In recent months, the WannaCry and Petya outbreaks caused widespread disruption and losses for businesses and public-sector bodies around the world, highlighting the vulnerable position of businesses when it comes to cyber security. Many are still failing to undertake urgently required remediation, experts have warned, and it is feared a new wave of targeted cyber crime is coming.
Experts at a security roundtable event in Sydney on 11 July agreed urgent action was required by Australian businesses of all sizes to ensure they were as prepared as possible before the next wave of attacks occurs.
“Business owners are understandably focused on the day-to-day challenges of running their business,” said David Cohen, Founder and Managing Director, SystemNet. “But unfortunately this means they are not paying sufficient attention to cyber security.
“Many might be aware of the risks, but have not considered the impact a ransomware attack could have on their operations. Effects could range from mild inconvenience to a data loss so significant it puts them out of business.”
Monica Schlesinger, Principal, Advisory Boards Group International, noted that the situation is not confined to small businesses; in fact, many large organisations are also vulnerable to attack. She pointed to the most recent Petya attack that caused significant disruption for global firms such as advertising giant WPP, legal company DLA Piper and Danish shipping giant Maersk.
“Every business needs to have a clear strategy in place when it comes to cyber security, and formation of that strategy has to start at board level,” she said. “The strategy must take into account the evolving threat environment and clearly outline the steps that will be taken to minimise the risk of attack.”
Schlesinger said that, traditionally, IT challenges tended not to be well understood at board level; however, the current environment had made cyber security an issue that required constant oversight by senior management.
“It needs to be seen as a special risk,” she added. “When you suffer an attack it can happen very quickly and can destroy your company. It’s not a case of ‘if’ an attack will happen but ‘when’ and the board needs to be sure all required steps have been taken.”
Roundtable participants discussed the ramifications of the Notifiable Data Breaches Bill that will come into force in February 2018. The bill requires companies to report security breaches where there has been unauthorised access, disclosure or loss of personal information held by a company that is likely to result in ‘serious harm to any of the individuals to whom the information relates’.
“This means the impact of attacks can no longer be swept under the carpet,” said David Higgins, ANZ Country Manager, WatchGuard Technologies. “Senior management has to be aware of its responsibilities and realise that security can no longer simply be left to the IT team. They have to take a top-down approach.”
Although the recent ransomware attacks have served to increase awareness of the challenge, roundtable participants agreed more education was required for Australian business leaders. Many were still not taking basic steps such as deploying software patches that could significantly reduce their level of risk.
“There is also a need for ongoing education of staff around IT best practices,” said Cohen. “They must be aware of the risks associated with opening emails from unknown parties, visiting suspect websites and installing software from unknown sources.”
Higgins agreed, saying IT security was the responsibility of everyone in a business and all had a part to play in ensuring defences are as robust and effective as possible.
“Awareness and action has to extend from the managing director or board through to the most junior staff member,” he said. “By taking a holistic approach, businesses can ensure they have both the tools and behaviours in place that are needed to counter the threat.”
While ransomware has captured the bulk of attention when it comes to cyber crime, the panel speakers emphasised that there are other trends that should also be on the radar screens of Australian businesses. The trends include:
- Evolving Attacks: Attackers do not remain stagnant and, as new technologies emerge, they evolve their tactics to be more effective. Ensuring robust security will involve monitoring a shifting target.
- Authentication: One of the foremost tenets of security is trust, and trust is based on authentication. Unfortunately, the primary mechanism used for authentication – passwords – is no longer sufficient. New methods must be quickly found and put into use.
- Everyone is a target: There is a misconception among small- and medium-sized businesses that, because they don’t have huge amounts of intellectual property, they won’t be attacked, but that’s a fallacy. Bad guys don’t always want to steal data, and in the case of a ransomware attack, they don’t want the data at all – they just want the victim to want it badly enough to pay to get it back. Everyone is a target.
“Cyber attacks are going to become more sophisticated and, unfortunately, more effective,” said Higgins. “By having a multi-layered defence strategy in place, applying patches and educating staff, businesses can be best placed to withstand the threats that will have to be faced in the future.”