Behind the headlines of ransomware attacks on major Australian companies are some important lessons for all organisations as they face a world of growing cyber threats.
From misappropriated passwords to fake audio and video calls, the work of cyber criminals is growing in sophistication and volume. The estimated annual cost of cyber crime in Australia has risen to $42 billion, according to consultancy KPMG.
So what can businesses do to fend off the threats, and keep themselves and their customers safe? Westpac Institutional Bank put the question to some of the country’s most respected cyber experts. Here are their top insights.
1. Design your applications defensively
Some recent breaches appear to have involved unprotected application components that trusted whoever could reach them. If such a component is reachable by an attacker, that implicit trust can be exploited to access data inappropriately.
“Do not let any part of your systems or networks trust another part – instead, design systems to always explicitly authenticate,” says Simon Brown, Westpac’s head of cyber strategy and advice. It’s also essential to continuously collect systems activity data so that it’s easier to later assess what data has been accessed in an attack, he adds.
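To make Brown's two points concrete, here is an added example (not code from Westpac or from the article) contrasting an internal endpoint that trusts anything on the internal network with one that explicitly authenticates every call and records each decision as structured activity data. The shared key, the HMAC token format and the service names are assumptions made for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo key: in a real deployment each service gets its own key from a secret store.
SHARED_KEY = b"demo-key-for-example-only"
TOKEN_TTL = 300  # seconds a signed request stays valid

@dataclass
class Request:
    source_ip: str
    path: str
    caller: Optional[str] = None     # claimed service identity
    issued_at: Optional[int] = None  # unix time the token was minted
    signature: Optional[str] = None  # hex HMAC-SHA256 over caller|issued_at|path

def sign(caller: str, issued_at: int, path: str, key: bytes = SHARED_KEY) -> str:
    msg = f"{caller}|{issued_at}|{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def handle_trusting_network(req: Request) -> bool:
    """The pattern the article warns against: anything on the internal range is trusted."""
    return req.source_ip.startswith("10.")

def handle_explicit_auth(req: Request, audit: list, now: Optional[int] = None,
                         key: bytes = SHARED_KEY) -> bool:
    """Authenticate every call regardless of source, and record the decision."""
    now = int(time.time()) if now is None else now
    allowed, reason = False, "missing credentials"
    if req.caller and req.issued_at is not None and req.signature:
        expected = sign(req.caller, req.issued_at, req.path, key)
        if not hmac.compare_digest(expected, req.signature):  # constant-time compare
            reason = "bad signature"
        elif abs(now - req.issued_at) > TOKEN_TTL:
            reason = "token expired"
        else:
            allowed, reason = True, "ok"
    # Structured activity record: who called what, from where, and the outcome.
    audit.append({"ts": now, "src": req.source_ip, "caller": req.caller,
                  "path": req.path, "decision": "allow" if allowed else "deny",
                  "reason": reason})
    return allowed

if __name__ == "__main__":
    now, audit = 1_700_000_000, []
    good = Request("10.0.0.5", "/customers/42", "billing-svc", now - 10,
                   sign("billing-svc", now - 10, "/customers/42"))
    forged = Request("10.0.0.9", "/customers/42")  # internal IP, no credentials
    print(handle_trusting_network(forged), handle_explicit_auth(forged, audit, now))
    print(handle_explicit_auth(good, audit, now), audit[-1])
```

The audit list is what makes later breach assessment possible: every allow and deny carries the caller, path and reason, so the question "what was accessed?" can be answered from the records rather than guessed.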
2. Communicate clearly with customers and regulators
Fast and transparent communication is vital when in incident response mode, says Shameela Gonzalez, director and FSI industry lead at CyberCX. Stakeholders will become disgruntled if there are delays or a lack of detail on the extent of a data breach.
3. Speed up software patching
The Australian Cyber Security Centre (ACSC) now advises businesses to apply high-priority security patches within 48 hours. Previous average response times were up to 90 days, so this is quite an acceleration for many organisations. Vulnerability scanners can help organisations to automatically gather information on missing patches in their systems and networks.
4. Ramp up multi-factor authentication
Many cyber security experts believe more rigorous use of multi-factor authentication (MFA), which requires users to provide two or more verification factors to gain access to a network or system, is key to preventing attacks. It means that stolen passwords alone are no longer enough for an attacker to break in, significantly raising the bar on this popular attack technique.
5. No more passwords?
Poor password management is blamed for many cyber attacks. Opting not to rely on them mitigates the risk of inadequate passwords, or the tendency of people to forget to update them, says David Lacey, managing director of cyber support service IDCARE. To get rid of passwords, companies must instead deploy smart devices that can recognise users, and then use MFA as a complementary security layer.
6. Get up to speed with privacy rules
The government has recently made changes to the penalty regime for serious or repeated breaches of the Privacy Act. Business leaders must understand the relevant Australian Privacy Principles (APPs), including when to notify affected individuals and the Office of the Australian Information Commissioner of a data breach, CyberCX’s Gonzalez says.
7. Factor in supply chain risks
A cyber attack on one of your key suppliers could quickly become a business disruption event for you, even if you have controls in place to prevent it becoming a cyber attack on your business, says Westpac’s Brown. Businesses can improve resilience by avoiding dependence on one supplier for any critical function.
8. Beware of the next big threat
Never be complacent about cyber risks because hackers are constantly seeking new ways to deceive victims. For example, artificial intelligence is being used in relationship scams to generate fake voices or videos of loved ones or other trusted people, and IDCARE’s Lacey believes the corporate world is vulnerable, too. “CEOs or other senior staff may be impersonated so criminals can gain access to systems. Rather than using an email, it could be a fake audio or video call instead.” Having a rigorous call-back process (and not just trusting the initial call – no matter how convincing) is a good defence against these kinds of scams.
9. Be alert for phishing and business email compromise
Almost three quarters of Australian organisations say they fell victim to an email-based cyber attack in the past year, and the threat continues to grow. Business email compromise, where a scammer gains access to someone’s inbox and then tricks others into sending money or divulging confidential information, is becoming increasingly sophisticated. Cyber training for staff has never been more essential, as AI tools may help hackers write more professional scripts for email scams, making them harder to recognise.
10. Fine tune your cyber security playbook
Discuss and document key cyber risk issues at board and management level, including whether your business would pay a ransom. The Australian Government recommends that a ransom never be paid; however, for an unprepared company, the consequences of losing control might be unacceptable. If you don’t want to be in that position, ensuring you have a thorough, tested backup-and-recovery plan in place is critical.
11. Test your backup-and-restore systems
Testing your cyber security playbook can help safeguard important data, software and configuration settings. “Many companies have backups, but they’ve never tried a restore because it’s difficult to schedule while you're trying to run your business,” says Transgrid’s chief security officer Andrew Webster.
For more information, download this infographic from Westpac Institutional Bank:
11 key lessons from Australia’s cyber crime challenge