Common Scenarios Where Organisational Oversight Leads To Key Cyber Vulnerabilities
As Australian organisations move into 2024, there's an increasing legislative push for company boards to be more accountable for cybersecurity risk. With the Privacy Act 1988 already safeguarding personal information, the Office of the Australian Information Commissioner (OAIC) can now impose penalties of up to $21 million for major privacy breaches.
Furthermore, the Government’s recent report, ‘Strengthening Australia’s Cyber Security Regulations and Incentives 2022’, revealed a concerning gap: many company boards lack adequate cyber risk understanding.
This pivot towards enhanced cyber responsibility means directors must now view cyber risk management as a crucial part of their duty, similar to their financial oversight roles. Regulators like APRA and ASIC are emphasising the importance of addressing cyber risks as a core systems and control concern. As such, for directors, cyber awareness isn't just an added skill but a professional necessity, bringing reduced vulnerabilities, diminished losses from breaches, expedited data recovery, and improved liability protection.
In our cyber work with Australian organisations we often see the same key vulnerabilities arising, regardless of company size or industry. Perhaps more interestingly these security gaps seem to stem from the same scenarios.
It seems despite the heightened prioritisation of cyber risk in boardrooms from coast to coast, CEOs and CIOs miss these scenarios, leaving them vulnerable to attacks.
The good news is, once identified through a penetration test, these issues can be quickly remedied. With the ongoing support of a cyber partner such as Cythera, executives can ensure that cyber security becomes a proactive process whereby gaps are addressed in your system before they have a chance to be exploited by malicious actors.
Let’s take a look at these 5 common vulnerabilities:
Acquisitions and Technical Debt
When companies merge or acquire new entities, they often inherit what's known as technical debt, including outdated or "shadow IT" systems that are no longer actively used or monitored but still connected to the network. These legacy systems can be rich targets for attackers, especially if they're not properly accounted for. Penetration testing should include a thorough search for such systems by IP address and other identifying information to uncover and address these hidden dangers.
New Service Launches
Launching new web applications or services is a critical time for cybersecurity. Companies often overlook the necessity to rigorously test new services, particularly when they are running behind schedule or over budget. Hastily pushing services live without a thorough penetration test can leave glaring vulnerabilities open to exploitation. It's essential that new services undergo the same rigorous testing as established ones, regardless of project timelines.
Outdated Cybersecurity Partnerships
Relying on a single cybersecurity provider for penetration testing can lead to a narrow perspective on the threat landscape. Cyber threats evolve rapidly, and a singular testing approach may miss new vulnerabilities. It's crucial for organisations to rotate their cybersecurity suppliers regularly to gain fresh insights and uncover potential weaknesses that others may not see.
Overlooking Social Engineering
Cybersecurity isn't just about digital defences. Many organisations fail to consider the human element, such as social engineering tactics. A comprehensive security strategy must include tests for physical breaches. For instance, Cythera recently conducted an exercise where a technician, disguised in telecommunications gear, attempted to gain physical access to a client's network. The client's staff were vigilant and prevented access, showcasing their readiness for such scenarios. However, this isn't always the case, and companies must be prepared for both digital and physical security threats.
When Integration And Connectivity With Third Party Suppliers Is Poor
Third-party risks arise when external entities in an organisation's network - such as vendors, suppliers, and partners -have privileged access to its data, systems, or processes. While a company might have robust cybersecurity defences and remediation protocols, the same may not hold true for its third-party affiliates. These relationships can inadvertently become the weakest link, offering a backdoor to otherwise secure networks.
Consider a recent incident Cythera encountered as the Managed Service Provider for a client. An unnoticed breach occurred via a third-party provider, a relationship that had not been disclosed to us. This third-party acted as an inadvertent Trojan horse, exposing the parent company's network through vulnerabilities in the API layer. This breach illustrates the silent but significant threat that third-party partnerships can pose.
To identify and mitigate these vulnerabilities, Cythera employs rigorous penetration testing. Our approach not only scrutinises internal defences but also extends to third-party connections that can be exploited. In another recent case study our testing revealed substantial risks within the API endpoints, which if left unchecked, could have permitted unauthorised access to thousands of records. By simulating attack scenarios and exploiting the same channels a malicious actor might, Cythera can uncover and help close these gaps.
Cyber risk is the leading risk for Australian SMEs, with the average cost of a cyber incident reported to the ACSC rising to over $39,000 in 2022.
And while CEOs are becoming increasingly cognisant of cyber risks, there is still the risk of reactive security measures.
By engaging in regular penetration testing your organisation can move towards proactive cybersecurity, and ultimately, begin the process of becoming cyber resilient.
Get on the front foot with Cythera and download our free pen testing checklist for 2024 or book a meeting with our cyber resilience team today to learn how penetration testing can prepare you for cyber maturity.
