With six major data breaches in October 2022 alone, it is becoming clear that Aussie firms have become targets for a new ‘cyber’ take on age-old crime. Traditional offences such as theft, blackmail and ransom attempts have migrated to the cyber realm, and all signs show that cybercrime will not be slowing down.
So, what are these new-age cyber criminals looking for? Primarily, highly valuable personal or business information which they hope to translate into financial gain. Foreign criminal groups attempt to exploit vulnerabilities in Internet-facing systems and then sell the stolen data to other cyber criminals. This “business model” can be seen in the many recent data breaches affecting Australian organisations.
What is the state of cybersecurity in Australia?
In the case of the Medibank Private breach, attackers combined information previously discovered by other threat actors with insidious scanning techniques, then lay in wait for new vulnerabilities to exploit. Once vulnerabilities were discovered, they pounced and exploited them in an attempt to extract a ransom for the stolen information. Judging by all these recent breaches, such a “business model” reaps business-crippling dividends.
Breaches have the potential to wallop organisations with a double whammy of cost and expenditure. When a business is breached or held to ransom, management has to deal with angry customers whose data were leaked, regulatory watchdogs hounding for resolution and fines, and social media abuzz with irate mud-slinging, all while juggling technical mitigation and public relations. What does this mean? Money. Lots of money.
The increased frequency and severity of these breaches carry many significant implications: confidential information lost into the wild, financial loss due to ransom payouts, lost business due to an exodus of clients, operational interruptions, and damage to reputation.
Apart from costs due to regulatory fines and legal fees, your organisation may need to fork out more money for tasks which include investigation, response, and data restoration.
Cyber insurance has become an essential instrument in companies’ risk management frameworks. In the case of Medibank Private’s breach, the company announced that it would provide a cybercrime customer support package, promising assistance including financial support for hardship and reimbursement of fees for affected clients.
Know thy enemies
Australian organisations and businesses should seek to understand more about their attackers and develop countermeasures and preventive measures. Recent data breaches make it obvious that attackers are using continuous, automated tools to look for weaknesses in Internet-facing production applications. Organisations can flip the table with an active defence: watch for any suspicious sign and mitigate it immediately.
A carefully chosen dynamic application security testing (DAST) solution will ensure organisations’ publicly facing web applications, and any application programming interfaces (APIs) within those web applications, are being continuously monitored for new vulnerabilities.
Hammer with the law
The lack of sufficient penalties and accountability in Australia has made businesses more attractive targets for cyber criminals, highlighting the need for a far more vigorous approach to cybersecurity. In response to the latest breaches, regulators are planning to introduce new laws to parliament that increase penalties for companies that suffer data breaches.
These changes will raise maximum penalties for serious or repeated privacy breaches from the current A$2.22 million (US$1.4 million) to upward of A$50 million, three times the value of the benefit obtained through the misuse of information, or 30% of turnover in the relevant period. This is a step in the right direction in terms of placing emphasis on cybersecurity, but more needs to be done at the organisational level to fight this ever-growing issue.
What tips can firms use to strengthen cybersecurity?
At an organisational level, there are many different ways to strengthen cybersecurity that will deter or even prevent potential attacks. Here is a practical, low-cost checklist for organisations to protect themselves from attacks. (Source: AICD CSCRC)
Set clear roles and responsibilities
Consider whether a director or the board should take a more active role in overseeing cyber security, so that security is driven from the top. Once cyber threats are understood as an organisational issue, measures to avoid such attacks are far more likely to be taken.
Throughout the organisational chart, document wherever possible who is responsible for the firm’s cyber security. This ensures that someone is across, and accountable for, everything cyber security related within the organisation.
Develop, implement and evolve a strategy
Sweeping through the firm, it is important to identify both the cyber security strengths and weaknesses of the organisation so that the strategy is tailored to the threats it actually faces. It may be wise to engage a “red team” of reputable external assessors and consultants, rather than relying only on your in-house team, to round out your cyber resilience strategy and actions.
Establishing an access control system that determines who should have access to what is important for identifying and restricting access, as no system or data should be available to everyone. For example, employee and customer data should be accessed only by the relevant stakeholders. Further, work out the minimum data you actually need, rather than collecting more than you will ever need or use. The less data you host, the less risk you carry.
Embed cybersecurity in existing risk management practices
At a base level, anti-virus should be kept up to date to ensure maximum coverage. Likewise, apps and operating systems (OS) should be patched and updated. As phishing is such a prominent means of introducing malware into systems, restricting access to social media and external email accounts on company devices can potentially save organisations from attacks.
Implementing multi-factor authentication is another step in reducing attacks. In addition to a username and password, access requires another piece of information, such as a code sent to the user’s phone. This ensures only authorised employees are able to access systems and email. Maintaining offline backups of key data can also save a lot of hassle.
Ensuring that departing employees, transitional staffers and volunteers no longer have access to systems and passwords is critical to maintaining security and data integrity.
Promote a culture of cyber resilience
Regular, repeated cyber security training and awareness for all employees is also essential, as employees who understand cyber security are more likely to help protect the firm against attacks. Promoting strong email hygiene is vital, as more than 90% of successful cyberattacks start with a phishing email. Mandating phishing testing for all employees is another strategy that can help mitigate the risk of attacks.
With employees who understand what potential phishing emails look like, the odds of them falling for actual phishing attempts decrease dramatically.
Plan for a significant cybersecurity incident
Use available templates if appropriate. Beyond just a plan, ensure that regular, scheduled and even unscheduled simulation exercises are carried out to test and hone cyber readiness within your business. Ensure physical back-ups of key data and systems are regularly updated and securely stored, including off-site. Maintain offline lists of who can assist in the event of a cyber security incident and which key stakeholders need to be informed.
Keep things simple
It is also worth noting that complex environments, data and software make your applications more prone to vulnerabilities and increase security risk. Aim to simplify even the most complex configurations and setups, and test them.
Agile through DevSecOps
Agile processes can give you velocity, but it can be difficult to insert sufficient security processes without slowing down development. So turn mere DevOps into DevSecOps.
Bake security in code
For an active defence posture, compliance isn’t enough. Build security into your software across the development lifecycle to protect from threats that get smarter with each attack.
Awareness is a good start, but the steps that follow will dictate how likely firms are to fend off potential breaches. Having a system in place to prevent attacks, like the 8 tips outlined here, will significantly decrease the odds of a breach and strengthen any firm’s cyber defence.
However, we must be mindful that cyber attackers are becoming increasingly sophisticated. Implementing a system of prevention can deter such breaches, but it is not a definite counter to the constantly evolving arsenal of cyber attackers.
For more comprehensive coverage, firms must secure entire systems throughout the software supply chain and software development workflows. Going beyond the prevention of attacks and building software right will grant organisations a truly comprehensive defence against sophisticated attacks, and a strengthened grip on organisational cybersecurity.