The forgotten side of cyber security

Taking advantage of the COVID-19 digital spike, sophisticated hackers are increasingly attacking organisations, large and small, with cyber security threats.

The Australian Cyber Security Centre’s (ACSC) latest report indicates one attack occurs every eight minutes in Australia.

Cyber is the “new battleground” according to Assistant Defence Minister Andrew Hastie, and it is up to government, industry and individuals to combat the escalating threat.

Last year, Toll Group was hit by two ransomware attacks in the space of three months, crippling the Australian logistics giant with costly disruptions to operations. While earlier this year, global meat and food processing company JBS Foods faced a cyber attack that led to the suspension of operations across the country.

But according to the same ACSC report, the healthcare sector is the latest to be targeted. With the second-highest number of ransomware incidents reported, healthcare has been hit with breaches at the exact time when Australians are most reliant on the industry to help us respond to and recover from the pandemic.

The reputational, operational and compliance implications to businesses can be crippling if cyber security risks are not addressed. But concerns should not be limited to incoming threats – business leaders also need to be aware of internal threats.

This is the side of cyber security that is too often forgotten – what’s happening to their data, who has access to it and where it’s being shared. In addition to building barriers to protect from external attacks, organisations must ensure business-critical data is correctly managed and governed to avoid a potential leak or misuse of their sensitive information.

Laying down the bounds

VIEW ALL

Whether unintentional or malicious, human error still comprises a significant number of the vulnerabilities being exploited by bad actors. In one example, Services Australia reported five eligible data breaches to the Office of the Australian Information Commissioner (OAIC), all involving human error since the start of the 2019 financial year through April this year.

Employees need to trust they can safely, securely and lawfully share and communicate critical data, and this comes down to ensuring the right people have the right access, at the right time. With the ability to control permissions and manage requests, a centralised and synchronised digital foundation bolsters policy for organisations – in government, healthcare and beyond – to ensure the appropriate level of governance so data isn’t misused.

A common scenario that risks a data breach is the use of third-party applications, like WhatsApp, which are often encrypted but unsupported by corporate networks. When employees share data or personally identifiable information (PII) via applications like these – which have not been approved by IT – it is often both illegal and risks data ending up where it shouldn’t be.

Accountability for best practice

The Australian government is already considering how to enforce greater accountability on company directors by making them more liable for cyber security incidents. If this comes to pass, stitching together core business applications and centralising communications for better data governance will be critically important for businesses.

Too often, organisations are faced with a Jenga tower of different applications and systems, illogically stacked upon each other to meet the varying needs of the business. This haphazard approach generates pockets of siloed information and a subsequent inability to consistently control and access data.

Companies must invest in securely reining in the enormous volumes of data flowing through their organisations to provide the visibility and assurance that it is being accessed and used safely, and in compliance with national, international and industry-specific regulations pertaining to data protection, such as the Notifiable Data Breach scheme.

This is particularly important in today’s distributed workforces where employees are working from home and digital environments are expanding. Governing and protecting data requires a modernised business strategy that reflects the changing threat landscape.

With the OAIC reporting a 24 per cent increase in data breaches arising from ransomware incidents in the first half of 2021, organisations need to go beyond measures that consider the bad actors trying to get into their systems and start focusing more on the existing risks within.

Without a comprehensive view of data and layers of assurance it won’t be shared or used improperly, companies expose themselves to a broad range of risks, even if they have the best measures to prevent cyber criminals from attacking their systems. The best defence is a good offence.

Nathan Gower is managing director for Australia and New Zealand at Boomi, a cloud-based integration software provider.