If you track the success of cybercriminals in Australia during the COVID-19 pandemic, you could say that they’re winning the battle against organisations big and small. During the 2020–21 financial year, the Australian Cyber Security Centre (ACSC) received more than 67,500 reports of cybercrime, which is up almost 13 per cent from the year before.
Self-reported losses from cybercrime totalled more than $33 billion during the reporting period, and around a quarter of cyber incidents reported to the ACSC were associated with Australia’s critical infrastructure or essential services.
“We saw numerous healthcare systems and hospitals shut down while dealing with the pandemic, so that just goes to show the seriousness of the threat we’re facing,” says Richard Bergman, Cybersecurity Leader at EY Oceania.
Bergman says the increase in the frequency and impact of cyberattacks in Australia goes hand in hand with a massive cybersecurity skills shortage. According to the 2020 update to Australia’s Cyber Security Sector Competitiveness Plan, the country will need 7,000 new cybersecurity professionals by 2024 to meet demand.
“We just haven’t made enough investment and don’t have enough people to fight cybercrime at scale,” he says. “And Australia needs to rapidly change the equation on that.”
However, since the introduction of the Security Legislation Amendment (Critical Infrastructure Protection) Bill in 2020, Bergman believes more organisations are realising the need to rapidly strengthen their sovereign cybersecurity capabilities.
“We’ve seen a number of organisations increase their funding fivefold or tenfold for a cybersecurity transformation program, or an uplift program, to deal with the changes in the Critical Infrastructure Act, which I think is a good thing,” he says.
“Secondly, we’ve seen a shift to focusing on the all-hazards approach, where you are not just looking at the IT cyber risks, but also looking at your asset-intensive parts of the business and your personnel security. In the past, the industry’s been a little bit narrow-minded in how they tackle it.”
Leveraging existing investments
The EY cybersecurity practice is one of the largest in the region and in the world. The organisation has continued to grow its existing capabilities and add new ones to help organisations in Australia combat cybercrime.
The organisation’s acquisition of SecureWorx in September 2021 has enabled EY to offer clients multicloud services, 24/7 threat detection and response capabilities, and access to security-cleared personnel onshore with its accredited Protected Security Operations Centre (Protected SOC).
The Protected SOC is powered by Microsoft, which allows the EY cybersecurity team to deliver managed services for threat detection and response by leveraging solutions such as Microsoft Defender, Microsoft Sentinel and Azure Lighthouse in a protected capacity.
Bergman says there is strong demand for the EY Protected SOC, with many organisations rethinking how they leverage existing investments in Microsoft to save time, effort and money, but also improve their sovereign cybersecurity capabilities.
“The ability for EY to run a Protected SOC powered by Microsoft is a really strong sovereign capability that organisations want across the region,” Bergman says.
For example, one organisation that EY recently worked with had bought and deployed approximately 40 different cybersecurity products over time.
“There’s been a substantial change in Microsoft’s native capabilities on the security stack side of things, so we went back and looked at the cyber strategy the organisation had,” Bergman explains.
“We revisited and re-examined the enterprise security architecture, and we realised that based on their existing Microsoft investments, we could replace a substantial number of third-party security tools with native capability from the Microsoft stack.
“By doing that, we managed to decrease the total cost of ownership, but also dramatically improve the end-to-end threat detection and response capability. It’s a good example of focusing on the simplification and rationalisation of tools to uplift cybersecurity capability.”
EY is currently working with another client to provide end-to-end visibility of risk across its digital ecosystem by converging information technology, operational technology and the Internet of Things (IoT).
“It’s incredibly complex. A lot of organisations have neglected it or struggled to do it,” Bergman says.
“We’ve been working with Microsoft on how to leverage a combination of Defender, Sentinel, Defender for IoT and Azure Lighthouse in a way that provides end-to-end visibility of risk to allow the client to be in a much better position to react or respond to a ransomware attack or some other event across their environment.”
Bergman says EY will continue to invest in the automation and AI capabilities that underpin its Protected SOC so that it can detect cybercrime “at the speed of machines rather than eyes on glass”.
Solving the skills shortage
EY has also made a significant investment in recruiting, training and certifying cybersecurity professionals to help plug the current skills gap in Australia. Bergman notes that the organisation’s cybersecurity team is one of the largest in the Oceania region.
“We are seen as a Microsoft cybersecurity centre of excellence across the region, which is great,” he says.
EY is also looking to establish skills pathways through its Protected SOC to attract more people to the cybersecurity sector.
“We want to play our part in helping solve the skills shortage by creating some alternate pathways for people wanting to get into the cybersecurity profession,” Bergman says.
“It’s a work in progress. There are a few organisations that we are looking to work with, and we’re looking at some neurodiverse pathways, some Indigenous pathways, some rural pathways and a return-to-work pathway.
“Those conversations are still ongoing, but it’s super important because if we don’t solve the skills shortage, we’ve got some significant challenges ahead.”