{"id":870,"date":"2021-09-01T10:57:00","date_gmt":"2021-09-01T10:57:00","guid":{"rendered":"https:\/\/dev.cryptoloc.au\/?p=870"},"modified":"2023-10-03T06:18:53","modified_gmt":"2023-10-03T06:18:53","slug":"the-shift-in-cybersecurity-its-time-to-stop-focusing-on-your-perimeter-and-start-focusing-on-your-data","status":"publish","type":"post","link":"https:\/\/127.0.0.1\/the-shift-in-cybersecurity-its-time-to-stop-focusing-on-your-perimeter-and-start-focusing-on-your-data\/","title":{"rendered":"The shift in cybersecurity: It\u2019s time to stop focusing on your perimeter and start focusing on your data"},"content":{"rendered":"\n
It\u2019s a sad fact of life in 2021 that cyberattacks are inevitable and data breaches are highly likely. So why are so many businesses focused on keeping cybercriminals out, instead of limiting what they can do once they get in? <\/p>\n\n\n\n
Most enterprises are aware of the need to protect themselves from cyberattacks, and employ some form of perimeter security to that end, whether that\u2019s in the form of network firewalls, anti-malware software, intrusion detection and prevention systems, or all of the above. <\/p>\n\n\n\n
Over time, and in line with the explosion in working from home (WFH), that perimeter security mindset has expanded to endpoint security \u2013 the practice of securing network-enabled devices like desktop computers, laptops and mobile devices from attack. <\/p>\n\n\n\n
But despite these efforts to keep bad actors out of their environment, businesses are falling prey to cyberattacks with alarming regularity. A recent Australian Institute of Criminology report estimated the total annual economic impact of cybercrime in Australia at $3.5 billion, while the FBI reported a 400% increase in cybercrime after the onset of COVID-19. <\/p>\n\n\n\n
A report into the economic impact of cybercrime by McAfee and the Center for Strategic and International Studies (CSIS) found the global losses from cybercrime had reached almost $1 trillion by the end of 2020, while the number of groups launching ransomware attacks grew month on month throughout 2020. <\/p>\n\n\n\n
Cybercrime is spiralling out of control, despite significant investments in perimeter security \u2013 and there\u2019s a simple reason for that. <\/p>\n\n\n\n
The reality is that you can have all the protection mechanisms in the world in place, but one human interaction can bypass all of them. <\/p>\n\n\n\n
That\u2019s not to say perimeter security isn\u2019t important. Of course it is \u2013 there\u2019s no point making a cybercriminal\u2019s life any easier for them, and perimeter security certainly plays a role in reducing risk. It\u2019s just not the be-all and end-all that some businesses might think.<\/p>\n\n\n\n
The ever-increasing interconnectivity of networks, and the sharing of information across them, is providing cybercriminals with more opportunities to seize data, as this data is often less secure while in motion (i.e. actively moving from one location to another). <\/p>\n\n\n\n
And while networks have become more secure, social engineering \u2013 the old-fashioned art of the con, exploiting human error and psychology \u2013 remains the most effective way to bypass an organisation\u2019s defences. <\/p>\n\n\n\n
Social engineering is less of a hack, in the traditional sense, than it is a trick. A phishing email is a social engineering scam, for instance. And as the world becomes more connected, and more information about a business\u2019s employees becomes available online, it becomes easier for attackers to trawl for details that will make these tricks more compelling and convincing. <\/p>\n\n\n\n
Once an attacker finds their way into your infrastructure through a careless or compromised user on the inside (or even, for that matter, a malicious user like a disgruntled employee), perimeter security is powerless to do anything about it. <\/p>\n\n\n\n
Cybersecurity expert Mathias Gaertner, Director of the Technical Advisory Board at the Australian Computer Society (ACS), says perimeter security fails to take into account the human factor. <\/p>\n\n\n\n
\u201cWith ransomware, it\u2019s usually the user who invites in the intruder through clicking a link in a phishing email that installs spyware,\u201d he said. \u201cThis constitutes a breach which a firewall can\u2019t work against.<\/p>\n\n\n\n
\u201cIt\u2019s like a castle with a moat, but everyone inside has the freedom to do whatever they want within those walls.\u201d <\/p>\n\n\n\n
Cryptoloc founder Jamie Wilson agrees that perimeter security has its limitations. <\/p>\n\n\n\n
\u201cThink of it like a house,\u201d he says. \u201cThe perfect home security system has got CCTV cameras, bars and security screens on the windows, double deadlocks on the door, a massive fence and maybe even a couple of vicious dogs. Those are your perimeter controls.<\/p>\n\n\n\n
\u201cBut the weakest link in that security system is the person who\u2019s already inside the home, and is scammed into letting a criminal walk through the front door. Well, it\u2019s the same with an employee who opens a phishing email, or connects to the wrong IoT device \u2013 before you know it, the cybercriminals are inside your system, and your perimeter controls that were supposed to stop anyone from getting in can\u2019t protect you.\u201d<\/p>\n\n\n\n
As soon as an attacker can convince a user to do something for the attacker\u2019s benefit, they\u2019ve effectively bypassed whatever perimeter security controls an organisation might have in place \u2013 but there is still a way for that organisation to take back control. <\/p>\n\n\n\n
Ultimately, the key to overcoming the limits of perimeter security is to put data security first.<\/p>\n\n\n\n
After all, your data is your bedrock \u2013 it\u2019s the reason you have perimeter security controls in the first place, and it\u2019s what cybercriminals are after when they attempt to breach those controls. <\/p>\n\n\n\n
The limits of perimeter security <\/h3>\n\n\n\n
Beyond perimeter security <\/h3>\n\n\n\n