The Federal Court has found RI Advice, an Australian Financial Services licensee, guilty of breaching its license obligations to act efficiently and fairly when it failed to have the appropriate cyber risk management systems to effectively manage its cybersecurity risks.
What does the Federal ruling mean?
This sets a new precedent as businesses learn that they can be held accountable by the government for negligence when it comes to their cybersecurity posture.
One of the incidents detailed by ASIC was a brute force attack by a malicious actor that gave them access to the file server of an authorised representative, which went undetected between December 2017 and April 2018. According to ASIC, this incident resulted in the potential compromise of confidential and sensitive personal data of several thousand clients.
Brute force attacks consist of attackers submitting many passwords or passphrases in the hope of eventually guessing correctly. Implementing multi-factor authentication such as two-factor authentication, which requires a factor in addition to the username and password before access is granted, could have put a stop to the brute force attack that occurred.
For example, an attacker would also need an authentication code from a certified app or an SMS code alongside the password; this makes it far more difficult for cybercriminals to access your files.
How was the attack avoidable?
This attack could also have been prevented by implementing an account lockout after several unsuccessful login attempts. Brute force attacks are commonly carried out by automated bots, and a highly effective way to stop them is to enable CAPTCHA, which renders bots ineffective. Finally, it is best practice to have your information security team regularly monitor server logs to discover any suspicious activity, such as a sustained run of failed logins against one account or from one source.
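As an added example (not code from the article or from StickmanCyber), the following Python script shows how two of the controls described above, an account lockout after repeated failures and routine review of authentication logs, can be expressed as detection logic. The log format, the thresholds and the sample lines are constructed for illustration. It also goes a step beyond the text by counting failures per source address, which surfaces an attacker who spreads attempts across many accounts and so never trips a per-account lockout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the RI Advice case).
# Assumed layout: "<ISO timestamp> <FAIL|OK> <username> <source ip>".
# 198.51.100.7 hammers one account; 192.0.2.33 tries one guess per account.
SAMPLE_LOG = """\
2017-12-03T02:14:01 FAIL alice 198.51.100.7
2017-12-03T02:14:03 FAIL alice 198.51.100.7
2017-12-03T02:14:05 FAIL alice 198.51.100.7
2017-12-03T02:14:07 FAIL alice 198.51.100.7
2017-12-03T02:14:09 FAIL alice 198.51.100.7
2017-12-03T02:14:11 OK alice 198.51.100.7
2017-12-03T02:20:00 FAIL bob 203.0.113.9
2017-12-03T02:20:30 OK bob 203.0.113.9
2017-12-03T02:40:00 OK alice 203.0.113.5
2017-12-03T03:00:01 FAIL carol 192.0.2.33
2017-12-03T03:00:02 FAIL dave 192.0.2.33
2017-12-03T03:00:03 FAIL erin 192.0.2.33
2017-12-03T03:00:04 FAIL frank 192.0.2.33
2017-12-03T03:00:05 FAIL grace 192.0.2.33
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, result, user, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def evaluate(events, max_failures=5, window=timedelta(minutes=10),
             lockout=timedelta(minutes=15)):
    """Replay events through an account-lockout policy.

    Returns (decisions, lockouts): one (ts, user, ip, decision) per event, where
    decision is ALLOW, DENY (wrong password) or LOCKED (rejected because the
    account is locked, even if the password was right), plus a list of
    (user, locked_until) lockouts that were triggered.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked_until = {}             # user -> datetime the lock expires
    decisions, lockouts = [], []
    for ts, result, user, ip in sorted(events):
        until = locked_until.get(user)
        if until is not None and ts < until:
            decisions.append((ts, user, ip, "LOCKED"))
            continue
        if result == "OK":
            recent[user].clear()   # a genuine login resets the failure counter
            decisions.append((ts, user, ip, "ALLOW"))
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        decisions.append((ts, user, ip, "DENY"))
        if len(q) >= max_failures:
            locked_until[user] = ts + lockout
            lockouts.append((user, ts + lockout))
            q.clear()
    return decisions, lockouts


def failures_by_source(events, window=timedelta(minutes=10), threshold=5):
    """Flag source IPs with at least `threshold` failures inside any window.

    Per-account lockout misses an attacker who makes one attempt per account,
    so this complementary view groups failures by origin instead of by user.
    Returns {ip: peak failures seen in one window}.
    """
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "FAIL":
            by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        q, peak = deque(), 0
        for t in sorted(times):
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            peak = max(peak, len(q))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    decisions, lockouts = evaluate(evs)
    for ts, user, ip, decision in decisions:
        print(f"{ts.isoformat()} {user:6} {ip:14} {decision}")
    print("lockouts:", lockouts)
    print("source alerts:", failures_by_source(evs))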
With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyberattack, it is more a question of when an attack will occur. Businesses, regardless of their size, type, and industry, need to enhance their cyber resilience.
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to prevent cybersecurity incidents and help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight.
I recommend that businesses implement these strategies at the bare minimum to make it harder for adversaries to compromise their systems. Businesses need to learn from RI Advice and prioritise the enhancement of their cybersecurity posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department.
Ajay Unni is the founder of StickmanCyber, a business that helps companies mitigate their cyber-security risks. Ajay named the company after the countless stick figures he used in flow charts throughout his years in the software and cyber-security industry. Ajay Unni has over 30 years' IT industry experience, with over 15 years as a cyber-security specialist.