Despite massive investments in cyber security products and services, major data breaches continue to make headlines at an alarming rate. From Optus to Medibank, we’ve seen high-profile Australian companies grappling with the fallout of cyber attacks that exposed millions of customer records.
So what’s going wrong? Why do these breaches keep happening, even as organisations pour money into the latest security technologies and consultants? The answer lies in a fundamental disconnect between how cyber security programs are being implemented versus their core intent.
At the heart of frameworks like ISO 27001 is a risk-based approach to identifying and protecting an organisation’s critical information assets. However, many companies are skipping the crucial foundational steps of thoroughly understanding their risk landscape. Instead, they are rushing to implement high-priced tools and controls without first defining what they are actually trying to protect and why.
The Allure of Shiny New Solutions
The cyber security industry is overflowing with slick marketing from major technology vendors promising silver bullet solutions to all an organisation’s problems. With deep marketing budgets (just look at who is sponsoring Formula 1 teams nowadays), these vendors can make a compelling case for their latest high-tech products.
Couple that with internal pressures from boards and executives demanding action in the wake of highly publicised breaches, and it’s easy to see why companies get seduced by the appeal of new tools rather than taking a step back to re-evaluate their core risk posture first.
Lacking Fundamentals and Accountability
Another factor enabling this misguided approach is a lack of understanding and accountability around cyber security fundamentals within many organisations. While technical staff may be well-versed in using the latest products, there is often a shortage of expertise in core risk management principles.
Conducting a proper risk assessment requires input from across the organisation – from the “boring” back-office teams to the creative product visionaries. Only by understanding a company’s unique value drivers and mapping potential threats to those assets can an effective cyber strategy be developed.
However, this critical exercise is frequently bypassed or paid lip service. Overconfident consultants repurpose generic policies and control frameworks, presenting them as proprietary “best practices.” Auditors lack the time and context to properly validate whether the controls in place actually map to the true risk profile.
A Lack of Real Consequences
Finally, there is little meaningful consequence for companies that fail to take cyber security risk seriously and suffer a breach as a result. Despite predictions of massive fines, firings, and lawsuits in the wake of incidents like the Optus breach, the reality is that little changes. The Medibank data breach occurred in 2022 and exposed highly sensitive health data of millions of Australians, yet it was not until June 2024 that action was filed, and any victory is likely to be appealed.
CEOs may be pushed out, but boards remain intact. Shareholders still receive dividends. Customers grumble but largely remain inert. Such a tepid response reinforces a mindset in the C-suite that investing heavily in cyber security fundamentals is not worth the effort.
Getting Back to Basics
To break this cycle of perpetual breaches, organisations need to re-focus on the core tenets of risk-based cyber security embodied in ISO 27001 and other leading frameworks:
Thoroughly understand your information assets and their value to the business. What are the “crown jewels” that enable your unique value proposition? Involve stakeholders from across departments.
Conduct a comprehensive risk assessment. Map potential threats to those critical assets and evaluate the likelihood and impact to your operations. Prioritise based on risk rather than fear.
Align investments to risks. Once you understand your risk landscape, you can make informed decisions about which security controls and products to invest in – and which are unnecessary.
Implement controls through a structured program. Adopt a formal process for implementing, monitoring, and continually improving your cyber security posture based on evolving risks.
Only by first establishing these fundamentals can organisations start to get cyber security right. It is perhaps less tantalising than a vendor’s latest AI-powered cloud analytics platform, but the unglamorous work of understanding and managing risk is what will truly prevent breaches.
There is no shortcut, no magic product that can compensate for skipping these basics. Until boards and executives face real accountability for cyber incidents, overcoming the inertia and taking a hard look at cyber security fundamentals will remain an uphill battle.
But it is a battle that must be fought. As the frequency and severity of breaches continue to escalate, getting back to basics on managing information risk is the only way forward for organisations hoping to avoid being the next headline.
At Active Directions, we understand that effective cyber security starts with a strong foundation. Our expert consultancy services are designed to help your business implement comprehensive risk management frameworks and tailor security measures to your specific needs. Reach out today to learn more about how we can help secure your future with comprehensive, expert-led cyber security solutions.