The end of 2022 has seen everyday Australians feel the impact of poor cybersecurity policy and implementation. The way we think about cybersecurity needs to change, according to archTIS COO Kurt Mueffelmann.

The last few months have been dominated by cybersecurity news in Australia. The attention brought to our industry and some long-standing issues are welcome. It is a shame that it takes major information breaches to incentivise action from policy makers and boards.

What was interesting to us here at archTIS (ASX:AR9) was the antiquated way cybersecurity itself was often discussed both in the media and online.

Focusing on how the organisation was breached is natural, however, the framing of the debate was often that there was a malicious hacker who ‘forced’ their way in through a security vulnerability.

In neither the Optus nor the Medibank breach was this really the case. As a nation we need to update the way we think about cybersecurity and what it means to be ‘secure’.

With so many new eyes on our industry and as it’s the end of a tumultuous year for breaches, it’s worth putting forward our view of the cybersecurity landscape, where we fit in and how we should all think about cybersecurity in 2023 and beyond.

Cybersecurity, insider threats and information security

The type of ‘cybersecurity’ that most of us will have come across is a consumer antivirus package or a router firewall rule, which relies on spotting incoming viruses and other malicious attacks on your personal computer and stopping them in their tracks at the ‘perimeter’ of your PC or network.

As time has moved on, it has become clear that attackers have changed tactics to bypass the ever-improving perimeter security.

As appears to be the case with Medibank, rather than attempting to break in, the attackers (REvil) got their hands on a prominent person’s credentials and used those to execute their ransomware. This is what the industry calls ‘insider threats’, and they fall into roughly three buckets:

  • Negligent insiders, who inadvertently compromise data. The employee that sends a sensitive file to the wrong recipient is the classic example here.
  • Malicious insiders, individuals who join an organisation with the intent of gaining access to intellectual property and data in order to commit fraud, sabotage or other acts of espionage.
  • Compromised insiders, whose credentials are unknowingly stolen and used by a bad actor.

This is where information security (like we provide at archTIS) comes into play.

To put it simply: we’ve built very good locks (perimeter security), and now we need to stop attackers who are focused on stealing the keys to those locks from getting access to the data, which is what they are really after (information security).

Defending against insider threats – the world of information security

Defending against these different types of insider threats requires a completely different strategy to traditional cybersecurity approaches. They present a challenging set of questions for cybersecurity professionals:

  • How do organisations secure sensitive data when a trusted user’s credentials are compromised by an unidentified third party?
  • What can organisations do to ensure a sensitive file isn’t inadvertently shared with someone who shouldn’t have access?
  • How do organisations strike the right balance of providing contractors and other trusted third parties with the access they need to do their work without impacting productivity or security?

These questions are answered through more modern data-centric approaches to keeping information secure, such as encryption and attribute-based access control (ABAC).

Encryption of information is decades old.

It’s a static security approach. Information is either encrypted or it isn’t, and it can only be accessed by someone with the key. Just like a password, if the attacker has the key, the encryption is ineffective.

In recent years, more intelligent information security options such as attribute-based access control (ABAC) have been developed. An ABAC approach evaluates attributes (characteristics) including the sensitivity of the data itself and the security posture of the user requesting access to decide what type of access should be given, what can be done with the data, and when it can be done.

It’s a far more in-depth approach to access, rather than the simple ‘key = access’ approach.

The advantage of an ABAC-based security approach is that access permissions can be adjusted to the sensitivity of the file and the conditions of the user at the time of access.

An incredibly important database (such as Medibank’s customer details) could have ABAC enabled so that a specific security clearance, time of day, location and device type together determine who is able to access, edit, download or share a particular file.

For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a different device in another country, file access will be denied – effectively thwarting the efforts of a hacker using stolen credentials.
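As an added illustration that is not part of the original story or of any archTIS product, the following constructed ABAC policy evaluates the attributes described above (clearance, time of day, country, enrolled device, requested action) for the scenario in the previous paragraph; all thresholds, user names and device identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed policy values for illustration only (not archTIS's own engine).
CLEARANCE_RANK = {"official": 0, "sensitive": 1, "protected": 2}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
HOME_COUNTRY = "AU"
ENROLLED_DEVICES = {"alice": {"laptop-01"}, "bob": {"laptop-02"}}  # constructed

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str
    owner: str

@dataclass(frozen=True)
class Request:
    action: str      # "read", "edit", "download" or "share"
    hour: int        # local hour of the request, 0-23
    country: str     # country the request originates from
    device_id: str   # device presenting the credentials

def evaluate(subject: Subject, resource: Resource, req: Request):
    """Return ("permit" | "deny", [reasons]) by combining subject, resource
    and environment attributes. Owning the file never overrides a failed
    condition, so valid but stolen credentials alone do not unlock the data."""
    reasons = []
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[resource.sensitivity]:
        reasons.append("clearance below data sensitivity")
    if req.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if req.country != HOME_COUNTRY:
        reasons.append("request from another country")
    if req.device_id not in ENROLLED_DEVICES.get(subject.user, set()):
        reasons.append("unrecognised device")
    # Constructed rule: bulk actions are never allowed on the most sensitive
    # tier, even when every environmental condition holds.
    if req.action in ("download", "share") and resource.sensitivity == "protected":
        reasons.append(f"{req.action} not permitted for protected data")
    return ("deny" if reasons else "permit", reasons)

if __name__ == "__main__":
    alice = Subject("alice", "protected")
    customers = Resource("customer_details.db", "protected", owner="alice")
    # The owner, but out of hours, abroad and on an unknown device: denied.
    print(evaluate(alice, customers, Request("read", 23, "US", "phone-99")))
    print(evaluate(alice, customers, Request("read", 10, "AU", "laptop-01")))
```

The returned reasons double as an audit trail: a denial listing several failed environmental conditions for an otherwise authorised owner is exactly the signal a security team would want to alert on.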

This makes it immeasurably harder for an outsider to impersonate a key member of staff and steal information.

Data-centric security technologies like those developed by archTIS are why we always take the position that a breach of the network is inevitable, but the theft of valuable information is not.

Decoupling this decades-old association of cybersecurity with hackers ‘forcing their way in’ will take time in both boardroom and media discourse. Keeping data secure is a vital part of a globalised world of business. Moving the conversation from ‘hackers and theft’ to ‘insider threats and access’ is how we will make it happen.

This story was developed in collaboration with archTIS, a Stockhead advertiser at the time of publishing.

This story does not constitute financial product advice. You should consider obtaining independent advice before making any financial decisions.