On June 19 , in front of national and global media , Australian Prime Minister Scott Morrison made clear that , in the face of mounting evidence of ongoing state-sponsored cyber attacks on Australia ’ s public bodies and academia , national cyber defences needed to dramatically step up .

Subsequently , the 2020 Cyber Security Strategy has made it clear that the Government plans to introduce cyber security regulations for corporations . Other major economies in APAC have already made similar moves ; Singapore , for instance , created an information hub for critical infrastructure security in 2019 .

But what exactly are the threats that we need to defend against ? AV-TEST Institute registers over 350,000 new malicious programs , malware , and unwanted programs per day . The good news is that it doesn ’ t really matter how many external threats there are . The most ‘ successful ’ attacks in recent years , from NotPetya and WannaCry to Mirai , generally have a first-mover advantage of some kind . They take advantage of existing , unknown and / or unpatched software vulnerabilities or find unsecured pathways into personal computers or networks .

In a scenario like this , your anti-malware defences being up-to-date won ’ t be effective protection . Equally , all the endpoint protection in the world won ’ t stop a phishing attack on an executive or a highly-privileged member of your IT infrastructure team , and phishing remains a key piece of weaponry for attackers , featuring in 22 % of breaches reported in Verizon ’ s 2020 Data Breach Investigations Report .

How , then , should APAC organisations respond and step up to protect their critical data and assets ?

The first step is to stop wasting energy on attempting to prevent all attacks . This will only perpetuate the failing perimeter defence model ; a model that has been with us , unchanged , even as the environment has evolved around us .

The reality is that the perimeter as-was no longer exists and thus cannot be effectively defended . Instead , forward-looking IT leadership focuses security strategy on being able to contain attacks that threaten critical data and assets .

This is particularly important in the context of the pandemic-driven new normal and our digital transformation as a whole .

As more of what we do as consumers moves online and as companies adopt Software-as-a-Service tools with their own security settings and user privileges , we create more reasons and more targets for attackers to go after as they aim to get a foothold into organisations .

In particular , there is a need to focus on securing identity since it now defines the organisational perimeter . If attackers can steal the credentials associated with an employee or customer identity , they have a way in to an organisation ’ s infrastructure . More importantly , they are then far more likely to be able to find and compromise the real prize : the privileged credentials that are the pathway to the critical data and assets they are after .

Businesses in APAC must focus less on the ‘ who ’ is conducting an attack , and more on the ‘ how ’. ‘ How ’, in this case , is how to protect critical data and assets . Attribution is a political issue – one that is better handled by governments . What should concern us is whether we ’ re securing what is really important to the organisation . www . intelligentcio . com INTELLIGENTCIO

Intelligent CIO APAC Issue 03 | Page 33

THOMAS FIKENTSCHER , REGIONAL DIRECTOR A / NZ , CYBERARK

On June 19 , in front of national and global media , Australian Prime Minister Scott Morrison made clear that , in the face of mounting evidence of ongoing state-sponsored cyber attacks on Australia ’ s public bodies and academia , national cyber defences needed to dramatically step up .