The Covid-19 pandemic has not only seen us change our ways of working. Cybercriminals have adjusted the way they work, intensifying their focus on low-hanging fruit like the ‘quick fixes’ many organisations implemented to support employees working remotely.
According to the Office of the Australian Information Commissioner (OAIC), the number of data breach notifications attributed to ransomware attacks from January to June this year increased by more than 150 per cent on the previous six months, from 13 to 33.
These attacks have included several large organisations, including Lion, Bluescope Steel, Toll, Regis Healthcare and the Spotless Group. Lion’s ransomware attack on 9 June forced the company to stop production for three weeks. It was hit again not long after, with criminals threatening to put confidential data up on the dark web unless they were paid a $1 million ransom.
Industry experts estimate the ransomware attacks could have cost Lion as much as $100 million.
Toll’s January cyberattack forced the company to spend six weeks rebuilding its IT infrastructure. A second ransomware attack in May saw its systems offline for weeks and corporate data stolen and reportedly leaked onto the dark web.
IBM’s 2020 Cost of a Data Breach Report, which uses figures gathered by the Ponemon Institute, puts the average cost of a data breach globally at US$3.8 million. The average cost in the US is much higher at US$8.64 million.
IBM estimates that each compromised record costs an organisation an average of US$150. It says it takes an average of 207 days to identify a data breach and 73 days to contain it – so 280 days in total. That is five days up from the 2015 figure of 275.
A data breach not only affects the continuity of a business and its financials; there is also a financial penalty. Under the Australian Privacy Act, the current fine ranges from $525,000 to $2.1 million. However, on 30 October the Attorney-General’s Department released its terms of reference for a review of the Privacy Act. Amongst other changes, it’s possible that Australia will adopt a regime similar to the General Data Protection Regulation in Europe, where penalties are significantly higher, with the fine based on a percentage of the organisation’s turnover.
The costs to reputation
As well as hefty fines, organisations need to take into account the inevitable reputation impacts of data breaches. As a customer if you see a company has repeated data breaches you may not want to deal with them anymore. If you are a shareholder there can be significant impacts as well.
In its delayed 2020 budget, the Federal Government announced a significant increase in spending for cyber security, with an additional $201.5 million to support its $1.7 billion 2020 Cyber Security Strategy. It also included $470 million to bolster Australia’s cyber security workforce on top of $1.4 billion for government security efforts.
The current measures build on the government’s previously announced $1.4 billion Cyber Enhanced Situational Awareness and Response (CESAR) package, which includes a raft of measures to improve Australia’s strategic cyber capabilities.
How to protect your business
The fact that organisations take more than 200 days to identify the average data breach shows that most Australian companies just aren’t responding (or in some cases can’t respond) quickly enough.
The stages of a cyberattack, from early reconnaissance through to the exfiltration of data, are described as the “cyber kill chain”.
The hackers are happy to take their time. They do their own research and due diligence, finding out what they can about your organisation from publicly available information. That might be, for example, looking at member interests and starting to build a profile.
From a protection point of view there needs to be a layered approach – building up the controls which enable an organisation to disrupt or slow the kill chain.
History tells us that attacks cannot be prevented entirely. Many companies have seen a big uplift in the number of attacks during this pandemic.
This is perhaps a combination of people having more time on their hands and the attackers knowing companies have made some compromises to their infrastructure to support large numbers of their employees working from home.
The aim is to prevent hacker success. This includes identifying and securing a company’s most valuable and critical assets – their ‘crown jewels’ if you like. These could be systems containing a company’s source code or running operational technology – areas that are critical to the organisation.
Continuous monitoring is vitally important. Companies tend to record a lot of logs; what they don’t do so well is monitor these logs and correlate multiple log sources to look for the right trends and indicators.
If you look at traditional security controls, they are very much focussed on preventative controls. There is usually a lot of talk about firewalls – and all those typical controls we hear about. But if you work on the premise that there will eventually be an attack, it is better to detect it early, while you still have a chance to do something about it.
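As an added illustration of the log correlation described above (not code from the original article), the following Python joins two constructed log sources, VPN logins and file-server audit events, and raises an alert only when a login from an address outside a user’s baseline is followed within 30 minutes by a burst of file modifications, a pattern worth watching for with ransomware. The log formats, baseline addresses and thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs; the field layout is an assumed, hypothetical format.
VPN_LOG = """\
2020-06-09T08:02:11Z vpn user=alice src=203.0.113.45 event=login
2020-06-09T08:05:40Z vpn user=bob src=198.51.100.7 event=login
2020-06-09T08:06:10Z vpn user=carol src=192.0.2.9 event=login
"""
FS_AUDIT = """\
2020-06-09T08:15:02Z fs user=alice op=rename path=/finance/q2.xlsx
2020-06-09T08:15:03Z fs user=alice op=rename path=/finance/q1.xlsx
2020-06-09T08:15:03Z fs user=alice op=rename path=/finance/budget.docx
2020-06-09T08:15:04Z fs user=alice op=rename path=/hr/payroll.csv
2020-06-09T08:15:05Z fs user=alice op=rename path=/hr/contracts.pdf
2020-06-09T08:15:06Z fs user=alice op=write path=/finance/README_DECRYPT.txt
2020-06-09T08:20:00Z fs user=bob op=write path=/sales/deck.pptx
2020-06-09T08:21:00Z fs user=carol op=read path=/sales/deck.pptx
"""
# Assumed baseline of addresses each user normally connects from.
BASELINE_IPS = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.7"}}
WINDOW = timedelta(minutes=30)   # how long after a login we look for a burst
BURST_THRESHOLD = 5              # file changes in WINDOW that count as a burst
MOD_OPS = {"rename", "write", "delete"}
LINE_RE = re.compile(r"^(\S+) (vpn|fs) (.*)$")

def parse(text):
    """Turn 'timestamp source k=v k=v ...' lines into (ts, source, fields)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append((ts, m.group(2), fields))
    return events

def correlate(vpn_text, fs_text, baseline=BASELINE_IPS):
    """Alert on a login from an unfamiliar address followed by a file-change burst."""
    logins = [e for e in parse(vpn_text) if e[2].get("event") == "login"]
    mods = [e for e in parse(fs_text) if e[2].get("op") in MOD_OPS]
    alerts = []
    for ts, _, f in logins:
        user, src = f["user"], f["src"]
        if src in baseline.get(user, set()):
            continue  # known address: not suspicious on its own
        burst = [e for e in mods if e[2]["user"] == user and ts <= e[0] <= ts + WINDOW]
        if len(burst) >= BURST_THRESHOLD:
            alerts.append({"user": user, "src": src, "login": ts.isoformat(), "mods": len(burst)})
    return alerts
```

Neither source alone is conclusive (a new address is common for remote staff, and a burst of writes can be legitimate); joining them is what gives the indicator its value.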
Good cyber security strategy also involves unannounced simulations – with only a small number of employees knowing about them. This helps to test a company’s incident response and crisis management plans, to see if they work and refine them where they don’t. With a significant number of the workforce now working from home, this can make for an even more challenging test.
The bottom line is that a data breach is more about when than if. But being prepared can make a huge difference, both to your customers’ safety and your bottom line, whatever the size of your business.