislative and industrial embedding of safety features into the vehicles themselves.
It started with mandates on the likes of seat belts, collapsible steering columns, and airbags, and later manufacturers proactively embedded advanced safety features such as electronic stability control (ESC), adaptive cruise control, and anti-collision systems (manufacturers came to realise it was good for business).
This took much of the safety burden out of the hands of drivers, and away from road conditions, and built it into the vehicle itself.
Embedded security lessons for cyber
We need a new approach that doesn’t expect every person who attends cybersecurity awareness training to be the cybersecurity equivalent of Lewis Hamilton.
Often when it comes to digital systems, it’s the data itself we are trying to protect from accidental or deliberate damage to its confidentiality, integrity or availability.
Some data-dependent organisations today – very (very) few though – have recognised the need for embedding security and have invested in digital systems that are fundamentally different in their approach. These systems codify security into the data and the business process itself, using data encryption, anonymisation, and access controls that hold regardless of which user or which piece of infrastructure is handling the data. They no longer rely solely on user behaviour or on the computing infrastructure being uncompromised.
If we want to protect our digital economy we need to stop thinking of cybersecurity as a user problem, or as something that can be fixed through infrastructure. We need to start embedding it in digital business processes and systems.
Just as the EH Holden had the potential to be much safer, all the tools for embedding safety into digital systems and data platforms already exist – the missing piece is the realisation, and the will, by industry and government to re-think and re-frame our cybersecurity strategy: it's time to embed, not add on.
Brian Grant is ANZ Director for Digital Security at Thales