75% of Australian businesses face an increased attack surface from web applications
Fastly has published new research in partnership with Ecosystm which shows that 75% of Australian businesses now live with a significantly increased attack surface due to their reliance on web applications. Large attack surfaces are regularly probed and tested by attackers looking for less protected entry points into enterprise IT environments.
According to the research, Australian organizations have moved en masse to more decentralized IT architectures over the past two years, but are still grappling with some of the cybersecurity implications of these kinds of digital and cloud-centric operating models. The cloud, web applications, and the APIs that enable these applications to integrate and exchange data rank high in risk and challenge assessments by CIOs and technology leaders in Australian organizations. API endpoints, cloud service provider authentication, and enterprise open source software are all considered significant risks as potential entry points for attackers.
Inadequate controls around these architectural elements, coupled with a lack of operational maturity and a reliance on traditional defensive postures, have made Australian business leaders nervous and fearful of attack. The survey shows that 65% of large Australian businesses view nation-state attacks as a very high or high risk to their organizations. Leaders of organizations of all sizes are also concerned about credential stuffing, which attackers can use to attempt to compromise cloud accounts and individual as-a-service logins.
Research also shows that:
- IT leaders plan to focus more on web application security over the next two years, but more likely in 2023. Digital has dominated IT strategies for the past two years, but operating securely in a predominantly or entirely web- or cloud-based environment means living with high risk tolerances and discomfort for security teams.
- Application security often comes second in the competition for attention and funding. More than half (53%) of IT leaders say they prioritize “other digital transformation projects” over application security in 2022, while 39% say “other business initiatives” – outside of IT – take priority, to the detriment of cybersecurity.
- Over 40% of executives identify cloud misconfiguration as still among their top five cybersecurity challenges. Despite the attention paid to this issue over the past two years, and the rise of low-code/no-code platforms and configurations, cloud environments remain complex, and errors or misunderstandings mean that even experienced engineers can encounter cost overruns and/or the risk of unintended data exposure. This percentage is higher for enterprises (41%) than for large (22%) and medium (26%) organizations.
- The main challenge in managing application security initiatives is complexity. 55% of executives say too many third parties are involved in the end-to-end security of their applications, underscoring the new reality of operating in a cloud-, web-, and API-driven world.
Indeed, a typical response from decision makers to the growing complexity of their technology environments is to deploy additional new security solutions. But this approach means nearly half of Australian businesses have more than 50 cybersecurity tools and struggle with alert fatigue and high false positive rates.
Organizations need a modern cybersecurity posture that enables them to anticipate threats before they arise and respond instantly when attacks do occur. They need security controls that can automatically sense, detect, react, and respond to access requests, authentication needs, and external and internal threats. The administration and enforcement of these controls should also be automated to a large extent to improve coverage and consistency, and reduce the burden on security operations centers (SOCs) and cybersecurity practitioners.
“As Australian enterprises deepen their digital transformations, they face a known problem: the challenges of securing a growing number of mission-critical cloud services and API-centric applications,” said Derek Rast, regional vice-president, Australia and New Zealand, at Fastly. “The tools these companies use to secure their digital, cloud, and microservices-based architectures need to evolve. Traditional web application and API security tools fall short in this regard. Exploiting Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs) should be part of an overall defense-in-depth security strategy.”
Responsiveness to cyber threats is itself under threat
The lack of consistency in the operating parameters, powers and preparedness of cyber threat and incident response teams is a prime example of the cyber maturity challenges facing Australian businesses.
Research finds that one in three cyber threat response teams lack the support of key internal stakeholders, are unclear about escalation points for incident management, and lack the authority to confiscate or disconnect equipment and monitor suspicious activity, including from senior management.
Additionally, with respect to cyber threat response planning:
- Only 54% have a comprehensive plan including legal and corporate communications teams
- 50% rehearse the plan at least once a year; the other half practice less frequently or not at all
- 48% have a timeline for additions and improvements to the plan, and hold senior leaders accountable for making improvements
Enterprises are more likely than large or medium-sized organizations to have a well-rehearsed multi-stakeholder plan. However, they are also more likely to be subject to regulatory requirements for planning and incident response. This is supported in the study by the fact that compliance is identified as a major cybersecurity challenge facing organizations.
Enterprises still one step from the edge
Medium and large organizations are more likely than enterprises to rethink how they deploy applications and business logic to end users and actively pursue that target state. The study shows that 64% of midsize organizations and 56% of large organizations are embracing edge computing, moving business logic from application servers to edge cache. On the other hand, only 43% of enterprises do the same, which is 10% less than the overall average.
Moving business logic from the backend to the edge not only increases application performance, but can also significantly reduce an organization’s risk because user requests are routed through a single “front door”, instead of a number of servers that host the application.
The study represents the views of 200 cybersecurity decision makers – primarily CIOs and equivalent titles – in Australia. The study was commissioned by Fastly and conducted in April-May 2022. It covers organizations of three sizes: medium (101-499 employees), large (500-999) and enterprise (over 1,000 employees).