The recent 2023 Commonwealth Cyber Security Posture report unveiled critical insights into the current state of cybersecurity in organisations. A particularly striking point from the executive summary is the decrease in reporting of cybersecurity incidents to the Australian Signals Directorate (ASD). Only 42% of entities reported at least half of their incidents in 2023, compared to 51% in 2022. This decline is concerning, especially in the backdrop of significant public compromises. Transparency in reporting breaches is vital. It aligns with the Zero Trust principle of “assume breach,” ensuring safety in digital transactions. When businesses and individuals aim to prevent breaches, reporting them should not be a cause for apprehension but a step towards resilience. The report also sheds light on adherence to the Essential 8 mitigation strategies across various organisations:
Regular Backups: 71% of entities implemented this to Maturity Level 2 with compensating controls, and 65% without.
Restrict Administrative Privileges: The lowest implementation at Maturity Level 2, with 40% using compensating controls and 28% without.
Configure Microsoft Office Macro Settings: Saw significant improvement with 64% reaching Maturity Level 2 (with compensating controls), a 20% increase from 2022.
Patch Operating Systems: Minimal improvement observed. In 2023, only 46% reached Maturity Level 2, a 1% decline from 2022.
Patch Applications: The least improvement without compensating controls, with only 37% achieving Maturity Level 2 in 2023, a 3% drop from the previous year.
These statistics highlight a crucial aspect: the need for modernisation, especially for on-premises, legacy systems. Transitioning to cloud computing is imperative, as it offers robust solutions for many traditional system vulnerabilities. Cloud transformation, as opposed to mere cloud migration, ensures up-to-date encryption, authentication, and transport protocols. Key strategies for modernisation include:
Modernising your apps and resources so that they run on PaaS/SaaS services eliminates patch maintenance and ensures modern encryption, authentication, and transport protocols.
In this sense, lifting and shifting to virtual machines running on IaaS is a cloud migration, not a cloud transformation and leaves you with many of the patching challenges that exist on-premises.
Modernising your apps allows you to minimise or eliminate your on-premises footprint while simultaneously removing your users from your network.
If your users are off your network, they cannot introduce it to malware.
Modernising your apps and integrating it with a modern Identity Provider like Entra ID facilitates the move to passwordless authentication like Windows Hello for Business or FIDO2 (Passkeys to come).
When users do not use passwords, they cannot give them up to phishing attempts.
Passwordless is achievable even without app modernisation in a lot of cases, but they largely go hand in hand for the most secure outcomes.
For resources that cannot easily move away from legacy on-premises technologies, limiting the methods of access to proxied publishing or access secured by a Zero Trust policy engine like Entra ID’s Conditional Access significantly reduces attack vectors.
Fully embracing Microsoft’s cloud offerings provides deep integration of security controls and detections.
The power of the Defender suite that draws on Microsoft’s own security research, set alongside Sentinel for threat hunting and Purview for data security is unmatchable.
Entra ID provides tight integration of security signals into Conditional Access for real-time authorisation decisions when an access attempt is made.
While the report indicates certain concerning trends, it also opens pathways for strategic improvements. Organisations must prioritise modernising their cybersecurity approaches, leveraging cloud technologies, and maintaining transparent reporting practices to build a more secure digital landscape.
Read the full report: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/commonwealth-cyber-security-posture-2023