We are thrilled about Australia’s strategic direction to build a world-leading cyber nation by 2030. As a world-leading cybersecurity company whose mission is to help build a better Internet, we think we can help.

Cloudflare empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Cloudflare first established a footprint in Australia in 2012 when we launched our 15th data center in Sydney (our network has since grown to span over 310 cities in 120 countries/regions). We support a multitude of customers in Australia and New Zealand, including some of Australia’s largest banks and digital natives, with our world-leading security products and services. For example, Australia’s leading tech company Canva, whose service is used by over 35 million people worldwide each month, uses a broad array of Cloudflare’s products — spanning use cases as diverse as remote application access, to serverless development, and even bot management to help Canva protect its network from attacks.

In support of the Australian Cyber Security Strategy 2023-2030 (The Strategy), released on November 22, 2023, we want to share how we can help empower Australian organizations and individuals to become more secure. The Strategy is clear about the value of cooperation and the vital role of the private sector. We couldn’t agree more, and we look forward to collaborating with individuals, industry, non-profits, and the government to help ensure that Australia’s society and economy is protected from malicious cyber threats.

The Strategy outlines six shields – six layers of defense against cyber attacks, with Australian businesses and individuals in the center (where they should be). Here’s where we think Cloudflare can play a role in each of the shields:

The Strategy rightly focuses on helping those individuals and organizations that typically do not have the capability or resources to employ basic cybersecurity tools. We agree that supporting the most vulnerable is a crucial goal as these groups are often powerless to protect themselves against relentless attacks. A 2023 survey by the Australian Cyber Security Center shows that 62% of surveyed Small Medium Enterprises (SMEs) were victims of a cyber attack. Cloudflare’s recent survey of nearly 4000 security leaders across Asia Pacific shows that 81% of medium and 77% of small-sized organizations suffered a cybersecurity incident over the previous 12 months.

Here we believe we have a lot to offer. Our mission is to help build a more secure, more private and more reliable Internet. A key part of that mission is democratizing cybersecurity – making cyber tools readily available for all, including SMEs, non-profits, and individuals. For example, our free plan makes available our world-leading DDoS and WAF protection for millions of websites, apps, and APIs all around the world, including in Australia. We provide our suite of Zero Trust Tools for free to organizations with up to 50 users (more on Zero Trust below).

We also offer our world-leading, Enterprise-level cyber protection products and services at no cost to the most vulnerable populations, including human rights organizations, journalists and healthcare organizations. One example of this is Citizens of the Great Barrier Reef, which is a participant of Cloudflare’s Project Galileo. Through Project Galileo, they have access to our most advanced cybersecurity tools and support — freeing them to focus on their mission.

We agree with the Strategy’s push for Secure-by-Design and Secure-by-Default technology – these are in fact our core principles when developing our products and services in order to improve security for our end users automatically. We’ve taken this approach in deploying Web Application Firewall (WAF) protections for all of our users, such as the steps we took to protect our customers (including our free plan customers) against the log4j vulnerability, and in creating a machine-learning computed WAF attack score that enables customers to block likely attacks, even when they don’t match existing attack signatures.

This shield also notes both the opportunities and challenges brought by critical emerging technologies, such as quantum computing and artificial intelligence (AI). Cloudflare is getting ready for the quantum future – in order to protect against possible attacks from quantum computers, we believe that post-quantum cryptography tools should be readily available. In late 2022, we announced that by default, all websites and APIs served through Cloudflare, including those on our free plan, support post-quantum hybrid key agreement.

We also provide tools that help ensure that AI can be used securely. Given the incredible growth in this space, it’s critical that businesses can ensure that they are able to leverage AI innovation and growth — and doing so both securely and safely.

We applaud the government’s efforts to strengthen threat sharing and threat blocking. For threat intelligence to be effective across sectors and industries, there needs to be a flow of information not only between government and industry, but also between industry peers. The support in the strategy for developing Information Sharing and Analysis Centers (ISACs) will help create a threat sharing culture within industry and support Australia to build a more mature cybersecurity ecosystem.

Cloudflare has supported ISACs to understand the impact of emerging vulnerabilities. One recent example concerned the HTTP/2 Rapid Reset Vulnerability, which resulted in record-breaking DDoS attacks. By working with our peers and sharing the latest insights we were able to help member organizations proactively protect themselves and their users.

This shield focuses on critical infrastructure (CI) – those institutions vital to the nation’s functioning. Cloudflare understands the crucial importance of protecting CI: many of our customers are CI in their respective jurisdictions, including in Australia. Our tools help keep them, and those that rely on them, secure. For example, we mitigated threats to our customers when Anonymous Sudan and Killnet attacked and issued threats to Australian universities, airports, and hospitals in March 2023.

Equally concerning are the smaller critical infrastructure organizations that are the foundation of our communities: the neighborhood hospital, regional water treatment facility, and local energy provider that meet our basic needs like keeping the lights on and clean water running. Also vital, and noted in the Strategy – the small-yet-crucially-important companies that form the supply chains of our nationwide critical systems. These smaller organizations frequently lack the know-how and financial resources to deploy basic cyber security, let alone best-in-class cybersecurity tools and services. We felt that we could step up to help meet this crucial gap, so at the end of 2022, we launched Project Safekeeping in Australia and other global markets, providing no-cost and no-time limit Enterprise-level cybersecurity products for these critical entities.

Finally, we applaud the Strategy’s goal to strengthen the overall cyber posture of the Australian Commonwealth government, in particular by developing a Zero Trust culture. Zero Trust is generally considered a best practice in cybersecurity – the belief that organizations should not trust based on relationship to a perimeter (such as if someone is in the office), but instead must verify everything and everyone trying to connect to its systems before granting access. Zero Trust principles are being implemented successfully across the private sector and governments, and a Zero Trust strategy will certainly help uplift the security maturity and posture of Australia and its government.

Cloudflare is already providing our world-leading Zero Trust tools and services to government departments across Australia, both state and federal. For example, Australia’s National Disability Insurance Agency (NDIS) utilizes Cloudflare’s suite of security products to protect their environment and provide secure access into their application ecosystem.

This shield focuses on the essentials for having a diverse and professional cyber workforce in order to foster a vibrant Australian cyber ecosystem. Cloudflare also strives for a diverse workforce in order to have better business outcomes. To improve diversity across departments and roles, we rely on inclusive recruiting practices to help ensure a fair process, and we train employees on mitigating unconscious bias. In Australia, we actively foster diversity in cyber through internal associate programs designed to promote diverse groups into cyber engineering roles. We also run a series of external workshops and sessions aimed at the broader Australian women in cyber community, in order to foster greater learning and networking opportunities in this traditionally male-dominated sector.

As a global company whose mission is to help build a better Internet, we believe it is vitally important for the international community to defend a free and open Internet. We were thrilled to see the Strategy acknowledge this as a key pillar of Australia's cyber diplomacy. A free and open Internet is, in fact, both safer – as global knowledge is necessary to stop attacks that could come from anywhere in the world; and more resilient, as the Internet needs multiple global connection points to ensure that cyber attacks do not impact Internet access.

In addition, we fully agree with the Strategy that global technology markets should be competitive, reflecting a diverse pool of technology vendors. We strongly believe in the importance of having a vibrant security ecosystem, where different security providers can help mitigate the risk of services being compromised, helping to avoid security events.

Finally, this shield recognizes that international cyber standards must be harmonized. As a cybersecurity technology provider that adheres to multiple cybersecurity standards all around the world, we couldn’t agree more. Overlapping and redundant standards are a massive operational burden that do not equate to greater levels of security. However, onerous compliance regimes do prevent governments from having the best security technology available, given that many companies, particularly SMEs, simply can’t afford the high costs associated with numerous cybersecurity certifications.

We are thrilled to support Australia’s mission to be a world cyber leader by 2030. We look forward to our continued collaboration with the Australian government and industry in order to help ensure that everyone – from critical infrastructure, government, SMEs, nonprofits, to Australian citizens – can be more secure.

Over the last few years, Zero Trust, a term coined by Forrester, has picked up a lot of steam. Zero Trust, at its core, is a network architecture and security framework focusing on not having a distinction between external and internal access environments, and never trusting users/roles.

In the Zero Trust model, the network only delivers applications and data to authenticated and authorized users and devices, and gives organisations visibility into what is being accessed and to apply controls based on behavioral analysis. It gained popularity as the media reported on several high profile breaches caused by misuse, abuse or exploitation of VPN systems, breaches into end-users’ devices with access to other systems within the network, or breaches through third parties — either by exploiting access or compromising software repositories in order to deploy malicious code. This would later be used to provide further access into internal systems, or to deploy malware and potentially ransomware into environments well within the network perimeter.

When we first started talking to CISOs about Zero Trust, it felt like it was just a buzzword, and CISOs were bombarded with messaging from different cybersecurity vendors offering them Zero Trust solutions. Recently, another term, SASE (Secure Access Services Edge), a framework released by Gartner, also came up and added even more confusion to the mix.

Then came COVID-19 in 2020, and with it the reality of lockdowns and remote work. And while some organizations took that as an opportunity to accelerate projects around modernising their access infrastructure, others, due to procurement processes, or earlier technology decisions, ended up having to take a more tactical approach, ramping up existing remote access infrastructure by adding more licenses or capacity without having an opportunity to rethink their approach, nor having an opportunity to take into account the impact of their employees’ experience while working remotely full time in the early days of the pandemic.

So we thought it might be a good time to check on organizations in Asia Pacific, and look at the following:

• The pandemic’s impact on businesses

• Current IT security approaches and challenges

• Awareness, adoption and implementation of Zero Trust

• Key drivers and challenges in adopting Zero Trust

In August 2021, we commissioned a research company called The Leading Edge to conduct a survey that touches on these topics. The survey was conducted across five countries — Australia, India, Japan, Malaysia, and Singapore, and 1,006 IT and cybersecurity decision-makers and influencers from companies with more than 500 employees participated.

For example, 54% of organisations said they saw an increase in security incidents in 2021, when compared to the previous year, with 83% of respondents who experienced security incidents saying they had to make significant changes to their IT security procedures as a result.

Increase in security incidents when compared to 2020. ▲▼ Significantly higher/lower than total sample

And while the overall APAC stats are already quite interesting, I thought it would be even more fascinating to look at the unique characteristics of each of the five countries, so let’s have a look:

Australian organisations reported the highest impact of COVID-19 when it comes to their IT security approach, with 87% of the 203 respondents surveyed saying the pandemic had a moderate to significant impact on their IT security posture. The two biggest cities in Australia (Sydney and Melbourne) were in lockdown for over 100 days, each in the second half of 2021 alone. With the extensive lockdowns, it’s not a surprise that 48% of respondents reported challenges with maximising remote workers’ productivity without exposing them or their devices to new risks.

With 94% of organisations in Australia having reported they will be implementing a combination of return to office and work from home, building an effective and uniform security approach can be quite challenging. If you combine that with the fact that 62% saw an increase in security incidents over the last year, we can safely assume IT and cybersecurity decision-makers and influencers in Australia have been working on improving their security posture over the last year, even though 40% of respondents indicated they struggled to secure the right level of funding for such projects.

Australia seems to be well advanced on the journey into implementing Zero Trust when compared to other four countries included in the report, with 45% of the organisations that have adopted Zero Trust starting their Zero Trust journey over the last one to four years. Australian organisations have always been known for fast cloud adoption, and even in the early 2010s Australians were already consuming IaaS quite heavily.

When compared to the other countries in the report, India has a very challenging environment when it comes to working from home, with Internet connectivity being inconsistent, even though there’s been significant improvement in internet speeds in the country, and problems like power outages regularly occurring in certain areas outside of city centres. Surprisingly, the biggest challenge reported by Indian organisations was that they could benefit from newer security functionality, which goes to show that legacy security approaches are still widely present in India. Likewise, 37% of the respondents reported that their access technologies are too complex, which supports the previous point that newer security functionality would be beneficial to the same organisations.

When asked about their concerns around the shift in how their users will access applications, one of the biggest concerns raised by 59% of the respondents was around applications being protected by VPN or IP address controls alone. This shows Zero Trust would fit really well with their IT strategy moving forward, as controls can now be applied to users and their devices.

Another interesting point to make, and where Zero Trust can be leveraged, is 65% of respondents saying internal IT and security staff shortage and cuts is a huge challenge. Most security technologies out there would require special skills to build, maintain and operate, and this is where simplifying access with the right Zero Trust approach could really help improve the productivity of those teams.

When we look at the results of the survey across all five countries, it’s fairly obvious that Japan didn't seem to have quite the same challenges as the other countries when the pandemic started. Businesses continued to operate normally for most of 2020 and 2021, which would explain why the impact wasn’t in line with the other countries. Having said that, 51% of the respondents surveyed in Japan still reported they saw a moderate to significant impact in their IT security approach, which is still significant, even though lower than the other countries.

Japanese organisations also reported an increase in the number of security incidents, which supports the fact that even though the impact of the pandemic wasn’t as severe as in other countries, 45% of the respondents still reported an increase in security incidents, and 63% still had to make changes to their IT security procedures as a direct result of incidents.

Malaysia rated second highest (at 80%) in our report on the impact the pandemic has had on organisations’ IT security approach, and rated highest on both employees using their home networks and using personal devices for work, at 94% and 92% respectively. From a security perspective, that poses a significant impact to an organization's security posture and increases the attack surface for an organisation substantially.

From a risk perspective, Malaysian organisations rated lack of management over employees’ devices pretty highly, with 65% of them expressing concerns over it. Other areas worth calling out were applications and data being exposed to the public Internet, and lack of visibility into staff activity inside applications.

With 57% of the respondents calling out an increase in security incidents when compared to the previous year, 89% of the respondents said they had to make significant changes to their IT security procedures due to either security incidents or attack attempts against their environments.

In Singapore, 79% of IT and cybersecurity decision-makers and influencers reported that the pandemic has impacted their IT security approach, and two in five organisations said they could benefit from more modern security functionality as a direct result of the impact caused by the pandemic. 52% of the organisations also reported an increase in security incidents compared to 2020, with almost half having seen an increase in phishing attempts.

Singaporean organisations were also not immune to a significant increase in IT security spend as a direct result of the pandemic, with 62% of them having reported more investment in security. Some of the challenges these organisations were facing were related to applications being directly exposed to the public Internet, limited oversight on third party access and applications being protected by username and password only.

While Singapore is known for high speed home Internet, it was quite a surprise for me to see that 40% of organisations surveyed reported issues with latency or slow connectivity into applications via VPN. This goes to show that the problem of concentrating traffic into a single location can impact application performance even across relatively small geographies, and even if bandwidth is not necessarily a problem, like what happens in Singapore.

While there were distinct differences in each country around IT security posture and Zero Trust adoption, across Asia Pacific, the similarities are what stand out the most:

• Cyberattacks continue to rise

• Flexible work is here to stay

• Skilled in-house IT security workers are a scarce resource

• Need to educate stakeholders around Zero Trust

These challenges are not easy to tackle, add to these the required focus on improving employee experience, reducing operational complexities, better visibility into 3rd party activity, and tighter controls due to the increase in security incidents, and you’ve got a heck of a huge responsibility for IT.

And this is where Cloudflare comes in. Not only have we been helping our employees work security throughout the pandemic, we have also been helping organisations all over the globe streamline their IT security operations when it comes to users accessing applications through Cloudflare Access, or securing their activity on the Internet through our Secure Web Gateway services, which even includes controls around SaaS applications and browser isolation, all with the best possible user experience.

So come talk to us!