Five things you need to know to secure your workplace in 2022

Posted by Murray Mills, on 4th Feb 2022, in Security Services

If 2021 challenged your cyber security operations and posture, the next 12 months are unlikely to provide much respite. But help and guidance is at hand.

With 2021 behind us, it’s worth reflecting on the year that was, exploring what we’ve learned and what can be applied to your strategic planning for the next 12 months.

Most organisations spent the year digitally transforming and adopting cloud-based systems to enable work-from-anywhere scenarios.

Words like productivity and continuity permeated all technology and business conversations.

But so did security. With workforces distributed and working in new hybrid models, using technology systems they may have been unfamiliar with, an effective security solution for this environment was critical.

Organisations recognised this, but so did attackers. One survey found 73% of Australian organisations fell victim to cyber attacks targeting remote workers in the past year, suggesting far more work is needed to layer additional protections, build resiliency and raise internal security awareness.

Ultimately, as Gartner notes, long-term work-from-home “requires a total reboot of policies and security tools suitable for the modern remote workspace.”

Protect your business against pervasive cyber threats with the right managed security service provider (MSSP) in Australia.

Tecala is leading the Managed Cyber Security Service industry with our Security Assessment sessions. We use them as the basis for crafting security strategic roadmaps that tailor a security journey to an organisation’s specific needs over forward years. The roadmap takes organisations from where they are now to where they want to be; is aligned to key threat mitigation frameworks such as the Essential Eight or the CIS Controls; and is designed to help organisations address the substantial challenges and security headwinds they are now facing.

While every review and roadmap is different, just as every organisation’s needs are different, we have identified some common trends among the organisations we work with from a security perspective.

In the interest of openness and intelligence sharing, we’ve decided to list the top five here as they may be useful in reflecting on your own journeys to date and identifying gaps that may require external assistance or additional resourcing to close in the year ahead.

Cyber Security

Five things you need to know to secure your workplace in 2022.

Security standards will actually become standard

Organisations presently have a range of standard frameworks to choose from and benchmark cyber security readiness. These include domestic frameworks like the Essential Eight, as well as overseas ones such as the Centre for Internet Controls (CIS) 18 and the National Institute of Standards and Technology – NIST – framework.

There’s considerable repetition and overlap between the different frameworks, such that meeting the requirements of one would likely place an organisation well on the path to complying with the others as well. Whatever framework an organisation chooses, it is likely to serve them well.

However, within the small-to-medium enterprise market, the Essential Eight and CIS Top are currently favoured because they are generally considered more business-friendly.

Only a year ago, awareness of these frameworks was practically non-existent outside of an organisation’s security function. Today, however, it is more common to hear even C-Level executives discussing the security standards they are endeavouring to meet.

In 2022, we expect to see these standards become more tightly integrated into ways of doing business. For example, where company A wants to utilise company B’s services, they may ask company B to undertake a third-party risk assessment that includes portions of these frameworks. The message is effectively: meet security best practice or we won’t connect with you or integrate with your services. I expect to see more examples of this in 2022 and beyond.

Multi-layered approaches will become the pinnacle of best practice

When organisations undertake reviews and test their alignment to the security standards and frameworks, it quickly becomes apparent that more work is needed to increase levels of protection.

In my mind, the adoption of multi-layered approaches to security go hand-in-hand with the increased use of these frameworks.

Multi-layering isn’t about the number of tools an organisation has. Instead, it’s about understanding the spectrum of threats and risk levels and creating security processes to effectively mitigate against them. It’s an approach to securing the organisation, and one that more often than not, leads an organisation down the path of Modern Management.

Modern Management will come into its own

I spent much of 2021 talking about Modern Management, and there’s a good reason for that: 80% of the projects that we undertook this year were centred around Modern Management. There’s no reason to believe that level of interest won’t carry through into 2022 as well.

Modern Management is an umbrella term for a collection of strategies, services and software that is designed to help businesses to deploy and manage assets in the ‘new world’. It can be used to protect employees and the devices and systems they are logged into, regardless of what they are doing, where they are doing it from, and what they’re working on.

It also ensures that all people and devices requesting authorisation to connect to an organisation’s network or applications meet appropriate security standards before they can login, and then that they can only access resources that are appropriate to their level and associated permissions.

To some extent, organisations may still be refining what work in 2022 looks like. We see organisations recruiting for fully-remote workers that will rarely, if ever, attend an office. We also see employees prioritising flexibility over more conventional workplace benefits.

With so many future ways of working still up for negotiation, organisations will need to adapt their approach to Modern Management as well. It may have gotten them this far, but will require changes to fit with what the workplace of 2022 will look like.

Security awareness reaches the board

The next two trends are related: the increased visibility of cybersecurity issues within organisations, and liability challenges that stem from that.

This year, more than any other before it, cybersecurity became an issue for the board of directors and C-Level executives.

Ransomware’s role in that cannot be under-estimated: executives have now seen enough times now the devastating consequences of a successful infection at other similarly-sized and similarly-resourced firms, and are far more aware of the risks and levels of sustainable investment and top-down support required to mitigate against these risks and drive a security-first culture internally.

Other drivers are more direct, such as a proposal on the table to make company directors personally liable for cyber security incidents. Directors of Australian financial sector participants also face direct pressure to skill up on cyber security: “Boards need to strengthen their ability to oversee cyber resilience. Ultimately, …boards [are expected] to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues,” Australia’s corporate watchdog recently wrote.

The intersection of governance and cybersecurity will only increase in importance in 2022. Cyber security will be a top-down problem that must be taken seriously and for which responsibility will ultimately sit with the board and C-Level executives.

It will become harder and more costly to get cyber insurance

On the other side, escalating ransoms and mop-up costs have cyber insurers de-risking as much as possible. Too many organisations are being compromised and running up multi-million dollar clean-up bills they expect insurers to meet.

Payouts have halved in some cases, while premiums have skyrocketed; industry body CIAB saw cyber premiums rise 27.6% in the three months to September 30 alone.

At the same time, Insurers are trimming exclusions, testing contractual clauses before the courts, and forcing those seeking cover to constantly improve their baseline security capabilities and technology to reduce the risk of compromise.

We have seen during recent cyber insurance renewals, that insurance companies are aligning questions to CIS and Essential 8 frameworks. The alignment to frameworks is catching some companies out. when asked to provide evidence of MFA enforcement and Vulnerability Management capabilities for example.

All of which is to say that cyber insurance is a rapidly evolving space both in Australia and overseas, and 2022 will make or break the business models that have brought us to this point. There may be very real ramifications for the ability of organisations to secure cost-effective cover as a result, and that, in turn, is likely to lead to a fresh round of investments in cybersecurity aimed at reducing liability and mitigating against professional and organisational risk all around.

Assess your vulnerability to attack. Protect your reputation.

Working to a risk assessment matrix, we’ll clearly identify where your business is most susceptible to breach or attack.

Our assessment follows 3 Steps:

Where and how your business operations create your potential for risk.
We’ll explain the two primary security frameworks and how to apply them to your organisation
Define next steps: Achieve peace of mind with a tailored Strategic Security Roadmap for your business

Don’t be tomorrow’s headline. Book your session today.

Report

A ‘Shot in the Arm’ for Cyber Security

Businesses and practitioners alike need a ‘pick-me-up’ – a confidence booster to get back on top of security risks and challenges, and to stay there. Let the Tecala Cyber Security Report be your stimulus for change.

READ Blog

blog

How Tecala’s unique ‘Maturity Assessment’ methodology is driving better client outcomes

We take the time needed to properly understand the challenges faced by prospective clients before tailoring solutions to match.

READ blog