It only takes minutes to get hacked and months to recover – if your business ever does

By Kurt Hansen, co-CEO of Tesserent (ASX:TNT)

Cybersecurity is at the top of every organisation’s risk management strategy. The days of an IT virus being an inconvenience are well behind us with cybersecurity incidents costing Australian companies almost $30 billion annually and over 160 cybercrime reports being made to the Australian Cyber Security Centre each day. And those numbers are climbing every year.

While nation state attacks against high-profile companies like JBS Meatworks and 9News have garnered headlines recently, the impact of the daily incidents that don’t make the news is felt far more broadly. A business email compromise attack, where a criminal imitates a trusted party and convinces someone to pay a fake invoice, can result in thousands of dollars being lost in the blink of an eye. The ACCC reported that Australian businesses lost about $132 million to this type of scam – and that’s a number industry experts believe is highly under-reported.

Distributed Denial of Service (DDoS) attacks, often accompanied by ransom demands to end an attack or to extort payment to avoid one, are increasingly common. A Melbourne man was recently arrested for launching DDoS attacks against a shopping centre and a telco. And the New Zealand Stock Exchange suffered a number of outages as the result of similar attacks. Ransomware attacks continue to cause widespread disruption and financial impacts, with a recent report from security software vendor Sophos finding the cost of recovery averaging almost $3 million, a figure far under the USD$11 million ransom recently paid by JBS Meatworks.

Today’s cybercriminals are like the bank robbers of days gone by. They attack businesses because they know that’s where the money is. However, the cost of being hacked goes well beyond the financial. Large companies with well-resourced security teams and large budgets may be able to overcome the technical disruption, but the impact on suppliers, customers and other stakeholders may last months or longer and can be devastating.

The recent attack on Colonial Pipeline in the United States compromised the USA’s fuel supply so severely that prices surged and a warning had to be issued telling people that transporting fuel in plastic bags was unsafe. The attack on JBS Meatworks had a significant effect, with about 800 workers in Queensland stood down without pay and the commodity price for meat quickly rising.

For many businesses, being tricked into paying a fraudulent invoice for $50,000 could be crippling. A DDoS attack during a peak sale period for an online retailer could be the difference between staying afloat during a challenging time or suffering a loss that closes the business down. For a Not-For-Profit, a successful attack could erode confidence and result in donations drying up and volunteers withdrawing their support.

What steps can you take to protect your business? The days of simply installing some end-point software and having a firewall are well behind us. Criminals can now buy the tools they need to execute attacks for a few hundred dollars through their own marketplaces. And these are tools that are specifically designed to overcome basic defensive measures. Start with the assumption that, at some point, your organisation will be targeted by a malicious party. Implement protections that will minimise the risk of being successfully hacked but, critically, also ensure you know how you will recover if a criminal is able to penetrate your defences. It is the plans you already have in place to respond that will determine the success of your recovery.

When it comes to protecting your systems and data, focusing on training staff to recognise the tell-tale signs of a dodgy email or potentially dangerous link is critical. And relatively straightforward measures such as multi-factor authentication, where users need to enter a unique one-time code when they connect to a system, can make a significant difference.

Carry out some regular technology hygiene by deleting unused user accounts, ensuring users only have access to the systems they need and ensuring operating systems and applications are updated with the latest security patches. It’s impossible to be 100% ‘hack proof’ but making the task as difficult as possible will deter all but the most determined attackers.
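The three hygiene tasks in the paragraph above (dormant accounts, excess access, missing patches) are all checks that can be automated against an export of your directory and asset inventory, so they happen every month rather than once. The script below is an added example, not code from the author or Tesserent. It runs over a small constructed sample (the account records, host inventory, role-to-group policy and minimum versions are all made up for the example) and returns the accounts and hosts that need attention.

```python
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumed policy: an enabled account unused for 90 days is flagged

# Constructed sample directory export; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    {"user": "a.lee", "enabled": True, "last_login": date(2024, 6, 1),
     "groups": {"staff", "finance-approvers"}, "role": "finance"},
    {"user": "b.ng", "enabled": True, "last_login": date(2023, 11, 2),
     "groups": {"staff"}, "role": "sales"},
    {"user": "svc-backup", "enabled": True, "last_login": None,
     "groups": {"domain-admins"}, "role": "service"},
    {"user": "c.ito", "enabled": True, "last_login": date(2024, 6, 10),
     "groups": {"staff", "domain-admins"}, "role": "sales"},
    {"user": "d.old", "enabled": False, "last_login": date(2022, 1, 1),
     "groups": {"staff"}, "role": "sales"},
]

# Assumed least-privilege policy: the groups each role legitimately needs.
ROLE_ALLOWED_GROUPS = {
    "finance": {"staff", "finance-approvers"},
    "sales": {"staff"},
    "service": {"backup-operators"},
}

# Constructed host inventory and the minimum versions the patch policy requires.
SAMPLE_HOSTS = [
    {"host": "web-01", "product": "web-server", "version": "3.0.7"},
    {"host": "web-02", "product": "web-server", "version": "3.0.13"},
    {"host": "db-01", "product": "database", "version": "15.2"},
]
MINIMUM_VERSIONS = {"web-server": "3.0.13", "database": "15.6"}


def find_dormant(accounts, today, dormant_days=DORMANT_DAYS):
    """Enabled accounts that have never logged in or not within dormant_days."""
    cutoff = today - timedelta(days=dormant_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def find_excess_access(accounts, policy):
    """Group memberships beyond what the account's role is allowed."""
    findings = {}
    for a in accounts:
        extra = a["groups"] - policy.get(a["role"], set())
        if extra:
            findings[a["user"]] = sorted(extra)
    return findings


def parse_version(version):
    """'3.0.13' -> (3, 0, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def find_unpatched(hosts, minimums):
    """Hosts running a product below the required minimum version."""
    return sorted(
        h["host"] for h in hosts
        if h["product"] in minimums
        and parse_version(h["version"]) < parse_version(minimums[h["product"]])
    )


def hygiene_report(accounts, hosts, today):
    return {
        "dormant_accounts": find_dormant(accounts, today),
        "excess_access": find_excess_access(accounts, ROLE_ALLOWED_GROUPS),
        "unpatched_hosts": find_unpatched(hosts, MINIMUM_VERSIONS),
    }


if __name__ == "__main__":
    for key, value in hygiene_report(SAMPLE_ACCOUNTS, SAMPLE_HOSTS, date(2024, 6, 15)).items():
        print(f"{key}: {value}")
```

Note the disabled account `d.old` is not reported as dormant (it already is disabled) but is still checked for excess groups, and the never-logged-in service account is flagged on both counts: accounts with no login history and administrative group membership are exactly the ones that tend to be forgotten. Version strings are compared as integer tuples, since comparing them as text would rank "3.0.7" above "3.0.13".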

If an attacker does successfully overcome your defences, being ready to respond is critical. Create plans for how to recover from different types of incidents. Then, run regular drills to practise how you would respond to an incident. How will you recover lost data? Who do you have to notify, bearing in mind that there are some regulatory obligations such as the Notifiable Data Breaches scheme? What systems are the most important to recover first? Engaging a trusted partner to help you with this process can be invaluable.

Cybercrime is a fact of life for Australian organisations. And while the impact can be catastrophic, it doesn’t have to be. Taking preventative steps and having a plan in place should you be attacked can make the difference between a minor bump in the road and falling off a business cliff.
