What do storms, volcanoes and cyber attacks have in common? All can have a devastating impact on society and all have claimed a spot on the World Economic Forum’s top global risks of 2018 list. Last year, the global cost of cybercrime was estimated to exceed $600 billion, equating to around 0.8 per cent of global GDP. An eye-watering amount.
The cyber threat is very real. So much so that Alastair MacGibbon, head of the Australian Cyber Security Centre, believes “cybersecurity is the greatest existential threat facing the Australian economy and society.” Cybercrime is the fastest growing and most prolific category of crime against Australians, with one in four impacted every year.
Individuals aren’t the only ones with a target on their backs. Australia’s leading scientific research agency, CSIRO, recently reported that it had recorded 13 million security incidents in the space of 30 days as foreign actors seek out prized information.
This unrelenting barrage of new cyber risks is reflected in the Vulnerability Intelligence Report from Tenable Research, which reveals that, in 2017 alone, an average of 41 new vulnerabilities were published every single day, hitting a total of 15,038 for the year. Breaches in the first half of 2018 have risen 27 per cent, compared to the same period last year, with vulnerabilities on track to reach more than 19,000 this year.
As the number of vulnerabilities continues to grow, so does the need for more intelligent security practices. The harsh reality is that most high-profile breaches could have been prevented through better cyber hygiene, with ServiceNow reporting that an alarming 57 per cent of successful breaches could have been prevented by installing an available patch.
Managing vulnerabilities has become a challenge of scale, volume and velocity. While trying to remediate each and every vulnerability isn’t realistic, actively prioritising the threats that pose the most risk to the business is possible with actionable intelligence.
Cutting through the noise
Prioritising which vulnerabilities to remediate is becoming increasingly challenging due to the sheer volume. On average, an enterprise uncovers 870 vulnerabilities per day across 960 assets. And of those, more than 100 vulnerabilities are rated as critical. No mean feat even for the most experienced CISO.
To make matters worse, in 2017, public exploits were available for seven per cent of all vulnerabilities, meaning the vast majority of vulnerabilities posed only a theoretical risk. This creates a needle-in-a-haystack scenario that leaves security teams frantically searching for the vulnerabilities that could be weaponised by threat actors.
Without actionable intelligence, prioritising which vulnerabilities should be fixed first is left to guesswork. Real intelligence is lacking from many modern vulnerability management programs, resulting in real-world implications. Of the 57 per cent of enterprises that experienced a breach, 34 per cent stated they were aware of the vulnerability that led to their breach before it happened.
As the number of vulnerabilities grows, so too does the imperative for Australia to get smart on cybersecurity. Traditional and outdated vulnerability management techniques can no longer address the needs of increasingly complex and evolving digital enterprises. With the security of Australian organisations on the line, there is an onus on CISOs to adopt modern approaches, such as Cyber Exposure, to ensure they’re able to identify assets and vulnerabilities before they are compromised.
Bede Hackney is country manager, ANZ, at Tenable.