Despite businesses spending top dollar on new cyber security products, organisations that have not yet ingrained a culture of cyber security among their employees will still face critical cyber security risks, says Ken Mizota, regional CTO, Asia-Pacific and Japan at Rapid7.
With many Australian businesses just beginning to navigate their cyber security frameworks, one regional cyber security executive has warned against companies “throwing money at the problem” to overcome cyber risk at the expense of meaningful business changes.
Speaking to Cyber Security Connect, Ken Mizota, regional chief technology officer, Asia-Pacific and Japan at Rapid7, explained that companies need to develop cyber security frameworks that encompass every unique element of a business to best reduce risk.
According to Mizota, many cyber security risks arise from a company's day-to-day business operations, leaving organisations vulnerable if they are over-reliant on technology.
“If I doubled my budget, would risk actually decrease? By and large no, because the problems that many Australian businesses face aren’t about money or technology, but they’re operational,” Mizota explained.
To Mizota, if a business fails to embed cyber security into its day-to-day practices, the organisation will face an “uphill battle” despite additional cyber spend.
This has arisen because organisations have siloed cyber security as a separate business function, he explained, resulting in poor cyber security practices at a broader organisational level.
“My postulate is that cyber security doesn't work because it isn’t embedded in the business right now. It’s not in the culture of the company, it’s treated as a bolt on,” he continued.
Indeed, cyber risks will continue rising, with Rapid7 observing an uptick in the use of ransomware by criminals to extort money from organisations. This has been very evident in Australia with the high-profile attacks on Optus and Medibank.
“If you look at the rise of commodity ransomware, and the ransomware economy, these are not, by and large, sophisticated nation-state actors. However, the attackers themselves are criminals,” Mizota explained.
However, while organisations will likely see an increase in user risk, Mizota explains that there are silver linings for Australian businesses.
“Australia has a fairly strong governance regime in terms of cyber security. There’s an awareness within government of the importance of building cyber security practices into organisations right across the spectrum,” he explained.
“This includes framework regulations, recommendations such as the Essential Eight, and organisations such as the Australian Signals Directorate issuing timely guidance and instructions in the event of a breach.”
Australian organisations are now shifting their focus to how they resource themselves to address the compliance frameworks and avoid the potential punitive damages now coming through the regulators. This includes working out how to get productivity from the security operations centre and other investments without compromising security efficacy and exposing the organisation.