SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
The attack surface: 2019's biggest security threat
Fri, 15th Feb 2019

As businesses expand, so does their attack surface – and that may be the biggest cybersecurity risk of them all, according to Aon's 2019 Cyber Security Risk Report.

Aon's national practice lead for cyber insurance Michael Parrant says that businesses are adopting technology at a rapid pace, but that also means there is a growing number of 'touch points' within a business that can be exploited.

“We believe the future of cyber risk management must be proactive, oriented around sharing threat intelligence, and collaborating within and across enterprises and industries; ceaselessly hunting for bad actors; and raising the bar on preparedness for the inevitable day when a strike does come,” says Parrant.

However, the last few years have brought increased regulatory oversight, such as the European Union's GDPR and Australia's Notifiable Data Breaches scheme.

Parrant believes these provide increased financial and reputational motivation for local businesses to take action.

The report points out a number of areas that businesses should focus on to reduce their cybersecurity risk in 2019.

Technology. As integrated technologies such as 'X-as-a-service' (XaaS) and 'Infrastructure-as-a-service' (IaaS) continue to transform bricks-and-mortar industries, it is important that each assesses its own unique exposures rather than trying to adopt an off-the-shelf strategy to manage and mitigate risks.

Supply chain. As cloud-based services and sharing become more common, extending to sharing data between companies and their suppliers, it is important that due diligence is carried out by the lead organisation to ensure the risk of third-party cyber security failures is minimised.

Internet of Things (IoT). The pace of adoption of IoT devices continues to accelerate and is likely to pick up even more as the 5G mobile standard becomes commonplace. However, the 5G network will not improve security. It brings about its own challenges – more devices connected means much higher volumes of data to manage and secure. Future AI-enabled security measures will prove invaluable in tracking, isolating and securing organisations' data networks.

Business operations. A significant proportion of industrial infrastructure is aging and unable to withstand the sophistication of today's malware attacks. As firms expand their IT and OT presence and become more connected, they are creating greater points of attack for malicious agents. It will be important for companies to fully audit all their IT and OT assets and, where possible, fully separate the two.

Employees. An organisation's staff – at all levels – remain one of the most common causes of security breaches, whether accidental or intentional. Firms are held accountable for the actions of their employees, and therefore it is vital that they develop stringent controls over internal access to and control of the data they are collecting.

Mergers & Acquisitions. Globally, M&A deal values are predicted to top US$4 trillion in 2019, which offers an indication of the size and speed of the market. It is vital that the appropriate cyber due diligence be done when companies undertake the process of acquiring others if they want to ensure seamless transitions in the future.

Regulatory. Organisations are increasingly competing in a global marketplace, multiplying their exposure and risk compared to solely domestic operations. And, as high-profile and substantial fines last year have shown, regulators are no longer willing to give up the chase at the border. Most firms need to be informed about and compliant with a raft of regulations in whichever market they are operating.

Board of directors. The Buck Stops Here is still an important truth in terms of directors & officers when it comes to ensuring data security practices and regulatory compliance. Gratifyingly, cyber security is increasingly understood and acted upon at board level, but more leading from the top is required.