Strengthening Australia’s cyber security regulations and incentives

Discussions abound on mandating the reporting of ransomware attacks and payment demands, to the point where a private member's bill has been submitted that would make such reporting mandatory.

Businesses need some external pressure to fully acknowledge the risk of ransomware, to take appropriate steps to protect against it, to report incidents and to avoid paying.

Mimecast’s State of Email Security 2021 report shows ransomware having a massive and growing impact on Australian businesses, yet many remain ill-prepared to defend themselves.

Key insights from Australian businesses in the report

  • 64% experienced business disruption from ransomware, an increase from 48% in 2020.
  • 54% paid the ransom, but only 76% of these recovered their data after paying.
  • Only 51% of businesses surveyed have a cyber resilience strategy in place.
  • 76% were hurt by their lack of cyber preparedness, up from 62% in 2020.

In the absence of regulation such as mandatory reporting, a business hit by ransomware will make decisions that it judges to deliver the best outcome and best value for its shareholders.

That may not be in the best interests of its suppliers, its customers or the community at large.

Secrecy about ransomware incidents hides the true extent and cost of the problem and limits understanding of the techniques used and of the perpetrators.

That lack of understanding compromises efforts to thwart future ransomware attacks effectively.

There is a great need for better training and awareness of cyber threats and risks across all workers, in both the private and public sectors, who have access to the Internet at their workplace or remotely, given how geographically scattered many companies now are.

Much of the training currently provided is ineffective because lessons delivered once are soon forgotten.

Companies with best-practice employee cyber awareness training share a common trait: they adopt continuous learning and reinforcement as part of their approach.

It is therefore important for companies to use awareness and training to change security behaviours, rather than treating training as a compliance exercise.

Mimecast’s State of Email Security 2021 survey found that only 25% of companies practise ongoing cyber awareness training, and that 45% deliver training only quarterly or even less frequently.

This is despite the deception of employees being one of the most common attack vectors.

69% of respondents had been hit by an attack initiated by compromising a user, and 69% of the respondents believe that risky employee behaviour is putting their companies at risk.

By far the most common means of compromising employees is email deception, and it has surged during the pandemic, with 66% of Australian organisations seeing an increase in the volume of email-related attacks involving phishing with malicious links or attachments.

19% of respondents had no email security system at all, leaving them vulnerable to attacks.

This is a bone-chilling state of affairs.

What cyber security support, if any, should be provided to directors of SMBs? Are education and awareness initiatives for business executives required? What should they look like?

There is certainly a need to raise awareness and understanding of cyber issues and cyber risk among senior business leaders, even though Australia has no mandatory requirement for company directors to hold any certification proving their cyber security competence.

Business executives can, however, seek the certifications offered by the Australian Institute of Company Directors (AICD), which are readily available, highly regarded and sought after.

They include a course that focuses on the board’s role in cyber security. 

In today’s world, knowledge and understanding of cyber issues and cyber risk are as fundamental to business as understanding finance and financial risk.

There therefore needs to be some means for senior business leaders to acquire, and be recognised as possessing, a certain level of understanding of cyber issues.

Certified recognition of executives’ knowledge of cyber security would need to rank equally in importance with understanding of the more traditional aspects of a director’s role.

This is especially true when viewed through the risk lens of a director.

Such training is unlikely, however, to raise the level of cyber awareness and expertise in smaller companies whose directors are qualified by experience rather than by AICD qualifications.

They are unlikely to see the merit in dedicating time to gaining such qualifications.

Many of these business executives are time-poor and already swamped as they navigate changing business conditions and the elevated threat landscape caused by the pandemic.

The government should consider initiatives that increase the profile and prominence of programs and materials available that deal with cyber issues and cyber risk for SMEs.

Without it, a truly resilient supply chain will not be achieved.

Responsible disclosure policies

Would voluntary guidance encourage Australian businesses to implement responsible disclosure policies? If not, what alternative approaches should be considered?

Software vendors have an increased focus on security by design, but this can be unwittingly compromised in the quest to release new products and features quickly.

Speed to market usually trumps the cost of slowing down to build secure software.

Software vendors therefore rely on fixing vulnerabilities rapidly once they are discovered, whether by the vendor itself or by third parties.

This urgency to find and fix security vulnerabilities is evidenced by some vendors offering bounties to third parties who proactively find and report them.

Voluntary disclosure works when the vendor has the right ethics and approach in place.

Even so, with the pace at which malicious attacks, including ransomware, are increasing, the speed of disclosure is as critical as the act of disclosing and fixing a vulnerability.

With this in mind, mandatory vulnerability disclosure, similar to mandatory ransomware reporting, could be of benefit in creating a consistent approach to cyber security regulation and attitudes across industries, from those creating software to those using it.

In short, while voluntary disclosure could work, given the tsunami of cyber attacks currently being experienced, a mandatory regime will get us closer to where we need to be, faster.

Health checks for small businesses

Would a cyber security health check program improve Australia’s cyber security? If not, what other approach could be taken to improve supply chain management for small businesses?

Would small businesses benefit commercially from a health check program? How else could we encourage small businesses to participate in a health check program? Is there anything else we should consider in the design of a health check program?

Mimecast supports the introduction of a cyber security health check program for SMBs.

Such a program could be essential in raising the cyber security posture of individual businesses, while also raising awareness of the importance of good cyber security practices among small businesses generally.

Small businesses that lack cyber expertise are increasingly becoming the weak link in supply chains that can extend to organisations responsible for critical infrastructure.

Widespread uptake and awareness of such a scheme could result in SMBs that were ‘health checked’ being looked upon more favourably when seeking contracts with larger companies.

This would further drive uptake and lift Australia’s overall cyber security posture.

The scheme should be structured and implemented so that small businesses are not deterred from participating by fear of having failures discovered and placed on record, where they could come to light in the aftermath of a future cyber security incident.

Questions that would need to be addressed

Who would administer the scheme? How would it be funded?

If businesses are expected to pay, they would need to be convinced of the scheme’s merits, both through increased cyber resilience and the cachet of gaining certification.

How can SMEs be assisted to be ‘cyber healthy’ and strengthen their cyber security posture?

With many SMEs time- and cash-poor, any health check initiative needs to be combined with a health and fitness program for those businesses found wanting by the check.

In essence, a cyber security health and fitness program could be similar to the healthcare programs provided in varying degrees by different countries around the world.

An SMB Cyber Health Program could be delivered as a partnership between the private, public and tertiary sectors, offering a service that is free for the first period of engagement.

SMBs could have their cyber health diagnosed, gaps identified and measures put in place to achieve the SMB Cyber Health standard without making an upfront investment.

To maintain their accreditation after the first year of engagement, small and medium businesses could then buy the ongoing SMB Cyber Health service at a competitive cost.

This would support education and provide practical experience for students, uplift the cyber security posture of SMBs at scale and provide a sustainable way to maintain accreditation.

Ultimately, this initiative would help to harden supply chains and reduce risk.

This is an overview of a scheme that could have a real and positive impact across all industries, but it requires deep consultation and investigation to build the right structure around it.

It is one example of a practical pathway that could deliver the baseline accreditation needed for SMBs to achieve satisfactory cyber security standards.

Furthermore, businesses shown to be time- and cash-poor, especially in the current pandemic business climate, would not need to pay an upfront cost.

Other issues

Cyber attacks have become a constant mainstream threat to the business and personal lives of all Australians, with hard realities and damaging consequences.

Avoiding and dealing with real-world dangers has been the subject of extensive and successful Australian government-funded awareness campaigns in the past.

Two prime examples for consideration are the ‘Slip, Slop, Slap’ campaign, which began in the 1980s to encourage protection against skin cancer, and Metro Trains Melbourne’s iconic “Dumb Ways to Die” campaign to encourage safety around its trains and stations.

At Mimecast, we believe that a similarly broad, educational and engaging campaign that puts responsible cyber security practices on the mainstream agenda is long overdue.

The campaign’s primary target should be consumers and small businesses with minimal or no IT skills, raising awareness of the practical steps that can be taken to protect against cyber attacks and of the actions to take when attacked.

If executed effectively, the mainstream messaging and communication channels of such a campaign would have a flow-on effect into larger businesses and the public sector.

By far the biggest cyber security danger in Australia is ransomware.

Available statistics show that more effort is needed to equip organisations with proper defences against agile and enterprising attackers.

Mimecast’s State of Email Security 2021 Report found that 64% of respondents had experienced business disruption from ransomware which is a big increase from 48% in 2020.

And of the 54% that paid the ransom, only 76% recovered their data after paying.

However, these figures reveal neither the full extent nor the true cost of the problem, given the commonly held wisdom that many organisations pay ransoms, do not report them, hope that their data is unlocked and so unwittingly perpetuate the problem.

In order to combat ransomware effectively it is critically important for organisations to have better knowledge of the ransomware’s scale, the perpetrators and their techniques.

Such information can be gained if companies report details of attacks to a central body.

Reporting ransomware attacks and payments should be mandatory, but the government must clarify the legality of such payments, as the March 2021 report Locked Out: Tackling Australia’s ransomware threat clearly stated that in some cases paying is illegal.

That report describes ransomware as “posing the highest cyber security threat as it requires minimal technical expertise, is low cost and can result in significant impacts to a business.”

Cyber security costs to society include ransom payments, yet the discussion paper makes no other request for input on how ransomware should be combated by organisations.

Mandatory reporting, if implemented, must be done in such a way that it does not inadvertently push the problem further underground and undermine its own intent.

The insurance industry will therefore need to be consulted in order to achieve clarity on what will and will not be covered if reporting is made mandatory.

If mandatory reporting were introduced, would insurance still cover ransomware payments, remediation and recovery, and reputational and financial damage?

It is our view that the recent increased focus on ransomware in media and political discussion needs to morph into clear, actionable regulations that give businesses, regardless of size, and public sector organisations clear guidance and reporting requirements.

If left to individual organisations, the result will be short, narrowly focused actions; reporting will be sometimes nonexistent and sometimes painstaking; and no real long-term gains will be made.

On the flip side, clear parameters, education and measurement can drive tangible outcomes.

Nicholas Lennon is the Country Manager for Australia and New Zealand at Mimecast