Speak to security professionals and the general consensus is Australia has a fair way to go when it comes to managing cyber risk, but the good news is we’re heading in the right direction.
In the world of cybercrime, one major challenge is most of the perpetrators are faceless. Reason being is the anonymity many consumers have online through the use of encrypted apps or Virtual Private Networks (VPNs) offer just as much protection to criminals as they do to law abiding citizens.
Moreover, they’re a lot easier to set up than they are to crack and due to the very nature of the worldwide web – they’re international and borderless.
KPMG’s Forensic Partner and National Leader of Forensic Technology Stan Gallo says local companies are acknowledging cyber security as a major concern at the moment, but with technology evolving so quickly, it’s near impossible to get ahead of the game.
According to Gallo, who has a background in covert law enforcement, security breaches can take many forms and they’re ever-changing.
They may range from the headline-grabbing stories like Edward Snowden’s alleged theft of the National Security Agency’s (NSA) files in the United States, to state-sponsored online attacks such as Russia’s purported meddling in the US and French elections.
Closer to home they could be as simple as a 'phishing' attack where an entity disguises itself as a trustworthy source, such as a bank, and attempts to gain access to an individual’s sensitive information.
Alternatively, a ransomware attack such as this year’s WannaCry attack wormed itself into computers running unpatched Microsoft Windows operating systems globally and demanded a ransom payment or else each individual computer’s data would be encrypted and effectively lost.
Gallo says the speed in which WannaCry spread was astonishing, but Australia was lucky because it hit in the early hours on a Saturday.
“By the time Australian businesses returned to work on the Monday, the awareness of the attack was higher and we could mitigate against it,” he says.
Yet while the big breaches grab all the headlines, there are a number of smaller scams persistently bubbling along. Gallo nominates some organised criminal groups who follow up on an email with a call, which is more effective than a standard phishing attack.
“They’re establishing a rapport with their victim so a person is more likely to give away personal information, or complete an action because having a person involved adds credibility to the scam.”
For business, Gallo says cyber security needs to be seen more as a people problem rather than solely an IT issue. Furthermore, cyber security needs to be treated as more than just another risk.
“Senior management need to get all of their people involved because it’s a significant problem.
“At present, too many organisations recognise the risk but feel it’s too expensive to fix.
“This is not the case. Many businesses need to significantly review their security operations and put in place response plans and broader crisis management policies in case of an attack.”
Changes to the Privacy Act, due to come into effect in February 2018, may require certain organisations to notify affected individuals and the Office of the Australian Information Commissioner when they have a data breach that is likely to cause serious harm to those affected.
These new mandatory disclosure laws may help ensure Australia doesn’t face a situation similar to this year’s Equifax attack in the US.
In this particular case, the 118-year-old credit-reporting agency took five months to disclose a security breach, and may have delayed disclosing a more recent cyberattack affecting 143 million individual consumers.
Gallo hopes the changes to the Privacy Act will see organisations develop better responses to cyberattacks from the moment they occur.
He suggests companies need to respond instantly.
“Their immediate reaction should be to enact a well-tested response plan based on the type of attack. There has to be a robust plan that addresses the incident itself along with broader crisis management.
“Organisations need to include monitor social media monitoring for reaction and a process to get back to business as usual as soon as possible. Importantly, they should test their response to incident planning regularly.
“It’s about developing a strategy and getting on the front foot as there will always be new issues to address. Never assume everything is good as there’s a lot happening out there, a lot more than we ever read about.”
Stan Gallo will be speaking in the FSC’s Cyber Security Series which runs from September to November 2017.