iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
As the Australian cyber climate worsens, the federal government has begun to adopt a number of changes to combat it.
Last year, new legislation introduced mandatory reporting for information security incidents across 11 critical infrastructure sectors.
While the idea that businesses are legally required to disclose a cyber incident upon its discovery does provide peace of mind for consumers, mandatory reporting is not without its caveats.
Cyber Security Connect sat down with Rapid7 senior vice-president and chief scientist Raj Samani to discuss the benefits and limitations of mandatory reporting.
In Australia, in the event of a cyber breach that significantly impacts the availability of a business and its assets, the Australian Cyber Security Centre (ACSC) must be notified within 12 hours of discovery.
While the rapid response time means that consumers and other businesses can be informed quickly and ready themselves for the consequences of the attack, the short time means that early investigation could be rushed, and details could be missing or incorrect.
Despite this, Samani said that the benefits outweigh the risks.
“I mean, in some cases, it can take months and even … years to really truly find out what is actually going on. And so, yeah, ultimately, the conclusions and the information and the evidence you identify may not be entirely or certainly won’t be the full story and may not be entirely accurate.
“But that being said, what is important is sharing that information with trusted parties, which actually allows us the opportunity to be able to share what we know to other organisations that may also be part of that campaign.”
Samani added that as cyber attacks, in many cases, aren’t isolated incidents but part of greater campaigns that can affect a series of organisations, sharing what you know fast is critical in preventing an attack from spreading.
“It’s not, ‘Oh well, I’m gonna go after that company, and that’s it’. No, actually there’s a campaign of attacks. And if you can quickly share information, that’s imperative because it may tip off an organisation that actually they’ve been compromised, and you may potentially even be able to disrupt the attack earlier in the kill chain,” he added.
Mandatory reporting legislation is designed to protect the consumer and any party whose data is in the hands of a corporation and that may be at risk.
However, as Australia cracks down on cyber breaches and the penalties for businesses get worse, mandatory reporting does now pose a legal risk to businesses.
When asked if businesses will attempt to avoid mandatory reporting, Samani said it happens and that it will continue to happen, but that sooner or later, that information will come out.
“I mean, we’ve seen it before, right? Yeah, major companies that we know that we trust, but our data has been compromised, and you know, the boards and the CISOs have basically covered it up,” Samani said.
“Here’s what I would say: [it] will come out, right?
“Like you can quote me on that, it absolutely will come out. If you think you’re going to hide a major breach and millions of your records have been stolen and your customer data has been sold on the dark web or, you know, somebody has basically, you know, issued a ransomware alert across your environment, it will come out,”
The importance of cyber safety and security has been brought to the forefront of Australian minds over the last six months, following the devastating cyber attacks on Optus and Medibank.
According to VPN provider Surfshark, Australia has earned the title of the most frequently hacked nation in the world, with 7,387 user accounts per 100,000 being hacked in Q4 2022. For context, Russia, which is currently at war, was second at 2,568 per 100,000.
Despite the assumption by many that Australia, in particular, is being targeted by hackers, Samani reiterated that hackers rarely specifically target nations or organisations, but in most cases, hacks are crimes of opportunity.
“People have this perception that cyber crime is targeted, right? I’m gonna go after this company, I’m going to go after that company.
“By and large, cyber crime typically, [hackers] just scan everything they can, or they just go to these dark web shops, which sell creds or sell access, and they break into that organisation.
“By and large, they don’t care whether that company is in Australia, Western Europe [and] United States,” he said.
Samani said that he gets asked constantly by people from nations all around the world why their nation, in particular, is being targeted by hackers, and he said that, in reality, everyone is a target in the form of a Lily Allen quote.
“Everybody’s at it, so why aren’t we?”
So why is Australia seeing so many major cyber attacks? If hackers search for opportunity, why does Australia present so many?
“[Australia has] a highly digital population,” Samani said.
“You’ve got a population with high disposable income. Your economy’s really quite buoyant, so companies have money.
“Therefore, they have the means to pay ransoms. They have the means to pay larger ransoms than, say, for example, some companies in other parts of south-east Asia, and so I think that makes it a naturally attractive proposition.”
The wave of major ransomware attacks, such as the one that targeted Medibank, has seen the Australian government, alongside many other organisations, take a strict stance on never paying ransom to hackers, as it rewards crime and has no guarantee that hackers will then back off, provide decryption or not use the data that has been accessed.
So, what should a business do in the instance where not paying ransom requests could lead to harm or death, such as with a hospital or healthcare provider?
Samani, who is the founder of an organisation called No More Ransom that provides companies with decryption tools so that they don’t have to pay the ransom, said that organisations should never pay.
No More Ransom is an initiative that works with both law enforcement and the private sector to provide organisations with free decryptors.
“We’ve got 163 decryptors on there. We won’t ask for your email address. We won’t track you in any way shape or form. And we collaborate and work together to basically tell the whole world don’t pay ransom, here is another choice and we will give you free decryptors,” Samani said.
To date, No More Ransom has prevented “over a billion dollars from going into the hands of criminals”.
Samani said that rather than wait until a decision has to be made on whether to pay hackers or not, businesses should prepare for those attacks and have solutions and safeguards in place to prevent the situation where lives may be in danger from arising.
“Don’t put yourself in a position where you are forced to decide whether to pay or not to pay.
“If you are intending to pay, then have that clearly defined, have that clearly set up, have the safeguards and the guardrails in place. There are companies out there that will negotiate on your behalf and legitimate companies that will do that. They have a plan around this and practice that particular plan.
“My advice is not to pay, and if you’re not going to pay, then make sure that you’ve got a plan in place to mitigate the impact of that particular attack.
“So, test how long it’s going to take to get your systems back online. Test who your liaison is within law enforcement like you’ve got to make the decision now, not make the decision when you’ve been impacted.
For more information on what No More Ransom does and how it can help you, visit the website here. To find out more about Rapid7 and its unique, practitioner-first security solutions, click here.
Be the first to hear the latest developments in the cyber industry.
