Since the events of 2020 thrust cyber security into the spotlight, the threat landscape has continued to evolve and intensify exponentially.
Last year, focus centred largely around emerging points of vulnerability, including the rapid shift to remote working and a society under intense stress and pressure. Opportunistic cyber criminals took immediate advantage of a lapse in security awareness as efforts were redirected to fighting the pandemic.
During Australia’s first wave of COVID-19, between 10 and 16 March 2020 alone, the Australian Cyber Security Centre (ACSC) received over 45 pandemic-themed cyber crime and cyber security incident reports, while the ACCC’s Scamwatch site received over 100 reports of COVID-19 themed scams.
What we’ve witnessed since is the emergence of a new threat landscape — characterised by more frequent high-profile, large-scale attacks — as cyber criminals begin targeting lucrative organisations and industrial sectors where the loot is much larger.
Criminal groups are growing in size and sophistication, and state-sponsored attackers are ramping up activity, as some call for our cyber security to be considered a national priority. What remains indisputably clear is the severity of the threat posed by cyber criminals whose capabilities continue to outpace efforts to thwart them.
Another notable trend has been the recent surge in ransomware incidents — up 453 per cent in Australia over the past 18 months.
In response, we’re seeing a sharpened focus from government and regulators on protecting critical infrastructure networks and stronger reporting requirements for impacted businesses to enhance threat information sharing and intelligence.
Yet, despite our best efforts, the number of daily attacks continues to grow — signalling a clear need to reassess current approaches and revisit best practice.
As the world grows increasingly connected — and considering the risks inherent in IoT devices — we’re at a clear inflection point when it comes to cyber security.
New and emerging threats
Since the start of 2021, we’ve barely gone a week without news of another cyber attack targeting a high-profile business or large-scale industry, with SolarWinds and Microsoft Exchange two notable examples.
Closer to home, the ransomware attacks that crippled TPG and 47 Australian facilities of the world’s largest meat processor JBS highlight the vulnerability of critical networks such as our cloud services and supply chains.
Compounding this is the fact that personally identifiable information (PII) has increased in value and our growing reliance on digital identities and digital service delivery has made it all the more accessible.
As regulators continue to introduce tougher cyber risk management protocols, there’s been a stronger focus on the responsibilities of the private sector, specifically the legal liabilities of company directors.
This includes increased director duties set to come into effect this year, making individual executives directly responsible for implementing controls to protect information assets. Proposed amendments to our critical infrastructure laws are also on the horizon, expanding the number of critical infrastructure sectors to place stronger cyber security obligations on more organisations.
More recent conversations have centred around a new mandatory reporting regime for businesses that pay ransoms to cyber criminals in order to improve threat-sharing, help law enforcement and inform policymaking.
Yet, while we’re headed in the right direction, more must be done to protect against the immediate cyber threats we’re faced with daily. While nothing new, deploying basic cyber hygiene and ensuring adequate preparedness and a reliable incident response capability are critical.
Optimising our lines of defence
At an organisational level, continuous education and training among employees is paramount to strengthen awareness and understanding around cyber risks — with this charge most effective when led from the boardroom.
It’s paramount that preparedness includes an assessment of data exposure risks to determine and remediate security gaps, ensuring viable (and protected) backups and enabling multi-factor authentication.
In the event of a ransomware attack, effective incident response will involve isolating impacted systems to contain the issue, identifying the attack, assessing the degree of data exposure, and notifying impacted parties — and the rest.
During this time, speed is critical, so having external expertise engaged pre-emptively is a smart move, especially when considering what businesses have to deal with in the aftermath of an attack.
As in most industries, there’s a leading role for new and emerging technologies in shoring up our cyber defences, particularly in relation to the recent spate of IT-based attacks impacting operational technology (OT) infrastructure.
To minimise these threats, businesses should look to:
- Enforce tighter network segmentation and ensure an ability to virtually and physically break network connections between the corporate IT and OT networks if under attack;
- Test how and when to make this disconnect, to protect critical infrastructure and the business — through desktop/crisis management simulation exercises; and
- Establish an alert for these key network connections, identifying issues early to give the business adequate time to respond to potential threats.
Where to from here
Kroll’s 2021 State of Incident Response report found that less than half of organisations conduct regular security readiness exercises — a clear indicator that awareness of threats and risks does not necessarily translate to practical action in reducing and managing cyber risks.
As attitudes towards cyber security continue to mature, in line with the growing threat and inevitability of a cyber attack occurring, businesses and governments must leverage this momentum to institute the behavioural change needed to coordinate action against cyber crime.
Yet, while we may have stood up and taken notice, there are still a number of considerable hurdles to jump before our preparedness will be where it needs to be — not least of which is the issue of skill shortages, a situation made worse with Australia’s international borders shut.
Ross Lettau is the associate managing director at Kroll.