They don’t declare battle, they just attack – with disastrous results for businesses and individuals. Cybercrime is one of the biggest threats facing business but you can be prepared.
If you’ve ever wondered whether your company – or even you personally – could fall victim to cybercrime, Abigail Bradshaw has the answer. “Anyone who is connected to the internet is vulnerable,” says Bradshaw, head of the Australian Cyber Security Centre (ACSC). “Australians are attractive targets to malicious cyber actors – we have great digital uptake and a relatively wealthy population.” And the massive shift to remote working and increased personal use of digital communications during the pandemic has seen a wider “attack surface” for malicious actors and, in turn, a surge in cybercrime.
During the 2020-2021 financial year, the ACSC received more than 67,500 cybercrime reports – equating to one report of an attack every eight minutes. “The vast majority of those reports were lodged by businesses,” says Bradshaw. “Even the smallest cyber incident can be absolutely devastating for a business.”
Ransomware is one of the biggest dangers, she says. “It’s growing in sophistication and being commercialised by malicious actors as an off-the-shelf product that can be used by a wide variety of other, geographically dispersed malicious actors.” It’s known as RaaS – ransomware as a service – and the low-skilled affiliates who rent it are arguably more dangerous than the developers, because they often lack the know-how to undo the havoc they have wrought even after a ransom is paid. “Last year, we had nearly 500 ransomware cybercrime reports; that’s an increase of 15 per cent on the previous financial year.”
More than $33 billion in losses from cybercrime were reported in Australia last financial year and Bradshaw agrees that the number of attacks reported to the ACSC is likely to be only a fraction of the “attacks, reconnaissance and data theft that’s actually going on”. But, she adds, “small measures, particularly when done en masse, can make a significant difference to the Australian ecosystem”. Here, five cybersecurity experts reveal the must-dos for business.
1. You must control access to your data
Vikram Sharma, founder and CEO, Quintessencelabs
“Whether you’re a large corporation or an SME, you need to have a strong level of control over the data that you’ve been entrusted with,” says Vikram Sharma, whose Canberra-headquartered data security firm has been hailed as a technology pioneer by the World Economic Forum, where he’s a member of the Global Future Council on Cybersecurity. “Businesses have a significant amount of sensitive information – including intellectual property, employee data and financial, strategy and customer information – that needs to be well-protected.”
Data-access controls must govern not only who is authorised to read data but also who is able to modify it. Strong authentication is critical to ensure that authorised users are who they claim to be and that they can perform only the operations they have been permitted to, he says. That might mean view-only permissions, or restricting each user to a subset of the data.
There’s a “litany of examples”, says Sharma, where “had such controls been properly implemented, the impact of the hackers’ actions would have been mitigated”. Security breaches of customer data are common. “But if you’ve protected your data well and encrypted sensitive information, even if the adversary were able to breach your systems, get malware sitting inside your networks and sniff around for sensitive information and leak it, it won’t be of any value because it’s encrypted.”
The first step is a thorough data audit, which is challenging given that most companies have a patchwork of providers holding their data. “Many organisations aren’t aware of all the data they hold and have limited visibility from a central perspective,” says Sharma. “You might have equipment from IBM and Hewlett-Packard for processing; EMC and NetApp for storage; and software from Oracle and SAP for the cloud. You need to control the encryption keys to the castle very well.”
That includes carefully segmenting the data and implementing strong security policies and access levels. Real-time audit logs can feed into analytics tools, flag deviations from normative behaviour and proactively shut down access before malicious actors can take another step.
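To make the controls Sharma describes concrete, here is an added example in Python (not code from the article or from QuintessenceLabs): a policy that grants each user only permitted operations on a subset of datasets, an access layer that records every decision in an audit log, and a baseline check that flags a user who reaches outside the datasets they normally touch, or who keeps probing denied ones, and locks the account before the next request. The users, datasets and access history are constructed for the example.

```python
"""Least-privilege data access with audit logging and a baseline anomaly check.

Added example, not code from the article or from QuintessenceLabs. Users,
datasets and the access history below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed policy: user -> dataset -> permitted operations.
# The analyst is view-only on a single dataset; the HR admin may read and
# write HR records and read sales figures.
POLICY = {
    "analyst": {"sales": {"read"}},
    "hr_admin": {"hr": {"read", "write"}, "sales": {"read"}},
}


class AnomalyDetector:
    """Learns which datasets each user legitimately touched in the past and
    flags (a) a request for a dataset outside that baseline or (b) a run of
    denied requests that looks like probing."""

    def __init__(self, history, denied_threshold=3):
        self.baseline = defaultdict(set)
        for event in history:
            if event["allowed"]:          # only successful accesses shape the norm
                self.baseline[event["user"]].add(event["dataset"])
        self.denied = Counter()
        self.denied_threshold = denied_threshold

    def is_anomalous(self, event):
        user = event["user"]
        if not event["allowed"]:
            self.denied[user] += 1
        off_baseline = event["dataset"] not in self.baseline[user]
        probing = self.denied[user] >= self.denied_threshold
        return off_baseline or probing


class AccessControl:
    """Enforces the policy, writes every decision to the audit log and hands
    each event to the detector, which can lock the account for later requests."""

    def __init__(self, policy, detector):
        self.policy = policy
        self.detector = detector
        self.audit_log = []
        self.locked = set()

    def request(self, user, dataset, op):
        permitted = op in self.policy.get(user, {}).get(dataset, set())
        allowed = permitted and user not in self.locked
        event = {"user": user, "dataset": dataset, "op": op, "allowed": allowed}
        self.audit_log.append(event)           # real-time audit trail
        if self.detector.is_anomalous(event):
            self.locked.add(user)              # shut down access before the next step
        return allowed


def run_example():
    """Replay a constructed history, then a stream of new requests.

    Returns the access controller and the list of allow/deny decisions."""
    history = [
        {"user": "analyst", "dataset": "sales", "op": "read", "allowed": True},
        {"user": "analyst", "dataset": "sales", "op": "read", "allowed": True},
        {"user": "hr_admin", "dataset": "hr", "op": "write", "allowed": True},
        {"user": "hr_admin", "dataset": "sales", "op": "read", "allowed": True},
    ]
    ac = AccessControl(POLICY, AnomalyDetector(history))
    requests = [
        ("analyst", "sales", "read"),    # normal: allowed
        ("analyst", "sales", "write"),   # view-only user tries to modify: denied
        ("analyst", "hr", "read"),       # off-baseline and unpermitted: denied, account locked
        ("analyst", "sales", "read"),    # would be permitted, but the account is now locked
        ("hr_admin", "hr", "write"),     # unaffected user: allowed
    ]
    decisions = [ac.request(*r) for r in requests]
    return ac, decisions


if __name__ == "__main__":
    ac, decisions = run_example()
    for event in ac.audit_log:
        print(event)
    print("locked:", sorted(ac.locked))
```

One caveat a practitioner would add: a baseline built this way also flags a user's first legitimate access to a newly assigned dataset, so in production an off-baseline but permitted request is better routed to review than to an automatic lockout, and the baseline should be rebuilt over a rolling window rather than from all history.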
Even when you’ve got all that in hand, you can’t relax: quantum computing is growing, revolutionising computation and unleashing new threats. “A lot of the encryptions we use today rely on the fact that it needs too much computer power to reverse but if you have a lot of computer power, you can reverse it out,” says Sharma. “For all the tremendous benefits quantum computers will bring, they’ll compromise many technologies being used to protect information today.”
“Forward-leaning organisations” are already looking to be “quantum safe”. Sharma says that QuintessenceLabs is working with “the larger end of town” on it, to avoid having to do a major refresh – “equivalent to a Y2K moment” – and upgrade of data security in a few years.
2. Boards and C-suites must get involved
Stephenie Andal, Head of strategic policy, Cyber Security Cooperative Research Centre
The days of directors and the leadership team pushing responsibility for cybersecurity onto the IT department are over, says Stephenie Andal, a political scientist at the government-funded Cyber Security CRC. In July, the federal government opened consultation on a range of regulatory reforms to improve the nation’s cybersecurity. “Australian directors increasingly bear personal exposure to cyber-risk liability,” says Andal. “They should be familiarising themselves with the requisite legislation and adopting cybersecurity best practices across their organisation to manage cyber risk – it’s not going away.”
There’s a rapidly expanding dossier of costly cybersecurity fails to illustrate the potential fallout for boards and executives. “State-based cyber actors, cybercriminals, hacktivists and terrorists are seeking to strategically disrupt critical infrastructure and global supply chains, steal intellectual property and exploit network vulnerabilities, with the intention of gaining access to sensitive data for financial and/or strategic gain.”
Andal cites two recent high-profile incidents. “The SolarWinds cyber-espionage campaign disrupted more than 16,000 computer systems worldwide and global meat supplier JBS Foods was hit with a ransomware attack that had repercussions around the world, including in Australia.” In June, JBS admitted to paying about US$11 million in ransom.
Making cybersecurity a priority in budgets and company-wide policies is important, says Andal. “Australian organisations and boards must start treating their online assets and managing their valuable data with the same level of care and attention they pay to their real-world assets – they’re inextricably linked. If cybersecurity matters to the chair and the board, it’ll have a trickle-down effect.”
There’s a way to go, however. Andal points to research conducted by the Ponemon Institute for United States security intelligence company LogRhythm that was released in June. A worldwide survey of 1426 chief information, technology and security executives found that 93 per cent of them don’t report to their CEO. “That speaks to a disjunction between boards and executives and their IT teams. The more we can draw them closer together, the more we’ll start to see better cybersecurity practices and protocols.”
3. Boards must do a ransom-decision exercise
Nick Abrahams, Global co-leader, digital transformation practice, Norton Rose Fulbright Australia
When the worst happens, many businesses don’t have a plan. “I was getting called in to brief boards about a ransom while the case was live and they didn’t have a framework for the decision,” says Nick Abrahams, a leading legal adviser on cyber issues. He recommends that boards consider the following questions and book in regular crisis exercises that involve the executive leadership team “to give boards muscle memory because if it happens, they’ll have to make a decision very fast”.
Does paying the ransom fit with the values of the company?
“Some directors feel viscerally that it’s contrary to directors’ duties to pay criminals. But there’s arguably a positive obligation to consider payment of the ransom because you’ve got a duty to act in the best interests of the company. So if the payment is legal and doesn’t run contrary to your values then you’ve got to consider it.”
What is the reputational impact of a data breach?
“When a ransomware attack has locked up a business so it can’t operate normally or at all, people freak out. It’s a little bit like coming home to find your house has been burgled – there’s a massive amount of anxiety. In the midst of a ransomware attack, I spend a lot of time trying to calm people down and get them to recognise this is a short-term issue and the business will get past it.”
What is the operational landscape?
“Ransomware perps put a ticking clock on you – if you miss that deadline, you’ve lost the opportunity to get the decryption key. Boards need to evaluate the best guess of the IT team for getting the business back to normal without the decryption key and the likelihood that the decryption key will work. You can do a Proof of Life, where you put the ransomware perpetrator on notice that you want these particular files decrypted. You must assume it won’t work terribly well; sometimes you’ll get a reasonable amount decrypted and other times you’ll get almost nothing.”
What about cyber insurance?
“A cyber insurance company may pay the ransom, which is helpful for boards because it means they can move that decision to the side. But we’re starting to see cyber insurers not paying ransoms so you can’t be certain they’ll pay. The other question is: if you pay, will you get hit again? There’s no evidence to support that, largely driven by the fact that after one of these events, there’s a heightened investment in the business to build up cybersecurity strength and capacity.”
4. You must build a strong cybersecurity culture with your people
Narelle Devine, Chief Information Security Officer Asia Pacific, Telstra
The people part is often overlooked in high-tech cyber strategies, which is why Narelle Devine, the chief information security officer at Telstra, argues cyber education is more powerful when you make it personal. Cyber-safety messages resonate more when “you frame it around how staff can protect themselves and their families”. They then bring their improved cyber habits to the workplace, too. “It really helps to shift the culture.”
Simple things, such as enforcing multifactor authentication and encouraging staff to use the password manager they use at the enterprise level for their personal passwords, can change behaviour across the board. “Tell them the ‘why’ – explain why a cybercriminal might be interested in your company. That makes people stop and think about what they can do to help ensure it doesn’t happen.”
Devine recommends companies approach cybersecurity with the same principles that underpin their safety culture. “You want people to find those cybersecurity issues and feel okay about telling you about them, rather than feel they’ll be punished because they’ve done something wrong.” The aim is to foster a culture where a person who clicks on a phishing link alerts the IT team immediately, instead of staying silent and trying to hide it.
The cyber war requires a wide range of skills, argues Devine. Almost every profession “has a characteristic or behaviour that once you overlay a little bit of cyber training, it fits perfectly into a cyber team. It’s exciting. We talk about skills shortages but while there are shortages in certain niche areas, if you’re creative about how you build the cyber team, you can find some awesome people.”
5. Government and private-sector investment in cybersecurity must be boosted
Richard Bergman, Cybersecurity, privacy and trusted technology lead partner, EY Oceania
“Australia’s ability to protect its industrial control systems (ICS) and operational technology (OT) is probably my biggest area of concern about the nation’s cybersecurity over the next 10 years. I don’t think we’re well-equipped to protect Australian citizens, our critical infrastructure and essential services, including the economy as a whole, from the risk of a significant cyber attack. An attack against our critical infrastructure could result in a significant disruption to essential services, which can include energy or health or safety systems in mining and manufacturing, and could lead to serious injury or loss of life.
Australia has not invested anywhere near enough in protecting our OT and ICS environments and there are some alarming trends:
- The explosion in the number of industrial Internet of Things (IoT) devices. The ecosystem for our organisations has rapidly changed – and most of them are internet-enabled or cloud-connected.
- Over the past three years, a substantial increase in exposure across ICS and OT systems has become clear – these significant vulnerabilities are easy for cybercriminals to go after.
- The cybercrime gangs have realised they’re going to get a bigger ransom paid if they disrupt an organisation’s critical business systems – none more so than disrupting an ICS. We saw that in the US with the Colonial Pipeline attack in May, where a US$5 million ransom was paid.
The Australian Signals Directorate has estimated that a catastrophic cyber attack could cost the Australian economy up to $30 billion a year and wipe out 160,000 jobs. I don’t think we’ve gone far enough with the level of investment from government for our national defences or the level of investment from the private sector.
There is a failure in cyber leadership at the moment. We know that boards and C-suites are concerned about cyber risks but that concern isn’t translating into action and investment to appropriately manage their cyber risks. We’re seeing a lack of ownership from C-suites and boards in addressing the level of risk, let alone being ready for the future cyber threats that are going to come after the ICS.
Some sort of government cybersecurity critical-infrastructure uplift fund is essential to help fight cybercrime at scale. A single organisation doesn’t stand a chance against all of the cybercriminal gangs and threat actors around the world but if we combine capability and investments and leverage a sovereign investment fund as a nation, it would make a difference.”