New threats to data and critical infrastructure

The COVID-19 pandemic has radically changed the way organisations operate, presenting both challenges and opportunities. We may be moving past lockdowns and work-from-home mandates, but remote or hybrid work is sticking, with employees relishing the benefits of a flexible, modern workplace. But with greater benefits come greater risks.

While the swift move to digital communication and cloud storage may be a permanent fixture of the approaching post-pandemic era, so is our increasing reliance on data. Data is now an organisation’s greatest asset; however, it can paradoxically be its biggest burden. This will become increasingly apparent as the on-demand economy expands, generating an immense amount of data and creating new vulnerabilities — and along for the ride are slick cybercriminals intent on exploiting the situation.

Organisations are being forced to confront the evolving threat landscape and respond quickly to avoid data breaches, fraud and ransomware attacks. Cybersecurity strategies are trying to keep pace, but prevention is not enough; as we look to the future, mitigating impact with cyber resilience is vital.

New threats to data

In a 2021 survey commissioned by Dell Technologies, 66% of data decision-makers regarded their businesses as data-driven and said “data is the lifeblood of their organisation”. The past two years have cemented data as a primary asset for organisations, with 44% saying the pandemic significantly increased the data it needs to capture. This influx of data has left organisations vulnerable, with the door wide open for cybercriminals even as the pandemic wanes.

In fact, cyber attacks are one of the fastest-growing crimes in the world. In 2021, businesses suffered 50% more cyber attacks per week than in the previous year, and by 2025, cybercrimes are expected to cost the world $10.5 trillion annually. The Australian Cyber Security Centre (ACSC) is encouraging Australian organisations to urgently adopt an enhanced cybersecurity posture in 2022 to mitigate threats posed by a range of malicious cyber actors.

Cybercriminals have been jumping at the opportunity presented by the worldwide shift to remote work and cloud storage, with an abundance of sensitive data available at their fingertips. Remote work means endpoint security includes other Internet of Things (IoT) devices that can access the same Wi-Fi network as employees, leaving IT departments scrambling to maintain adequate security measures. In our new normal of at-home work, a single vulnerability or misstep can have severe consequences.

Most concerning, ransomware has been dubbed a ‘digital pandemic’, with attacks increasing by nearly 500% since the start of the pandemic. Across the globe, ransomware attacks are hitting critical infrastructure hardest — the payoff for criminals is huge, and the targets are easy.

Protecting critical infrastructure

As organisations become increasingly digitised and vulnerable to attack, critical infrastructure, the backbone of economies, is put at risk. Gartner predicts that by 2024, there will be a cyber attack on critical infrastructure so damaging that a member of the G20 will respond with a physical attack.

Though that prediction is troubling, precognition isn’t needed to see the danger at hand. The ACSC reports that approximately 25% of cyber incidents from 2020–2021 targeted critical infrastructure and essential services, including healthcare, food distribution and energy sectors.

The vulnerability of these services and the potential damage to the economy is cause for alarm, with the risk of harm or loss of life underpinning anxieties as organisations and government leaders attempt to manage the issue.

In response to the increasing cyber threat, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill in November 2020. The bill expanded the coverage from four sectors to include 11 critical infrastructure sectors. More recently, the 2022 Critical Infrastructure Protection Bill was introduced. If passed, entities may be forced to follow the suggested cybersecurity risk management program.

As mandates attempt to match the threat, providing cybersecurity solutions to avoid attacks, the core of the problem is not being addressed: the digital world is here to stay. A 2021 global survey conducted by PwC found that only 10% of respondents wanted to return to a traditional work environment. With the digitised world becoming a permanent fixture, for many large organisations, an attack isn’t a matter of ‘if’ but ‘when’.

Cyber resilience over cybersecurity

In the 2020–2021 financial year, cyber attacks had a more profound impact on victims, correlating with the increase in attacks against large organisations and critical infrastructure. The problem then is not just an increase in attacks but an increase in impact. Given this, cybersecurity is no longer enough. Organisations, particularly those responsible for critical infrastructure, need cyber resilience.

To reduce impact and increase the chance for a quick recovery, organisations need to identify critical capabilities and isolate their most sensitive data, then work to protect it from attack first and foremost. Looking at the interconnectedness of systems will highlight areas of vulnerability and potential points of weakness; creating an adaptable strategy to reduce these vulnerabilities will go a long way to increase resilience.

However, large organisations have been hesitant to add leading technologies to their repertoire to combat the issue. This is troubling given that automation, artificial intelligence, machine learning and cloud services are some of the top ways to protect and recover data to increase cyber resiliency. Though change and innovation may have created these new threats to data, they will also be the things to save it.

As the post-pandemic era approaches, organisations and leaders must address the threats to our data and critical infrastructure while supporting and empowering the increasingly digitised landscape. Though the pandemic created challenges, the positive change in workplaces and rapid advancements in technology are astounding. Protecting our future in this new world means protecting our data, and the test of true strength isn’t how well we avoid a situation — but how well and how quickly we recover from it.

Image credit: ©stock.adobe.com/au/forestgraphic