GRC
The Illusion of Progress
Why Australia’s businesses are still losing the cyber war
If you only look at the flashy headlines, the cyber security industry is winning. Ransomware numbers are down. RedLine stealer has been dismantled. The head of LockBit identified. The Medibank hacker (sic) publicly shamed. But in an industry where winning and losing is defined by one question (are we enabling all companies to become more secure?), the reality is far more complicated.
The growing divide
The divide between companies with effective and ineffective cyber security programs is significant. The top players have the expertise and the resources to engage with Government agencies and contribute to the profession.
The rookies aren’t even making it past the starting line. Snowballing compliance burdens and ill-fitting expert advice are preventing companies with fewer resources from making progress. Much to the exasperation of the Federal Government, small- and medium-sized businesses remain naïve and inexperienced regarding the dangers they face using modern I.T. infrastructure.
“The divide between companies with effective and ineffective cyber security programs is significant.”
Lack of Awareness
The family-run winery does not understand the significance of allowing lax configurations to remain in their environment. What does “disabling legacy authentication in Microsoft 365” mean anyway?
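To make that phrase concrete: “legacy authentication” is the set of older mail and client protocols (IMAP4, POP3, SMTP AUTH, Exchange ActiveSync, older Office clients) that cannot enforce multi-factor authentication, which is why blocking them matters. The script below is an added example, not code from the original article: it takes sign-in records in the shape the Microsoft Graph signIns API returns (fields userPrincipalName, appDisplayName, clientAppUsed and status.errorCode) and reports which accounts still depend on legacy protocols, so a small business can see what will stop working before it flips the switch, and which failed legacy sign-ins to look at. The winery domain, user names and records are constructed sample data.

```python
"""Find legacy (basic) authentication in Microsoft 365 sign-in logs.

Input records use the field names of Microsoft Graph signIns objects.
The sample data below is constructed for illustration, not real log output.
"""
import json
from collections import defaultdict

# clientAppUsed values that Entra ID reports for legacy authentication protocols.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
    "Exchange Online PowerShell",
    "Exchange Web Services",
    "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)",
    "AutoDiscover",
    "Offline Address Book",
    "Reporting Web Services",
}

# Constructed sample sign-in records (same field names as Graph signIns).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "owner@example-winery.com.au", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
 {"userPrincipalName": "owner@example-winery.com.au", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"userPrincipalName": "scanner@example-winery.com.au", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
 {"userPrincipalName": "cellar@example-winery.com.au", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 50126}},
 {"userPrincipalName": "sales@example-winery.com.au", "appDisplayName": "Microsoft Teams",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
]""")


def is_legacy_auth(record):
    """True when the sign-in used a protocol that cannot enforce MFA."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def _failed(record):
    # errorCode 0 is a successful sign-in; anything else is a failure.
    return record.get("status", {}).get("errorCode", 0) != 0


def summarise_legacy_auth(records):
    """Return {user: {protocol: {"success": n, "failure": n}}} for legacy sign-ins only."""
    summary = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for r in records:
        if not is_legacy_auth(r):
            continue
        outcome = "failure" if _failed(r) else "success"
        summary[r["userPrincipalName"]][r["clientAppUsed"]][outcome] += 1
    return {user: dict(protocols) for user, protocols in summary.items()}


def accounts_needing_attention(records):
    """Accounts with at least one successful legacy sign-in: these are the mailboxes
    and devices (e.g. a multifunction printer sending via SMTP AUTH) that must be
    moved to a modern-auth client before legacy authentication is blocked."""
    return sorted(user for user, protocols in summarise_legacy_auth(records).items()
                  if any(counts["success"] for counts in protocols.values()))


def failed_legacy_attempts(records):
    """Failed sign-ins over legacy protocols; worth reviewing because these
    protocols accept a bare password and never prompt for a second factor."""
    return [(r["userPrincipalName"], r["clientAppUsed"])
            for r in records if is_legacy_auth(r) and _failed(r)]


if __name__ == "__main__":
    for user, protocols in summarise_legacy_auth(SAMPLE_SIGNINS).items():
        print(user, protocols)
    print("move to modern auth before blocking:", accounts_needing_attention(SAMPLE_SIGNINS))
    print("failed legacy sign-ins to review:", failed_legacy_attempts(SAMPLE_SIGNINS))
```

Run it against an export of the tenant's sign-in log and the output is the practical checklist behind the jargon: the accounts in the first list need a supported mail client or device setting changed, after which the protocols in LEGACY_CLIENT_APPS can be blocked with a Conditional Access policy without anything silently breaking.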
Adding to this lack of expertise, over the last 12 months we have witnessed the troubling trend of “Trickle Down Cyber Security.” As larger companies become more regulated, they are implementing third-party risk management programs and pushing onerous compliance burdens down the supply chain.
Compliance without context
Does your small- or medium-sized business want to bid on a contract? Please send over your ISO 27001 certificate, SOC 2 Type 2 Report, and your business continuity plan. This is a common introduction to cyber security for many small- or medium-sized Australian businesses if they have been lucky enough to avoid getting hacked.
Now aware of the requirements, the person at the SMB who was unfortunate enough to Google ISO 27001 is tasked with implementing the ISMS, organising certification, and responding to the UpGuard questionnaires.
The net result is a cumbersome and unworkable information security framework implementation. Significant resources spent to win a contract, but lack of attention to basic technical controls means the business is no more secure than it was before the addition of 30 new policies and procedures.
“Significant resources spent to win a contract, but lack of attention to basic technical controls means the business is no more secure than it was before.”
Industry accountability
The cyber security industry is also to blame for this boondoggle. Too many organisations are out looking to make a quick buck and provide generic guidance without taking the time to understand the organisation’s I.T. infrastructure or how their business operates.
Governments must take a hard look at the programs and initiatives they are rolling out. If the intended recipients don’t understand how to apply the advice, or worse yet, even where to find it, it’s a wasted effort. Guidance needs to be written in plain English, contextualised to the size and maturity of the business, and delivered through channels that business owners actually use.
Threat actors are aware of this security gap, and they are looking for low-hanging fruit. They need their payday, after all. When threat actors discover that no multi-factor authentication exists on remote connection services, firewall access is exposed on the internet, or systems are out-of-date and insecure, they see dollar signs. Smaller companies make easier targets, and they tend to suffer more severe consequences.
Lifting the supply chain
If we want supply chain security to meaningfully improve, larger organisations must invest in educating their suppliers, providing funding or resources where possible, and adjusting their expectations based on the realities of operating a small business.
Otherwise, we’re just creating compliance theatre that checks a box but doesn’t move the security needle. True uplift means rolling up sleeves and getting involved, not outsourcing accountability to the nearest procurement team. Just the other day the Victorian Government was asking a three-person startup if they had completed an IRAP assessment.
Lastly, the security community must do better in making cyber advice accessible and relevant. That starts by understanding that a five-person accounting firm doesn’t have a CISO and can’t afford a GRC consultant. Advice needs to be pragmatic, actionable and based on real-world environments, not ideal-state architectures or what the ISO standard says.
The real challenge
If we can’t bridge the gap between what’s technically perfect and what’s practically possible, we’ll keep seeing the same headline: “Family business crippled by ransomware, pays ransom”.
This is the biggest challenge the industry faces now.
Provide practical, easy-to-implement cyber security programs to those businesses that do not know they need them.
“Smaller companies make easier targets, and they tend to suffer more severe consequences.”