Designing for risk is becoming increasingly vital in digital transformation, yet Australian businesses don’t feel that their systems are prepared for a major security threat.

As organisations have accelerated digital transformations in response to COVID-19, they are also facing an ever-increasing array of cyber threats. Recent research suggests that Australian businesses are not confident about their preparedness for cyber threats, as a major research study has revealed that only 29% of respondents felt highly prepared for an IT security threat, while 36% said they had complete transparency around risk vulnerability in cybersecurity.

The critical challenges highlighted by the Fortinet Networking and Cybersecurity Adoption Index research study show that while technology is critical for helping businesses to transform and increase their preparedness for a rapidly changing business landscape, the weak link for many is in the processes that are used to manage the evolving nature of cyber risks.

The findings echo similar findings from a 2021 Thales Data Threat Report, in which only 20% of respondents indicated that their security infrastructure was very prepared to deal with them.

Why? Existing infrastructure had to pivot dramatically during the early months of the pandemic to enable workforces to work remotely and there was significant pressure to make infrastructure more accessible. Organisations had to move quickly to provide that access and for many, traditional forms of access such as VMware, VPN and virtual desktops dominated the first solutions available to enable staff to continue to work. However, most of these approaches lack the granular control required to manage a large, dispersed workforce.

Making access a priority has raised the risk for many organisations. According to the report, the investment priorities were varied: 33% selected infrastructure/cloud as the most important investment, 22% coupled external cloud-based infrastructure with on-premises resources, 44% selected Zero Trust network access/software-defined perimeter as the leading tech solution, 42% selected cloud-based access management and 41% considered conditional access based around location, threats and activity.

The challenges of managing security risks

As organisations grapple with cyber risk and implement risk mitigation programs to address it, there are four project disciplines that typically intersect: Technology, data, process, and organisational change.

Data and infrastructure security is a material consideration for any business when it is planning or executing its digital transformation and security strategies, particularly in terms of architecture, platforms, integration across tools and platforms, and cyber risk. For example, the organisation must consider:

  • Making a commitment to managing and planning for cybersecurity risks and mitigating vulnerabilities that can put the entire system at risk
  • Whether it has the resources, expertise, budget, and capability to manage its own cybersecurity along with stakeholder understanding of ‘now’ vs ‘future’ risk
  • How to manage remote, collocated, and hybrid workforces and how they both interact and introduce potential vulnerabilities to the system
  • Where investment has already been made and where future investment will be required

When assessing the risks to data in the cloud it will vary depending on several factors:

  • The sensitivity of the data to be stored or processed
  • The criticality of the business process and
  • How the chosen service provider has implemented their specific cloud services

These are complex layers to get right in any project, not just high-risk projects.

However, process and organisational change are as vital to the process as technology and data. Maintaining availability and business functionality must be looked at in the context of what the business needs to operate. These are important considerations when assessing whether the solution being considered or implemented is robust and secure enough to not put critical data and processes at risk in the event of a failure.

The cloud is part of the answer, however not all of it

As mentioned above, many organisations were in the process of moving to cloud-based solutions before the pandemic, whilst others have had to accelerate digital transformation projects to enable remote work to occur.

Brute-force attacks and intrusion by a third party is a vital consideration when choosing the organisation’s cloud model. It’s important to understand the pros and cons of a less secure public cloud vs the most secure private cloud option to gain insight into the cost and benefits of securing not only data but to prevent or mitigate against risks to business technology infrastructure. Consideration should also be given to:

  • The sensitivity of an organisation’s data
  • Legislative requirements
  • Physical location where the data is stored and
  • The local laws regarding access and the applications of encryption technologies
  • The heightened activity that has occurred as COVID-19 has seen a surge of organisations move onto cloud platforms and a commensurate increase in the risks

While there may be concern around the use of a public cloud model, organisations may discover that the public cloud may have stronger data protection than they can afford under a hybrid or private cloud model.

However, it’s not just about securing the data from unwanted attacks and access from third parties. Consideration should also be given to where a hybrid cloud is used (or a shared private cloud) as to what limitations are in place to prevent access to the data from others sharing the cloud and even the vendor’s employees.

Where multiple IT services operate to provide a business service, organisations need to ensure that each component has the appropriate SLA in place to meet their requirements. Where vendors are involved, there are several critical points to investigate:

  • The systems a vendor will deploy
  • Evidence of their actual response and resolution times and
  • Their business continuity plans are all worthy of investigation.
  • Any touchpoints or handover points that may slip between the cracks in terms of support during an incident.

Often it is how vendors respond when things go wrong that is the true measure of the quality of the service they are providing.

Process and change management are critical to successfully mitigating cyber risk

Australian businesses face constant and increasing threats from ransomware, phishing, spyware and stalker ware, adware and deep fakes. Response time to critical threats or incidents is absolutely a critical component of any platform.

However, equally important is ensuring that people within an organisation understand that while technology and data protection are critical to reducing the risk, it is also important that process and changing how we manage risk is understood at both an organisational and individual level.

We believe that quality thought leadership is worth sharing and encourage you to share with your colleagues. If you’re interested in republishing our content, here’s what’s okay and what’s not okay.

To speak to our team about how we can help your business deliver better projects, please contact us.

About Quay

Quay Consulting
Quay Consulting is a professional services business specialising in the project landscape, transforming strategy into fit-for-purpose delivery. Meet our team ...