Where cybersecurity is concerned, you are the weakest link

Australia’s dominant real estate listing portal, Domain, was hit by a cyber attack this May, where users’ personal details were accessed and used in scamming attacks. Domain announced “a scam that used a phishing attack to gain access to Domain’s administrative systems”. Fortunately, little or no actual damage was done.


The gorilla in the room is – someone at Domain must have fallen for the phishing attack. Someone clicked on a link.

Every business, every organisation, every computer user, must face this inevitable reality: no matter how careful you are, no matter how well trained your staff, no matter how up-to-date your gateways, someone, somewhere, somehow, some time is going to click on a link.

In a recent article on this website, we showed that human factors were behind the vast majority of personal information breaches reported to the Office of the Australian Information Commissioner (OAIC) in July to December 2020.

So what is a business to do?

Unlike some other risks, cyber security risk is difficult to measure but can be existentially threatening: a serious breach can destroy a business. Many financial institutions we deal with now consider cybersecurity a key risk when less than a decade ago it was not even in their list of top 10 risks.

Many boards acknowledge that because cyber security risk is new and rapidly evolving, their oversight processes lack maturity. Even boards skilled at overseeing complex financial risks are still learning how best to oversee cyber security risks.

The Reserve Bank of Australia is aware of the importance of cyber security for the stability of the financial system:

A cyber attack involving a breach of data integrity in the financial system could have the most severe financial stability implications. For example, an attack that had implications for the integrity of banks’ record of their assets and liabilities could impede their ability to disburse funds to customers or collect on monies due. In the extreme it could raise questions about the institution’s solvency status. This could force directors to withdraw the bank from trading while investors may pull back on capital market funding.

Cyber security is a matter of the highest importance for a business, and it needs to be a constant focus at board level – boards can no longer leave cyber security to executive or other staff.

Boards must set the tone that cyber security risk is a critical business issue. For financial institutions, their cyber security obligations are undoubtedly among the most complex that boards need to address. For other businesses, schools, associations and more, cyber security may be less complex, but it is equally important.

Boards must have oversight of their institution’s compliance with all applicable obligations. Each board member should not only understand the cyber risks the organisation faces but should also take steps to ensure that robust risk minimisation strategies are in place and are regularly reviewed.


Malware for hire

In early May 2021, the Australian Cyber Security Centre (ACSC) issued a warning concerning the rise in cyber security incidents involving Avaddon, a type of ransomware.

Avaddon is ransomware-as-a-service: criminals can use its capacity to threaten individuals and businesses, provided they pay a proportion of their profits to Avaddon’s developers as a commission.

It works by locking users out of computer systems or files on devices it has infiltrated until the victim meets the cybercriminals’ demands, such as anonymous payment in Bitcoin. Victims who do not meet the ransom demands may face additional threats, such as having the hostage files leaked or sold on the dark web.

Avaddon is commonly spread through phishing emails or malicious downloads.

In other words, someone clicks on a link.

The ACSC reports that since February 2019, criminal organisations have been using Avaddon to carry out cyber attacks around the world and that Australian organisations in a variety of sectors, including the financial services industry, are under threat.

In November 2020 in the US, American Bank Systems, a company providing services to US banks and financial institutions, fell victim to an Avaddon ransomware attack in which criminals threatened to leak over 50GB of proprietary and customer data online. It is reported that this data would allow criminals to access American Bank Systems’ clients’ systems, including banks and financial institutions.

In Australia, victims of Avaddon cyber attacks include the NSW Labor Party.

In the US, a ransomware attack became a regional state of emergency. Probably the scariest cybersecurity story this decade.

Defence in Depth

Here’s what the Australian Prudential Regulation Authority (APRA) Executive Board Member Geoff Summerhayes said in June 2019: “Cyber-adversaries are targeting Australia’s banks, insurers and superannuation licensees with growing frequency and sophistication. … It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared.”

Businesses, boards, individuals, all should assume that a cyber breach will occur. Not if, but when.

Regular, off-site backups of critical data – ideally of all data – are non-negotiable. Some malware acts as a sleeper, staying dormant on your system for a lengthy period before it activates, so you need backups that go back in time to before the date of the infection, not just the most recent copy.

But backups are a last resort and relying on them alone risks the loss of more recent data. Moreover, backing up your data does nothing to prevent it falling into criminal hands. It does nothing to protect the personal information of your clients and staff.

Defence in depth in the cyber world involves having perimeter defences such as firewalls, monitoring outbound as well as inbound traffic, to catch a cyberattack as it begins.

Up-to-date threat signatures allow the gateway to identify and block, at the packet level, any traffic to or from known phishing or compromised systems, so that even if someone has clicked a link, the attack can be headed off before it gets out of hand.

Real-time traffic monitoring is essential for businesses. A small business can outsource it, but a combination of outsourced hardware capacity and in-house vigilance is the best defence. Particularly where customer personal data, or liquid assets such as money or securities, are involved, traffic monitoring must be real-time: milliseconds count.

Promoting a culture of cyber resilience

One important, but overlooked, element of defence in depth is the culture of the business.

It is imperative that the Board and management promote and clearly communicate a culture of cybersecurity and resilience within their business. Unless this cultural approach is firmly in place, a business’s ability to quickly and effectively respond to cyber attacks is likely to be critically compromised.

Boards should satisfy themselves that staff are encouraged to speak up promptly about any cybersecurity issues. Boards should also be satisfied that staff are aware of how to access the business’s whistleblower policy, and that disclosures will be promptly and thoroughly investigated. Board meetings should regularly address the topic of cyber security risk and what is being done to ensure all staff are aware of it and are encouraged to speak up promptly about concerns.

A culture where staff are cyber security focussed enough to raise their concerns and share their observations with their IT team is one that every business should cultivate.

When a serious cybersecurity breach occurs

As far as possible, directors and management should be confident that the business continuity and crisis management response plans of their organisation are sufficiently comprehensive and robust and can be quickly invoked when a significant cybersecurity breach occurs. Boards need to ensure they are aware of their role if these plans are invoked; and that they have the means and capability of performing this role.

GRC Solutions’ Cyber Security Training Resources

Cyber Security – Australia

Cyber Security – USA

Cyber Security – Non-Jurisdictional

GRC Solutions’ Privacy Training Resources

Australia

Privacy – covering the Privacy Act and the Australian Privacy Principles

Privacy for Schools – covering the Privacy Act and the Australian Privacy Principles as they apply to schools

Australia – Financial Services

Financial Services Privacy Training – covering the Privacy Act and the Australian Privacy Principles

Credit Reporting – covering the Credit Reporting Act

New Zealand

Privacy – New Zealand – covering privacy in New Zealand under the 2020 updates to the law

Europe

General Data Protection Regulation – covering the GDPR – which has global implications

Singapore

Personal Data Protection Singapore – covering the Personal Data Protection Act 2012 and also the implications of the GDPR

Malaysia

Data Protection Malaysia – covering the Personal Data Protection Act 2010 and also the implications of the GDPR

California

California Consumer Privacy Act