Op-Ed: No excuse for unpreparedness as ransomware threatens APAC businesses

Ransomware was in the headlines worldwide last year as cyber attacks hit a broad swathe of businesses and organisations, maliciously causing financial damage and disruption. According to the 2022 SonicWall Cyber Threat Report, there were 19 attacks every second and 623.3 million attacks globally, and there’s nothing to suggest that ransomware threats will reduce or disappear soon.

A ransomware cyber attack can put a stranglehold on operations and have affected not only financial institutions and businesses but also healthcare institutions and power companies, threatening people’s lives as well as national security. As of November 2022, the FBI and other federal agencies have warned that one type of ransomware alone had been used to extort about $100 million from over 1,300 companies worldwide.

Criminals are finding new ways to hold businesses hostage to their ransomware demands. Sophisticated new methods have evolved from phishing and may include social engineering and exploiting vulnerabilities in flexible working arrangements such as the use of multiple devices and home IoT networks. Criminal developers have followed the software-as-a-service trend to offer ransomware-as-a-service (RaaS) on the dark web. With payments in cryptocurrencies, RaaS is proving a successful business model for developers and making it very easy for criminals without the coding skills to mount an attack themselves.

In Australia, high-profile attacks on household names like Optus, Woolworths, and Medibank put privacy laws on the national political agenda in 2022. During the Optus ransomware attack, almost 10 million customer details were exposed, including 2.1 million of which had a form of ID attached. The attackers threatened to sell the data if their ransom of US$1 million was not paid. Meanwhile, private health insurer Medibank is facing a class action lawsuit after personal data from millions of customers was released on the dark web.

More legislation is coming

Responding to the high-profile attacks in Australia, at the end of 2022, the government introduced new reforms to Australia’s privacy laws, including a substantial increase in privacy breach penalties for corporations that do business in Australia, whether based here or not. Under a new three-factor penalty scheme, fines for data breaches have increased to $50 million, or penalties based on data monetisation and 30 per cent of adjusted quarterly turnover.

Across APAC markets, legislation varies, but privacy regulations everywhere are being revisited, and the pace is accelerating. The EU’s General Data Protection Regulation (GDPR), considered the most demanding of privacy laws, is influencing the development of data protection in Asia. Gartner predicts that 75 per cent of the world’s population will have its personal information/data covered under modern privacy regulations by the end of 2024

Still not a priority

VIEW ALL

Many customers are ambivalent about data security; they expect personalisation of online and digitalised services, but they also demand their data be secure and private. Meanwhile, despite the potential for financial losses and fines, alongside irreversible damage to customer trust and brand reputation, it appears companies are also not taking the risk and compliance implications seriously.

A recent survey of chief information security officers (CISOs) in Australia and New Zealand by Veritas revealed “a damning landscape of unpreparedness”.

Although 84 per cent of CISOs interviewed said they expect moderate to significant disruption following a ransomware attack, 32 per cent do not follow 3.21 data protection, and only 13 per cent have complete confidence in their organisation’s backup strategy. More damning still, only 17 per cent said they have a strong security culture at all levels of business, and 21 per cent are not confident their team could orchestrate recovery.

Now is the time to strengthen data protection

Although ransomware techniques and approaches are continually evolving, they are not invincible if cyber security strategies evolve constantly, too. There are clear steps that can be taken to reduce the likelihood of being a target and an attack impacting operations. An organisation’s cyber defences are only as strong as the weakest link, so IT teams can no longer avoid ransomware attacks by endpoint security alone; they need a multi-layered strategy.

The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, recommends developing a cyber security framework that enables organisations to establish a comprehensive, structured methodology around five key functions – identify, protect, detect, respond, and recover.

This kind of long-term framework strategy as part of a long-term relationship with a trusted partner is a sensible approach to reducing and mitigating the risk of exposure.

Mark Nutt is the senior vice-president of international sales at Veritas Technologies.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.