One of the consequences of the business and social disruption of 2020 has been the significant lift in cybersecurity risks, as malicious actors have sought to capitalise on individuals working from home and networks increasingly cloud-orientated. As noted by the Australian government in March: “Since early March 2020, there has been a significant increase in COVID-19 themed malicious cyber activity across Australia,” and these threats, along with the ongoing push towards cyber-readiness for Australian businesses, led the government to announce a $1.35 billion Cyber Enhanced Situational Awareness and Response package.
This is an issue that is of great interest at the board level of organisations, and CIOs need to have answers. As noted in a report on the escalating cybersecurity threat, the Institute of Company Directors of Australia wrote “The fourth edition of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations highlights the requirement for directors to regularly assess the skills, knowledge and experience required to deal with new and emerging business and governance issues. Cybersecurity should be one of these key issues.
“Boards do not necessarily need to include IT professionals among their ranks, but as a consequence of the accelerating frequency of cyber-attacks and cybercrime, directors need greater depth of understanding of these risks.”
What CIOs need to be able to answer
One of the most common vectors for an attack on the enterprise is via the individual, with phishing and social engineering techniques being used to obtain passwords and “legitimate” access to a network.
At the same time, a key priority for CIOs and IT in 2020 has been one of flexibility and enablement – how can they open the network to allow remote access, and what can be shifted to cloud-based environments? This has resulted in a massive expansion of the “surface area” of most enterprises, and that too has added to the IT risk that organisations need answers to.
Standard solutions around security are not adequate – a firewall doesn’t provide protection if the malicious actor already has access, and the explosion of threats has made reactive solutions, like anti-viruses, inefficient. On the other hand, if security is too tight and cumbersome, then the CIO and IT team run the risk of employees looking for less restrictive solutions to do their work, and in circumventing the security, open that data to a great deal of risk over insecure public cloud services.
The solution isn’t necessarily obvious. According to an Oracle and KPMG Cloud Threat report, 78 per cent of organisations use more than 50 cybersecurity products to protect the environment, so it can be difficult to narrow down exactly where the solution to this pressing challenge might be. However, many security teams will find their answers from taking a new look at the Identity and Access Management (IAM) systems that the enterprise is using.
The benefits of efficient IAM to the modern enterprise
A zero-trust approach to each device is a necessary answer to the proliferation of BYOD devices and the decline of the physical perimeter. At the same time, the user experience needs to be efficient. Employees can’t waste time resetting one of the dozens of passwords that they need for the various applications in the environment. The customer certainly shouldn’t need to wait for an employee to work out how to login to a CRM system or similar to access their data. And, critically, as far as the CEO and board is concerned, accountability needs to be high – the CIO needs to be able to demonstrate clearly defined processes around access and how changes to access (when new people are brought on or existing employees leave) is handled. Furthermore, there needs to be clear audit trails to support governance requirements.
A well-designed and implemented IAM solution will address all these challenges, and offer the CIO a number of other cybersecurity benefits, including:
Security is a governance concern, and company directors have noticed that COVID-19 has escalated the risk profile of IT security to extreme levels. CIOs will be called on to provide highly accountable solutions that put the users, rather than the network, devices or “perimeter” at the centre of the security strategy. For many CIOs, improving the use of IAM will address the concerns that their board have while enabling the organisation to work in the way that modern conditions demand.