When the Federal Government released its updated Cyber Security Strategy late last year, it was a pivotal moment in the nation’s cybersecurity journey.
The strategy included several key measures to help protect Australian consumers and organisations. These ranged from greater support and guidance for local businesses to improve their cyber resilience, to campaigns to attract skilled migrants in a bid to address the local talent shortage, to greater intelligence sharing with international partners to stay ahead of the latest attack campaigns.
While these are all important steps in safeguarding the nation, when it comes to improving the cyber resilience of the government itself, the most profound change was setting a target to have a “Zero Trust culture” embedded across the Australian public service by 2030.
This strategy follows that of the U.S., which, in 2021, initiated a government-wide effort to implement baseline security practices and migrate the Federal Government towards a Zero Trust architecture. It was seen as so important to the administration that it was issued as an executive order from President Joe Biden himself.
So, what exactly is Zero Trust?
Zero Trust Architecture is an approach to cybersecurity built on one fundamental principle: despite best efforts, data breaches are inevitable (if they haven’t already occurred).
With that in mind, the Zero Trust security model eliminates any implicit trust within a network and allows approved users access to only the bare minimum they need to perform their jobs.
In doing so, the impact of any stolen device or compromised user credential is severely limited, as an attacker would only be able to gain access to a small, contained element of the network.
To put it another way, think about your family’s home. Let’s say you’ve locked your gate. If a thief jumped over your fence, would the door to your home be open? Would your most important documents and valuables lie in plain sight?
Prior to Zero Trust Architecture, the approach to cybersecurity was to lock the gate and leave everything inside the perimeter easily accessible. This new approach secures not only the gate but also the front door and windows, ensuring the safekeeping of the most sensitive and valuable assets.
This mitigates the impacts of any breach. Breaches will still occur, but the damage will be a minor inconvenience rather than a catastrophic event.
The timing of the government’s shift towards limiting the access available to malicious intruders is critical, particularly considering an evolution in the cyber attacker’s playbook.
In recent years, there has been a marked increase in attackers targeting backup data in their campaigns.
This trend is particularly pronounced in ransomware attacks, as backups of critical data allow the victim to recover their operations from a point in time before the attack—without having to pay a ransom.
Unfortunately, recent Rubrik research found that of the Australian organisations that experienced a cyberattack in 2022, 98% saw the malicious actors attempt to compromise their backup data. In 87% of cases, they were at least partially successful.
Zero Trust Architecture helps to protect this critical last line of defence because there is rarely a reason for anyone, beyond a minimal subset of users, to have account privileges that allow access to backup data.
So, while a zero-trust architecture protects many parts of an organisation, the role it plays in keeping backup data secure is perhaps the most important.
In fact, data backups are so fundamental to cyber resilience that they’re the only measure in the Australian Signals Directorate’s Essential Eight to address recovery. The other seven measures, while important, all relate to prevention before the fact rather than recovery after an attack.
With all this in mind, the government’s 2030 commitment to adopt a zero-trust approach is a step in the right direction. That said, cyber resilience needs to be at the top of the agenda, made a priority, and any bureaucracy moved to make it happen as soon as possible.
Findings from Rubrik’s latest Zero Labs Report suggest the Federal Government’s shift towards Zero Trust can’t happen soon enough. The vast majority (88%) of Australian IT and security leaders believe their organisation’s current data growth is outpacing their ability to secure this data and manage risk. Their data growth is significantly higher than the global average of 66%.
As more critical public-facing government services move to digital platforms, ensuring personal data security—and the platforms’ resilience—has never been more critical.
Succeeding in these aims requires a shift in mindset that accepts breaches as inevitable. Most critically, however, this has to be achieved as soon as possible because attackers won’t be just sitting around waiting for 2030.