Thursday, 25 February 2021

KordaMentha’s Behind Business podcast discusses the most pressing commercial, financial and operational issues facing business today. Our first episode of Behind Business for 2021 discusses one of the most serious issues facing businesses and individuals today – cyber security. Featuring cyber and digital forensic expert and partner at KordaMentha, Brendan Read and cyber risk and claims adviser from HWL Ebsworth Lawyers, Andrew Miers, the episode will discuss the current threats facing organisations and what they can do to avoid becoming the next cyber-attack victim.

Sean Aylmer: Welcome to Behind Business, the podcast where KordaMentha experts discuss the most pressing issues facing business today. I’m Sean Aylmer, an economist and journalist for 25 years, and host of the Fear and Greed daily podcast. If we weren't dealing with a once in a century pandemic, cyber security would be one of the biggest issues making news. It is undoubtedly among the great challenges of the next decade. And as our use of technology and the daily interaction of tech and everyday living grows, it will become even more so. There has been government and private funding to bolster our defenses against cyber-attacks, but the threat is constantly evolving so those defenses need to evolve too. The criminals involved, sometimes state sponsored, are always finding new ways of initiating cyber breaches. Today, we're going to discuss the history of cyber security, where we are now, where we might be headed, and what we need to look out for. We have two experts in this edition of the Behind Business podcast. Brendan Read is the KordaMentha partner specializing in cyber digital forensics. And to help us navigate the legal perspective, we have Andrew Miers, partner at HWL Ebsworth. Welcome to you both.

Brendan Read: Thank you.

Andrew Miers: Thank you very much.

Sean Aylmer: Brendan, starting with you, how big a problem is cyber security?

Brendan Read: Yeah.
Sean, look, it's a really big problem. Any organization, whether big or small, whether it's a government entity, no one's immune to the threat of cyber risks. And going back from my time in the police even, early 2000s, I was constantly seeing a number of cyber incidents that were happening to business back then and that risk has just continued to grow and build on momentum. And as you see now, we're facing a really tough scenario of trying to deal with these cyber threats that are coming not only from a domestic front, but international.

Sean Aylmer: You just mentioned that when you're in the police force, quite a few years ago, it was around. So, cyber threats have been around for a long time, are they just more prevalent now, Brendan?

Brendan Read: I think definitely more prevalent. There's a lot of sharing of information of how to do these types of attacks, so a lot more having a go at doing this type of activity. And I think it's just a lot more advertised and educated to organizations and people. So they're becoming more aware that, that threat actually exists. And obviously, more people are becoming victims of it, word is getting out.

Sean Aylmer: Andrew, how much damage can cyber crime do?

Andrew Miers: Yeah, Sean, look, I think it's probably fair to say, it can do quite a significant amount of damage, so much so that it can even put a business out of business altogether, and there have been some instances where that has occurred. The damage is multi-factored. There's the costs of actually responding to an incident and getting new external advisors to help remediate and fix it. There can be regulatory costs of having to comply with regulation around notifying data breaches to customers and so forth. But also, there's a significant reputational cost. And I think what we're seeing, increasingly, is that cyber incidents are hitting the headlines and they're now front-page news.
Something that wasn't really in public discussion 10 years ago, is on the front pages of the papers on a regular basis now. So when a company has a cyber incident, sometimes the most significant damage is that reputational harm. Another impact is just business interruption losses. And I think a lot of companies that's where the impact for them is felt. If they're offline for a period of time, whether it's a few days or even possibly a few weeks, they might not be able to trade or earn revenue during that time and they may suffer business interruption losses in much the same way that companies traditionally did when, for example, their premises burnt down. Now, it's sort of the equivalent of your online presence burning down and having an impact on your profits.

Sean Aylmer: Yeah, Andrew, just staying with you, and you talked about it then. So we have professional cyber security industry, and that's about protecting people, but then there's also the costs of remediation and kind of looking after people when harm is done. I'm trying to get a sense of how big the industry is in the parts to it.

Andrew Miers: That's a good question, Sean. And it's sort of an emerging industry and a growing industry. I think the figures around it are that, five years ago, it was about a $2.2 billion industry in Australia and it's projected to grow to about $6 billion by 2026. We've got the government sort of actually trying to actively foster and encourage a standalone cyber security industry and our home-grown one. I think what we've got to remember is that, cyber is not solely about IT, it's just as much about human behavior. And so, risk managers, insurance brokers, insurance providers, even identity theft to harm, counselors, a lot of those more soft skill type of things, it's probably self-serving, to say so, but lawyers, there's a lot of players who provide services in that space who aren't just focused on the IT side.
Sean Aylmer: And Brendan, there were small and large companies involved, I mean, being hit by cyber crime.

Brendan Read: Yeah, that's correct, Sean. And I see a lot of organizations that are getting targeted, which are ones that tend to be dealing with a lot of financial transactions. So, if I give you an example, like a conveyancing solicitor, that's obviously doing the groundwork in terms of sale of a property, but someone might just go to the cheapest conveyancing solicitor they can get online and they're just operating from their home, not a very sophisticated set up in terms of their IT as a single operator, but they're dealing with hundreds of thousands of dollars of transactions, and they're a prime target for these hackers to get access to that information and obviously try and divert any sort of payments, so they can get access to those funds. They're just targeting everyone, at any opportunity, where they can make money, where they can steal information, people's personally identifiable information. Everyone's a target. Obviously, at the smaller end, having the money to be able to implement an appropriate strategy to deal with these cyber threats is difficult, but equally so, at the top-end of the town, no one is immune to this risk, no matter what your systems are in place. You could pay for the top-end network intrusion protection and firewall protections, but those threats can still come through.

Sean Aylmer: It just seems to have the last, I mean, 2020 particularly, there are some big firms, know the Reserve Bank of New Zealand, I think the corporate regulator here, ASIC, they seem to be involved in major attacks, sometimes by state players it seems. What were some of the big attacks in the last two or three years that you've seen, Brendan?

Brendan Read: Yeah, look, I think you've already touched on some of those Sean.
Obviously, Scott Morrison had announced that, I think it was June, last year, that we had a wide range of political and private sector organizations that were coming under cyber attack from how he referred to as sophisticated state-based cyber actors. We've obviously got a really sophisticated and large groups targeting our specific government and industries to cause as much damage as possible. More recently, the data breach of Accellion, where it was a third-party file sharing platform. And we're still seeing, even today, more organizations that are still affected by that same data breach that are now identifying that they're exposed from uploading their client data into these platforms, and those getting accessed by the criminals.

Sean Aylmer: It's just worth exploring that a little bit because that one was a bit different, because rather than someone opening an email they shouldn't have, it was actually, what was hacked was the provider of the software, is that right?

Brendan Read: Correct. Yeah. So the way technology is moving, there's a lot of cloud-based platforms that are now being taken up by organizations from a cost and a productivity perspective, it makes perfect sense, but then, also from a security perspective, it becomes a risk that also needs to be managed. So, it's not uncommon for any organization to use a third-party platform or product to put their client data into, but you really need to understand what that third party is doing around the security of the data that sits in that product or platform. Like do they have a dedicated security team that's monitoring? Are they constantly looking at the vulnerabilities themselves in terms of their own software? And what are they doing to rectify that? That really sort of plays. And once a breach happens and a vulnerability is identified, those organizations need to move extremely quickly to fix those vulnerabilities, provide updates out to those clients to obviously ensure that they're protected.
Sean Aylmer: So just, in that instance, people got an update, did the right thing, but the actual problem was within the update, and therefore, it infiltrated the system.

Brendan Read: Yeah, correct. That was in the SolarWinds attack that happened where it actually infiltrated the updating software itself, so it could deploy the malicious software onto each of the clients. So yeah, causing a great risk.

Andrew Miers: And can I just add a few comments to that discussion? I think some of the incidents that you mentioned highlight two key sort of looming risks at the moment. One is, you mentioned the ever-growing risk of ransomware. I mean, that's just becoming such a problem. Ransoms a few years ago were quite small, but they're just getting more severe.

Sean Aylmer: When you're talking about ransomware, it is literally a ransom to unlock the data that they've got, is that right?

Andrew Miers: Exactly. Like in the old world, you kidnap someone and you won't release them until a ransom is paid. And now in the new world, the online world, you kidnap the data. You might encrypt the data and the ransom needs to be paid in order to hand over the decryption key or you might've taken data and you're threatening to publish it online or release it, or do something with it. And this is becoming... I mean, it's been a problem for a few years, but I think in the last 12 months it's grown exponentially.

Sean Aylmer: What are companies doing when they're receiving these ransom notes effectively?

Andrew Miers: Well, very good question. I mean, if they've got good backups that can sometimes assist with the issue and they'll go into overdrive to restore everything based on their backups, and so not have to, I guess, cave in to the demands of the ransom threat actor.
But sometimes, they might not have good backups or the backups themselves might've been targeted and some companies are having to grapple with this issue of whether or not to pay the ransom, and it's a really difficult and tricky issue. It raises potential, if not legal, at least ethical and moral questions around paying criminals. And there's certainly a decreasing tolerance for it. We've seen in the United States in the last few months, the Department of Treasury have actually called out the potential for breaching sanctions laws when paying a ransom and we might see a similar move in Australia. So, it's a real dilemma, do you pay the ransom and give into the criminals? Or potentially, there's an impact on your business if you don't pay it.

Sean Aylmer: Yeah. I mean, because I'm sure in some cases, on a pure financial sense, it does make sense to actually pay the ransom and get the data back.

Andrew Miers: Yeah. I mean, the ransoms are getting quite big. They're often seven-figure sums now, but even then, that can be cheaper than all the costs involved in fixing things up.

Sean Aylmer: So we'd mentioned ransomware, and I'll just stay with you, Andrew. Just quickly, can you run through the definitions of some of these things? So denial of service, what's that one about?

Andrew Miers: Well, denial of service is effectively where a threat actor floods you with so much traffic, so to speak, that it causes your system to clog up and it quite literally denies you a service. Sometimes that's in conjunction with a ransomware threat, "If you pay the ransom, we'll stop it."

Sean Aylmer: Phishing?

Andrew Miers: Phishing, yeah, this is a real problem. And this is phishing with P-H, not with an F. It sort of is like fishing for information from someone in that sense.
Effectively, that involves sending an email that purports to be from someone else or tricks you into thinking that you're dealing with someone that you're not, and you click on a link or you reply, or sometimes people even hand over their credentials. So, phishing is often the route in to a broader attack on a company.

Sean Aylmer: So Brendan, it's all about data at the end of the day. And is it mostly about finding bank accounts? Or is it actually mostly about other data in how people act and behave?

Brendan Read: Look, I think it's all types of data. Like Andrew was just mentioning with the ransomware attack, they're just interested in being able to get access to the data, locking it down or selling it on the dark web if they don't have the ransom paid. But the big risk for a lot of people is their personally identifiable information, and that's where there's massive repercussions and impacts on their personal lives, where you'll have their driver's license details obtained, bank accounts created, loans taken out, credit cards applied for, and causes nothing but grief and pain to try and recover from something like that.

Sean Aylmer: So, Brendan staying with you, how do the criminals choose their targets? Is it arbitrary or do they have favorites? Is it businesses? Is it individuals?

Brendan Read: Look, it's a case of multiple ways. They'll just do their own research and look for various businesses where they think they can get access to it. Other criminals will be just probing networks and searching for IP addresses that have open ports. So basically, think of a house and it's like certain windows are being left open and not protected, and they're just looking for those open windows to come in. And once they're in, they can do all sorts of damage. You touching on before, the malware, so they can upload this malicious software.
They can then basically take over total control over the computers and servers in those environments, and then just leapfrog from those infected computers to other areas within the business, and obviously, exfiltrate data, they can encrypt that data or just monitor activity.

Brendan Read: And that's probably a really interesting point around sort of the actual average time that people are actually inside a network during a data breach. And I think if, statistically speaking, I know IBM has a statistic on it, that back in 2020, the average time to identify data breach was 207 days. And that flowed onto the average life cycle of a breach from identification to containment, that actually blew after 280 days. And if you think of a criminal inside your network, monitoring email communications and looking at various files on the network, and confidential information, that's a lot of exposure period for them to cause some damage.

Sean Aylmer: Mm-hmm (affirmative). Sure has. Andrew, what about COVID? Particularly, the shift to work from home, has that increased risk around cyber security?

Andrew Miers: Yeah, absolutely. And I think that's been one of the big features of the last 12 months. The remote working arrangements was a definite part of the cause of that. So, people using their personal devices and perhaps being a little bit lax with putting documents on their personal device instead of logging on via whatever platform their company uses. And so, emphasizing the need for companies to make sure that people are working from home, they're logging on properly, not emailing things to themselves, but also, it just opens up vulnerabilities, generally.

Sean Aylmer: So I'm going to ask you both, what's the most likely threat in 2021? Brendan, starting with you.

Brendan Read: Look, I think it's going to be a mix of an increase in ransomware. I think that's extremely profitable, and we'll definitely see the increase of that.

Sean Aylmer: So ransomware is your core, Brendan.
Andrew, what do you think?

Andrew Miers: Well, I'd absolutely agree with ransomware, that's not going away anytime soon. So that's a huge one. I also think there is supply chain risk. Some of the examples we were talking about before, like SolarWinds and Isilon, where you have one breach which has a ripple effect, or not a ripple effect, it's like a tsunami, in some cases, that just flows on to multiple other companies. So, you're going to have these breaches that pile up into this sort of aggregated risk, just arising out of one incident.

Brendan Read: Yeah. And just to add to that as well, I think some coordinated attacks on critical infrastructure will become a problem and I know that the government is currently looking at legislation to help deal with that major risk.

Sean Aylmer: And Andrew, where do you think the law's going and regulation is going in terms of cyber security?

Andrew Miers: Yeah, look, it's moving at quite a pace actually. Probably not quite fast enough to keep up with the risks, with law always sort of lags technology. But we've seen over the last 12 months and ongoing into this year, quite a few changes. We're seeing regulators take a much more active interest. We saw the privacy commissioner last year, bring the first ever civil penalty case against Facebook, not for a cyber breach so much, but it was a privacy breach. And that's the first time they've ever done that. But other regulators who aren't necessarily directly concerned with personal information are also weighing into it. So ASIC, which is the corporate regulator has been talking about cyber resilience for quite a few years and they've now brought the first ever civil penalty proceeding against a financial planning company, and they're alleging a breach of financial services laws.
Andrew Miers: Financial services laws don't even use the word cyber, but they're saying that they didn't have appropriate risk management in place with their IT and they allowed numerous cyber incidents to occur. We're seeing APRA, APRA hasn't yet brought any enforcement action, but APRA as the prudential regulator introduced a new prudential standard 18 months ago, which requires banks and superannuation funds and insurers, and other companies under APRA's regulation to tighten up their cyber security and to notify APRA if there's a cyber incident. So we're seeing the regulators getting much more active and much more interested. We're seeing more legislation. Brendan mentioned the critical infrastructure legislation, which is currently being considered by parliament, that's going to impose new obligations on... What we think of critical infrastructure is, things like water and ports, and electricity, but it's going to broaden it to financial services, even to supermarkets because they're part of the critical infrastructure of our economy. And so, tightening up and adding new cyber security obligations there as well. And we're seeing ongoing evolution of privacy law as well, that the government is having another look at the Privacy Act to see whether it has kept up with the times. And we could see some more rights introduced for people to enforce their personal privacy rights. So, look, that's just a taste, but there's a lot happening in that space, which is one reason I find it an interesting area to practice in.

Sean Aylmer: And Brendan, just to wrap it up, what should businesses be doing to protect themselves? And what do they do if they're in trouble?

Brendan Read: Yeah, look, I think planning before an actual event occurs is always going to be best placed in any organization that's actually going to have an incident response plan, and have it developed in place and tested before an actual event occurs.
They're going to be in a much better position to have the risk of financial, I mean, reputational harm to the business. I think training and education plays a very important role. Changing the culture of an organization is really critical, that they're thinking about data and its security all the time and everything that they do in their operations, and then just creating that awareness that those risks are actually there.

Sean Aylmer: And Andrew, your take on how business should look after themselves in 2021.

Andrew Miers: Look, I think the things that Brendan said around training are definitely key, because as I said before, it's as much a human issue as it is a technology issue. Following the Australian Signals Directorate Essential Eight, there are eight fairly simple, straightforward things that the Cyber Security Center says would prevent about 85% of cyber incidents. But the other one I would mention is the role of cyber insurance. Obviously, insurance is not going to stop things happening and it shouldn't be seen as a security blanket to make you lazy about your cyber security. But it does mean that if an incident occurs, you know that some of that financial pressure of the cost of responding to the incident will be offlaid with the assistance of your insurer. And the insurer can also provide you with tapping into some of the expert service providers to assist, especially, for SMA companies that might not have existing providers. So, I would say that, that is a good protective measure as well.

Sean Aylmer: That's a great point to leave it. Brendan, Andrew, thank you very much.

Andrew Miers: Thank you, Sean.

Brendan Read: Thanks so much, Sean. Really appreciate it.

Sean Aylmer: I've been talking to KordaMentha partner, Brendan Read and HWL Ebsworth partner, Andrew Miers. Cyber security is clearly a challenge today and into the future. It comes in all shapes and is forever evolving. The perpetrators of cybercrime are also evolving, staying ahead of the game.
Many are state sponsored. But there are plenty of cyber criminals out there working from their homes. Cyber security impacts all of us and has the potential to cause great damage to people and organisations. It has already done so with a number of high-profile cases over the past 12 months. Understanding what cyber crime is and how to address it and prevent it can help businesses stay ahead of the game. Training, culture and awareness must be at the basis of a good cyber culture within any organisation. Being relentless in avoiding cyber crime is also critical. And using experts in the field will help companies achieve the very best outcomes. Join us again soon for KordaMentha's experts' views on Behind Business. I'm Sean Aylmer and that was Behind Business.