Friday, 11 February 2022

The cyber trends predicted to make headlines in 2022

The return to work is in full swing. Organisations are diving into a new year, hopefully better than the last, and workforces are coming to accept Covid as a regular part of life. Another issue that has become just as much a part of daily life is cybercrime. Data breaches are rife and ransomware attacks are soaring in number and severity the world over. While we may not hear about these incidents as much as we do about Covid, cybercrime is now so pervasive that organisations are being called on like never before to safeguard against this equally insidious and invisible threat.

In the context of this evolving landscape, we see changes to organisations’ cybersecurity awareness and operations. For 2022, we predict several factors will feature heavily in media reports and the judicial system. Further changes in the workforce will affect data security. We will see increased regulatory action and new legislation enhancing transparency about cybercrime and forcing organisations, and their board members, to take far greater responsibility for cybersecurity. And more will come to light about the duality of artificial intelligence – used by hackers to evolve the sophistication, and potential devastation, of cyber attacks, and by organisations to enhance cyber resilience.

1. ‘A great reshuffle’ and the risks to data management

Over 40% of workers in the US wanted to change their jobs last year, according to a Microsoft survey.[1] In Australia, Treasurer Josh Frydenberg described the same phenomenon here as more of “…a great reshuffle”, after analysis showed more than one million workers started new jobs in the three months to November 2021.[2] “The rate at which people are taking up new jobs is now almost 10% higher than the pre-COVID average,” Mr Frydenberg said in a speech to the Australian Industry Group this month.[3]

For managers, this has created two scenarios: firstly, a greater pool of potential cybersecurity industry recruits, and on the flip side, a heightened risk of employee-driven data breaches.

There is no doubt the cybersecurity industry requires more people. Cyber attacks have risen more than 1100% in the past 12 months alone. 73% of organisations had at least one data breach in the past year directly or partially attributed to a gap in cybersecurity expertise. This lack of qualified personnel is increasing risks exponentially.

Departing employees and people working remotely also pose potential dangers to company data. Whether by design or unintentionally, studies show that just over 70% of staff leaving a company will take some form of information with them, from marketing strategies to customer lists and collateral in general. In one case, a customer spotted source code valued at $5 million being taken by a software developer who was in the process of resigning.[4] As luck would have it, the IP theft was prevented by noticing the movement of data in the person’s last days. Mitigation to prevent such an occurrence in the first place, however, would have been far more desirable. Similarly, organisations that have had to move to remote working environments quickly may not have had time to put sufficient processes and security controls in place to secure their data.
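The kind of monitoring that caught the source-code incident above, together with a check that departed staff accounts are actually removed, as an added Python example that is not from the original article. The HR feed, the transfer audit events, the field names and the thresholds (a 14-day notice window, a 10x baseline multiplier, a 100 MB floor, a 30-day account-removal grace period) are all constructed for illustration; a real deployment would read these from the directory service and the DLP or proxy logs.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed reference date: the day the checks run (matches this article's date).
TODAY = date(2022, 2, 11)

# Constructed HR feed: username -> last working day (None = not departing) and
# whether the directory account is still enabled. Field names are assumptions.
HR_FEED = {
    "alice": {"last_day": date(2022, 2, 18), "enabled": True},   # resigning next week
    "bob":   {"last_day": None,              "enabled": True},   # ongoing employee
    "carol": {"last_day": date(2021, 12, 3), "enabled": True},   # left, account never removed
    "dave":  {"last_day": date(2022, 1, 14), "enabled": False},  # left, account disabled
}

# Constructed DLP / proxy audit events: (day, user, bytes sent to external destinations).
TRANSFER_EVENTS = [
    (date(2022, 1, 10), "alice", 2_000_000),
    (date(2022, 1, 17), "alice", 3_000_000),
    (date(2022, 1, 24), "alice", 2_500_000),
    (date(2022, 2, 7),  "alice", 1_500_000),
    (date(2022, 2, 10), "alice", 400_000_000),  # a whole source tree in the final week
    (date(2022, 1, 12), "bob",   50_000_000),
    (date(2022, 2, 9),  "bob",   60_000_000),
    (date(2022, 2, 10), "carol", 5_000_000),    # activity from an account that should be gone
]


def daily_totals(events, user, start=None, end=None):
    """Sum bytes per day for `user`, optionally restricted to start <= day <= end."""
    totals = defaultdict(int)
    for day, who, nbytes in events:
        if who != user:
            continue
        if (start is not None and day < start) or (end is not None and day > end):
            continue
        totals[day] += nbytes
    return totals


def baseline_daily_bytes(events, user, before):
    """Mean bytes per active day for `user` on days strictly before `before`."""
    totals = daily_totals(events, user, end=before - timedelta(days=1))
    return sum(totals.values()) / len(totals) if totals else 0.0


def flag_departure_transfers(events, hr_feed, today, notice_days=14,
                             ratio=10.0, floor_bytes=100_000_000):
    """Flag days in a departing user's notice window whose outbound volume is both
    above an absolute floor and more than `ratio` times their earlier baseline.
    A user with no earlier history is judged on the floor alone."""
    alerts = []
    for user, rec in hr_feed.items():
        last_day = rec["last_day"]
        if last_day is None or last_day < today:
            continue  # not departing, or already gone (see stale_accounts)
        window_start = last_day - timedelta(days=notice_days)
        base = baseline_daily_bytes(events, user, window_start)
        for day, total in sorted(daily_totals(events, user, window_start, last_day).items()):
            if total >= floor_bytes and (base == 0 or total > ratio * base):
                alerts.append((user, day, total, round(total / base, 1) if base else None))
    return alerts


def stale_accounts(hr_feed, today, grace_days=30):
    """Departed users whose account is still enabled past the removal deadline."""
    return sorted(
        user for user, rec in hr_feed.items()
        if rec["last_day"] is not None and rec["enabled"]
        and today - rec["last_day"] > timedelta(days=grace_days)
    )


def activity_after_departure(events, hr_feed):
    """Transfer events attributed to a user after their recorded last working day."""
    return [
        (day, user, nbytes) for day, user, nbytes in events
        if hr_feed.get(user, {}).get("last_day") is not None
        and day > hr_feed[user]["last_day"]
    ]


if __name__ == "__main__":
    for user, day, total, mult in flag_departure_transfers(TRANSFER_EVENTS, HR_FEED, TODAY):
        print(f"ALERT departing user {user}: {total:,} bytes out on {day} ({mult}x baseline)")
    for user in stale_accounts(HR_FEED, TODAY):
        print(f"ALERT account {user} still enabled past the removal deadline")
    for day, user, nbytes in activity_after_departure(TRANSFER_EVENTS, HR_FEED):
        print(f"ALERT {nbytes:,} bytes sent by {user} on {day}, after their last working day")
```

The baseline is computed only from days before the notice window, so the window itself cannot inflate it, and the absolute floor stops a user with a tiny baseline from being flagged over a handful of email attachments. Running the three checks against the constructed data raises one alert for each control the article mentions: a departing user's sudden large transfer, a departed user's account still enabled, and activity from an account that should already have been removed.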
We consistently encounter IT teams that are simply trying to manage day-to-day activities and are then further stretched by the demands of a remote workforce. Combined with current staff turnover, these kinds of scenarios are data-loss disasters waiting to happen. Managers must start believing that, at any time, there exists a massive risk of data walking straight out their door.

How to prevent such scenarios? In the cases of both departing employees and remote workforces, organisations must implement security controls, including data loss prevention and security monitoring, as well as limiting access to critical information through measures as simple as ‘need-to-know’ access policies. This style of zero-trust architecture governs what an employee can, and cannot, see. Formal policies, spelling out the kind of data departing employees can take with them, will also have a positive impact. Organisations generally disable ex-employee accounts for a brief period after departure. However, they must also ensure that they remove ex-employee accounts after a specified period. On the technical side, monitoring employee behaviour at all times – rather than only after the employer becomes aware of an employee’s pending departure – improves the ability to detect suspicious access requests or peculiar data transfers. Treating employees, both current and departing, in a fair and friendly manner will also pay big dividends, as a disgruntled employee poses a serious risk to any business. It will be interesting to see if any such incidents are impactful enough to make headlines.

2. Regulations and enforcement actions on the rise

Turning a blind eye to cybersecurity is no longer possible. A recent sharp rise in regulations and enforcement means any organisation serious about its reputation and profitability should take heed. For any doubters, ASIC’s first Federal Court action over alleged deficiencies in cybersecurity now stands as the writing on the wall.
The test case against RI Advice alleges the financial services company failed to take reasonable steps to manage a string of cybersecurity breaches and contravened s912A of the Corporations Act.[5] The case, which goes to trial in April 2022, provides some insight into what could become the regulator’s minimum benchmarks for cybersecurity, at least within the financial services sector.

Separate enforcement action taken by the ACCC is also making organisations sit up and take notice. Last year, the corporate regulator launched proceedings against an online health booking platform which disclosed personal information to insurance brokers without consumer consent, resulting in the platform’s operators receiving a $2.9 million fine.[6] The ACCC also prosecuted a tech company for misleading its consumers about the collection of their data.[7] While not in relation to cyber attacks per se, such proceedings indicate the seriousness with which the ACCC views the protection of consumer data. What’s more, the ACCC has received a $27 million funding boost to address digital security, placing it in an even stronger position to prosecute businesses deemed to have failed in their cybersecurity obligations to consumers. And the Australian Prudential Regulation Authority (‘APRA’) has started to audit regulated firms against its cybersecurity standard, CPS 234. With greater transparency expected, we will likely see an increase in reported exposures.

3. New legislation in the wings

Keeping major data breaches quiet will be a thing of the past. Mandatory disclosure will be one of many consequences should the Ransomware Payments Bill 2021 be passed in its entirety. Provisions in the private member’s Bill will force major organisations to report ransomware payments to the Australian Cyber Security Centre (ACSC). The new legislation will also grant the government power to disclose notifications of any cyber threats to that organisation’s clients or customers – even to the public.
Understandably, companies are loath to deal with such potentially damaging levels of transparency. But again, these clampdowns from on high bring the paramount importance of protecting personal information into sharp focus for organisations as well as their managers and boards.

Already, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 has made it mandatory for owners of key infrastructure assets to notify the government as soon as a cybersecurity incident becomes apparent. In the case of a serious incident involving critical assets (such as water or electricity), the providers of these services must now follow an expansive list of directions from the Minister for Home Affairs. The government’s review of the Privacy Act has further led to proposals that could dramatically increase penalties for privacy breaches.

In essence, the legislative changes described above indicate regulators will be taking cyber breaches far more seriously. Combined, the changes also serve to strengthen the roles of both the ACSC and the Office of the Australian Information Commissioner (OAIC), already two of the leading bodies of their kind in the Asia-Pacific region. The OAIC recently issued a determination against a multinational company for failing to prevent unauthorised third parties from accessing customer information via a cyber attack.[8] Not surprisingly, it has also voiced support for stronger penalties for breaches of the Australian Privacy Principles, particularly for multinational corporations. No doubt more robust legislation will be drafted and enacted in 2022 – we will have to see at what speed.

4. Board members now under a cybersecurity microscope

Like keeping quiet about a cyber attack, sweeping cyber threats under the carpet is also coming to an end. Board members will be held accountable for all things cyber in 2022.
Greater scrutiny will be placed on their actions in, and around, cybersecurity, and dismissive explanations such as ‘we spoke to our IT department’ will no longer fly. Just as the ACCC is now well positioned to prosecute businesses that misrepresent their cybersecurity posture, so too is APRA in relation to corporate administrators who do the same. APRA has made it known it is taking a “much more targeted approach to ensuring CPS 234 [APRA’s Information Security Prudential Standard] is being fully complied with and holding boards and management accountable where it is not”.[9] The authority has further stressed that boards must adopt a proactive approach to oversight of cyber risk, stating it expects boards to “have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues”.[10]

Every boardroom is now strongly recommended to have at least one member with sufficient technological expertise to know exactly what their organisation is doing, and has done, in relation to cybersecurity. This will be the member the board turns to when called on to demonstrate that the organisation has sufficient processes in place to mitigate cyber threats, and that back-up systems not only exist but have also been tested to ensure they work to prevent data loss and allow for a timely recovery. Board members must recognise that data is dynamic in nature – it can be overwritten at any time – and high levels of efficiency need to be applied to ensure its security. However, only 10% of boards are estimated to have a dedicated cyber expert or cybersecurity committee, a figure IT analyst Gartner estimates will soon increase to at least 40%.[11] We can only agree, with APRA stating it considers boards need to be more proactive in the following three areas:

- Reviewing and challenging management reports on cyber issues generally.
- Ensuring their organisations can recover from cyber attacks – and that also extends to recovering lost data.
- Ensuring the effectiveness of information security controls across their organisations’ supply chains.[12]

Whether or not organisations have boosted their boards with cybersecurity expertise by now, they should waste no time in rigorously challenging their cybersecurity teams and processes. They need to question, for example, what blind spots could exist in end-to-end supply chains, whether testing and data recovery capabilities are sufficient, and what plausible disruption scenarios have been considered. Boards that do not question, and address, such issues could soon be subject to investigation and enforcement action by APRA and other regulators.

If there is one sure-fire way of knowing what’s to come, it is to look at the picture internationally. Cybersecurity measures being considered by the Australian government are modelled on examples such as Europe’s General Data Protection Regulation, implemented as long ago as 2016 and officially launched in May 2018. This regulation imposes security requirements around data processing and requires technical and organisational measures to be in place, commensurate with the consequences of a data breach. It has since been hailed a positive move, with the European Data Protection Board last year stating it had successfully used the regulations in determining 254 final decisions.[13]

Looking at the year ahead, it will be a struggle for boards to obtain the technical representation required to meet their cybersecurity obligations when there is a shortage of expertise in the market.

5. Ransomware attacks: increased AI involvement

Cyber and ransomware attacks have never grown faster than at the rates we are seeing today – and worse is yet to come.
Hackers are starting to use artificial intelligence (‘AI’) to create viruses faster than detection methods can keep up, to devise even more deceptive phishing emails and texts, and to scan corporate networks for weaknesses. But the traditional low-risk, low-cost, high-reward ransomware is still active too. Driven by the lucrative nature of the trade, cybercrime is only set to rise. The European Union Agency for Cybersecurity noted that 2021’s 150% rise in ransomware is essentially a spiralling trend.[14]

AI is, of course, a double-edged sword used by both sides. While it makes life easier for cybercriminals, it can also be used to increase the resilience and scope of cybersecurity systems. Still, managers must continue to coach their entire workforces, top to bottom, in how to recognise potential attempts to hack into company systems. If, for instance, an employee has already been taught how to recognise a phishing email, they must now be educated on how the weaponisation of machine learning models is potentially allowing cybercriminals to read their social media posts and customise the emails they send. The tactics now being employed by cybercriminals are boundless. We will continue to see AI driving an increase in sophisticated cyber attacks. However, AI used for prevention, at its current rate, looks set to win the battle.

6. Supply chain risk

As business continues to operate in a connected world, often through the use of third-party suppliers, consideration must be given to how risk is managed within these commercial relationships. Traditionally, these relationships were based on a commercial decision rather than upfront consideration of cyber risk. What we are now seeing is a real shift in the decision-making process, with businesses often requesting upfront evidence or verification (often through questionnaires) that appropriate security measures are in place before the relationship can progress.
The risk may even be greater for smaller third parties, as “Cybercriminals often see smaller partners as an opportunity to infiltrate and exploit larger, more lucrative targets.”[15] Even when their data sits in a third-party platform or application, businesses still need to consider their obligations to protect that information from cyber attacks. It is imperative to have a clear understanding of the cyber risks posed by using that vendor and the extent to which that third party protects their information. A third party’s cybersecurity posture directly correlates with its commercial partners’ risk of exposure. This was highlighted in the recent ransomware attack on workforce management solutions provider Kronos, which affected multiple customers, including sportswear manufacturer Puma.[16] In the event the third party suffers a cyber breach, businesses may still have obligations to investigate and respond, not only to the government regulator but to affected parties.

No-one is immune. Recent high-profile victims have included global brokerage JBS, the American oil pipeline system Colonial Pipeline and IT firms Kaseya and SolarWinds. It all points to the dawning of a new era of constant vigilance for the corporate world. As Eric O’Neill, national security strategist at VMware, states, “2022 will be the year of zero trust, where organisations verify everything versus trusting it’s safe.”[17] With the rise of these types of attacks, it is inevitable that there will be increased pressure on organisations to validate their cybersecurity posture if they wish to operate in an online environment. While cybercriminal activity is evolving, so too are cybersecurity measures (whether voluntarily or through enforcement). We will watch the above predictions closely as 2022 unfolds.

Footnotes

[1] Microsoft, The Next Great Disruption Is Hybrid Work—Are We Ready? (22 March 2021) <https://www.microsoft.com/en-us/worklab/work-trend-index/hybrid-work>
[2] Mick Tsikas, Australia is seeing a 'great reshuffle' not a 'great resignation' in workforce: Frydenberg (6 February 2022) The Conversation <https://theconversation.com/australia-is-seeing-a-great-reshuffle-not-a-great-resignation-in-workforce-frydenberg-176516>
[3] Ibid.
[4] Drew Robb, Will More Resignations Lead to Increased Data Theft? (27 September 2021) SHRM <https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/will-more-resignations-lead-increased-data-theft.aspx>
[5] Australian Securities & Investments Commission, 21-196MR Court finds RI Advice liable for failing to supervise financial adviser following ASIC investigation (2 August 2021) <https://asic.gov.au/about-asic/news-centre/find-a-media-release/2021-releases/21-196mr-court-finds-ri-advice-liable-for-failing-to-supervise-financial-adviser-following-asic-investigation/>
[6] Australian Competition & Consumer Commission, HealthEngine to pay $2.9 million for misleading reviews and patient referrals (20 August 2020) <https://www.accc.gov.au/media-release/healthengine-to-pay-29-million-for-misleading-reviews-and-patient-referrals>
[7] Australian Competition & Consumer Commission, Google misled consumers about the collection and use of location data (16 April 2021) <https://www.accc.gov.au/media-release/google-misled-consumers-about-the-collection-and-use-of-location-data>
[8] Office of the Australian Information Commissioner, Cupid Media Pty Ltd: Own motion investigation report (1 June 2014) <https://www.oaic.gov.au/privacy/privacy-decisions/investigation-reports/cupid-media-pty-ltd-own-motion-investigation-report#conclusion>
[9] Executive Board Member Geoff Summerhayes, ‘Strengthening the chain’ (Speech delivered at the Financial Services Assurance Forum, Australian Prudential Regulation Authority online/virtual event, 26 November 2020) <https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services>
[10] Australian Prudential Regulation Authority, Improving cyber resilience: the role boards have to play (23 November 2021) <https://www.apra.gov.au/news-and-publications/improving-cyber-resilience-role-boards-have-to-play>
[11] Gartner, ‘Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025’ (Press Release, 28 January 2021) 1 <https://www.gartner.com/en/newsroom/press-releases/2021-01-28-gartner-predicts-40--of-boards-will-have-a-dedicated->
[12] Australian Prudential Regulation Authority, above n 10, 6.
[13] Ilse Heine, 3 Years Later: An Analysis of GDPR Enforcement (13 September 2021) Center for Strategic & International Studies <https://www.csis.org/blogs/strategic-technologies-blog/3-years-later-analysis-gdpr-enforcement>
[14] Drew Robb, 2022 Cybersecurity Trends: Ransomware, Security-as-a-Service, Zero Trust (24 January 2022) SHRM <https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/2022-cybersecurity-trends-ransomware-security-as-a-service-zero-trust.aspx>
[15] Australian Cybersecurity Magazine, The impact of an organisation’s security posture on its external partners or customers (2 September 2020) <https://australiancybersecuritymagazine.com.au/the-impact-of-an-organisations-security-posture-on-its-external-partners-or-customers/>
[16] Lawrence Abrams, Kronos ransomware attack may cause weeks of HR solutions downtime (13 December 2021) Bleeping Computer <https://www.bleepingcomputer.com/news/security/kronos-ransomware-attack-may-cause-weeks-of-hr-solutions-downtime/>
[17] Drew Robb, above n 14.