Protecting businesses from a growing incidence of cybercrime should be at the top of most executives’ minds. That’s one of the key conclusions from a recent webinar hosted by Adam Smallhorn, CommBank’s Security Outreach Manager.
Smallhorn was joined by Daniel Baker, Assistant Director-General – Technical Uplift, Australian Cybersecurity Centre (ACSC), and Cornelius Mare, Field Chief Information Security Officer, Fortinet.
The ACSC Annual Threat Report shows reported incidents rose almost 13% in the 2020–21 financial year. Globally, the World Economic Forum’s Global Risk Report 2021 found cybercrime was perceived as the fourth most pressing danger to the global economy, after the pandemic and military conflicts.
Research from IBM put the average cost of a ransomware attack on an Australian business at $4.62 million USD, followed closely by the cost of responding to a data breach at $4.24 million USD. The ACSC says the reputational damage is harder to quantify. It can also hit any size of business.
Geopolitical uncertainty driving new risks
It’s no accident that cybersecurity risk has increased at the same time as the pandemic and rising global tensions. “The cyber threat environment is largely a function of the geopolitical environment,” says Baker. “Over the past decade we've seen about a fourfold increase in both the quantity and the severity of vulnerabilities.”
Mare says Australian businesses are particularly at risk. “If we just look at the stats … Australians are 10% more prone to attack compared to the rest of the world,” he says. “Why is that? 99.8% of Australian businesses [are] small to medium businesses.”
He says there has been a remarkable rise in ransomware attacks over the last year, and warns that it has been accompanied by the emergence of a new cyber threat: data extortion. “[Cyber-criminals] almost don't care if you have your data backed up, if your data is not encrypted. They will go and release your data in the dark web unless you pay for their services for not doing it.”
Protecting key business assets
So how should businesses respond? Smallhorn likens cyber defence to the body’s immune system responding to a virus. An organisation not only needs strong outer defences – it also needs internal defences capable of identifying an intrusion, isolating it, and producing sufficient countermeasures to reduce severity and get back on your feet as quickly as possible.
The ACSC recommends that organisations focus on the core business functions underpinned by information technology: “It's going through the process of determining what's most valuable in your business and where you are most reliant on information and communications technology or operational technology.”
The ACSC has collated these controls into the Essential 8 - Strategies to Mitigate Cyber Security Incidents. Depending on the business's maturity level, the eight mitigation strategies include:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Mare says it’s not enough to put systems in place – you also need to test them exhaustively with realistic scenarios. “Do tabletop exercises with executives and talk about who's going to make decisions. And if that first person is not available, who's the second person to lead the response? Make sure you record recovery roles, responsibilities and contact details, and distribute paper versions in case all your systems go down.”
The ACSC encourages businesses to investigate cloud services, which can often come with greater security at a lower cost of ownership. Software as a service or platform as a service may offer better security without the business having to maintain its own infrastructure.
How prepared is your business?
According to the Enterprise Security Group, an organisation’s cyber maturity can be classified into one of three groups, from least to most prepared. Most Australian businesses fall into the first two categories, says Mare:
Emerging – These organisations view cyber threats as a necessary evil. They possess basic tech, no dedicated cyber role, informal processes, and a decentralised approach.
Progressing – More engaged organisations. They may have dedicated cyber staff and internal training, although often just to fulfil regulatory obligations.
Mature – Cybersecurity is part of the culture. High awareness and engagement among all staff. Up-to-date technology and software, with a dedicated cybersecurity officer.
“A mature company is great,” says Smallhorn. “They are very culture-driven, and the cybersecurity is intrinsically aligned to their mission.”
“From a process point of view, they'll be well-documented and formal with an eye towards scale and automation. From a technology point of view, they'll have an enterprise security architecture. When an update or a patch needs to be installed, that's done within 24 hours.
“They are thinking about threats not just in a simplistic way externally, but also ‘What threats do we have internally that might compromise our cybersecurity?’ It's in the hearts and minds of all of the people; it's core to their mission.”
How prepared is your business? Seven key questions
Smallhorn says there are some key questions every organisation should ask themselves to test their level of preparedness for cyber threats:
- Do we have someone in our organisation responsible for cyber security?
- Do we have a culture of cyber security?
- If we were to experience a cyber attack or incident today do we have the plans for what to do right now and in the short-medium term?
- Are we thinking about cyber security as a people and process issue, not just a technology problem?
- What are our legal obligations around data and data breaches?
- How do we measure our cyber security and technology risks?
- How do we know we have a well-managed and secure technology stack?