The focus is now firmly on the customer and offering them better service and better protection, particularly with the new paradigm of “everything-as-a-service” – where everything is offered in cloud-based, consumer-based models.
2019 saw significant increases in privacy breaches, alongside increased legislation impacting banking, financial services and critical infrastructure. Operating models are changing, with businesses now operating in an “outside-in architecture”. As organisations continue to digitalise, they are placing increased trust in third and fourth parties who support critical systems and data – and they need to have confidence in those parties.
As such, cyber security continues to be top of mind for boards, with tightening regulations a key driver. Growing awareness of consumer data rights, the Privacy Act, and the new Prudential Standard CPS 234 for Information Security impose serious legal and ethical requirements on organisations, not to mention the risk of brand damage and financial loss from cyber-attacks.
Ransomware continues to be one of the fastest growing threats for Australian businesses and there will also be an increase in geopolitical and cyber warfare. The Internet of Things will also see an explosion of incidents in 2020. Continually identifying and patching vulnerabilities in billions of devices will be an immense task. Many organisations will struggle to identify just how many connected devices they have.
Clearly governments and businesses have no choice but to sit up and take notice. But what kind of action will this translate into and how will Australia be affected? We have five predictions for cyber security in Australia in 2020.
1. Identity as the new firewall
With everything moving to ‘as a service’ and less control over applications and the network, identity, role-based access and the use of UBA (user behaviour analytics) to detect anomalies are the new security frontier. Identity will be the cornerstone of business strategy and growth agendas this year, converging HR, risk and cyber.
There will be renewed focus on traditional employee identity governance and management, privileged access management, and more importantly customer, student and citizen identity.
2. Protecting the data wherever it resides
Data is the ‘currency in security’ and is the core focus of threat actors. Data is critical to businesses maintaining a competitive edge through operational efficiencies and providing better products and services to customers. The volumes of data are increasing exponentially with AI and machine learning.
Along with this is a shift to ‘everything as code’ as organisations continue to digitise and operate with an ‘outside-in architecture’, essentially living on the web. This will lead to renewed focus on data governance and management. Organisations will look to place security on the data so that the data is protected wherever it resides, securely accessible only by people authorised to access it.
3. Need for Resilient Artificial Intelligence (AI)
Artificial Intelligence and machine learning are transforming the world of business. But Australian organisations need a comprehensive strategy to ensure intelligent automation does not expose them to financial, operational or reputational risk. Focus will be on how to govern the automation program and identify, monitor and mitigate risk to the business throughout the automation journey.
Cyber criminals are also using AI to exploit security weaknesses. Traditional security and protection mechanisms may not be sufficient to deal with the next generation of attacks. Investing in cyber security will be part of the innovation budget, and part of every digital adoption.
4. Business ecosystem remains a challenge
The supplier and partner ecosystem, in which most Australian companies operate, is becoming more complex, more integrated, and more interdependent. The focus is on securing the business ecosystem, given the increased potential for a supplier or partner compromise to disrupt your business. Customers and regulators can be unforgiving when that leads to a breach of customer data or a failure of your critical business services, even if the breach was not your fault or directly within your organisation.
A tick-box approach to embedding third-party assurance will become unworkable. Risk scoring services are immature and controls on third parties remain inconsistent or ineffective. There’s a need for a fundamental shift in the security model to one that takes account of the extended enterprise, which characterises business today.
5. Cyber insurance comes to the forefront
Cyber security is going to be top of mind for boards. With digital transformation part of everyone’s strategy, cyber security has to be treated as a business risk – which means defining a company’s appetite for cyber risk. Some advanced organisations are already treating it as a risk and governance matter, defining key metrics for measuring and reporting deviations from their cyber risk appetite.
Australian business and boards will increasingly look to the cyber insurance sector as cyber security moves up the value tree, and is no longer seen as “just a matter for the IT department”. The CISO (chief information security officer) will now report directly to the CRO, CFO or CEO, not the CIO, becoming a bridge between business owners and cyber security. Adroit Market Research has tipped the cybersecurity insurance market to explode from around $4 billion in premiums globally in 2019 to more than $23 billion by 2025. We also anticipate insurers becoming more selective in just what and who they’re prepared to insure as cyber insurance comes of age.
Actively managing customer trust amidst constant and accelerating digital technological disruption will present Australian organisations with fresh challenges and new revenue opportunities. Trust has become central to customer experience, and businesses are increasingly demonstrating a commitment to trust through their cyber agenda.
But we will still need to focus on the basics. Whilst organisations are investing in cyber, many will struggle with good cyber hygiene across their ecosystem, including patching, anti-virus, policy hardening, identity, etc. Those failing to implement the Essential Eight risk mitigations recommended by the Australian Cyber Security Centre (ACSC) will be easy targets for threat actors.
For more information on cyber-related matters, please reach out to the authors: Gordon Archibald, KPMG partner and national lead, cyber security services, and Katherine Robins, partner, cyber security services.