Wednesday, 24 June 2020

Headlines featuring cyber security breaches are increasing in frequency and corporate Australia needs to pay attention. The scale of recent cyber-attacks - from that inflicted on beverages company Lion to the broad-based issue facing the federal government revealed last week - have made it patently clear that no entity is immune no matter how large or small. 

Many are more vulnerable than they realise. Larger organisations may have decent-sized IT teams yet often these teams are too stretched meeting day-to-day obligations to spend time developing sufficient cyber protection strategies. Smaller enterprises invariably lack the resources to invest in cyber defence strategy or take measures as simple as providing the sufficient bandwidth to protect their networks. Sticking with old technology means running the risk of not being supported for security patches, a move which is often tantamount to welcoming cyber criminals through the door. 

Importantly, business leaders must become more aware that cyber crime is not always indiscriminate  and increasingly is carefully organised. As much as it may seem a data breach is the work of a sole operator, attacks can be the handiwork of criminal syndicates or teams acting on behalf of a government or government body also known as ‘state-based cyber actors’.

The Prime Minister blamed one such team for causing the chaos within government departments: “Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor," Mr Morrison said.

"This act is targeting Australian organisations across a range of sectors including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.” 

As these teams grow in number and sophistication, corporations (and clearly governments) must step up to ensure they are adequately protected. Those questioning the cost as well as necessity of increased cyber security should look to the price of suffering a breach in the first place. Consider what other corporations have endured so far: ransomware attacks forced not only Lion but other corporate giants including appliance manufacturer Fisher Paykel and car maker Honda to temporarily suspend operations. Often these companies have found themselves facing the threat of their sensitive financial and other information released on the dark web unless they pay a hefty fee to the perpetrators. Crippling a company and then holding it to ransom is surely a scenario no corporation would want to be faced with. 

Paying lip service to your data security or, worse, ignoring the risk altogether, has quickly become the corporate equivalent of playing Russian roulette. A telling example involves the decision last December by property valuer LandMark White to rebrand as Acumentis after two cybersecurity incidents in 2019 took it to the brink of collapse.

All sectors face this kind of threat. Major infrastructure and manufacturing are also tempting targets, with food production lines for instance easily disrupted by the infiltration of industrial machinery software, or construction projects abruptly ceased due to crippled data networks. Bluescope Steel was forced to halt production in May when it suffered such a data breach. 

Key to tackling cyber security threats is company culture. While installing the best data security is clearly among the steps to take, so is educating employees and key stakeholders in how to recognise threats and handle electronic communications safely. Recognise that people are your first line of defence. If an employee knows how to recognise a phishing email or suspicious attachment a data breach can be halted in its tracks. Should they not recognise a suspicious link, a simple click can be enough to let cyber criminals into a corporate network. Worse still, once inside, perpetrators often remain undetected for up to six months or more, trawling through key information and observing high levels of email conversations as they determine the right time to strike. When they do, common methods used to cripple a system include installing ransomware which encrypts critical servers and data, effectively stealing the information from the company, and Denial of Service where external traffic floods the network until it shuts down. The perpetrator is then in the perfect position and starts demanding a ransom. Corporate Australia can however take steps to avoid these scenarios by improving their data security defences and providing education and training to their employees. The time to close the door on cyber criminals has well and truly arrived.